Difference between revisions of "Artifact Examples"
Revision as of 08:00, 11 June 2012
The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. For more details on the blackboard, refer to http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html.
This page lists general names of artifacts and attributes. Below are links to the specific C++ and Java references.
- C++ Artifacts
- C++ Attributes
- Java Artifacts (note that the C++ code has the full description of the artifacts)
- Java Attributes (note that the C++ code has the full description of the attributes)
Artifact Examples
TSK_WEB_BOOKMARK
- TSK_URL
- TSK_DATETIME (context of "Last Visit Date")
- TSK_DATETIME (context of "Date Added")
- TSK_NAME (to store assigned name and folder)
- TSK_PROG_NAME (browser this came from)
- TSK_TITLE (Title of webpage)
TSK_WEB_COOKIE
- TSK_URL
- TSK_DATETIME (context of "Creation Date")
- TSK_DATETIME (context of "Expiration Date")
- TSK_NAME
- TSK_VALUE
- TSK_FLAG
- TSK_PROG_NAME (browser this came from)
TSK_WEB_HISTORY
- TSK_URL
- TSK_DATETIME
- TSK_PROG_NAME (browser this came from)
- TSK_REFERRER
- TSK_USERNAME
- TSK_TITLE (title of webpage)
TSK_WEB_DOWNLOAD
- TSK_URL (Location file was downloaded from)
- TSK_DATETIME (time file was downloaded)
- TSK_PATH (location saved to)
TSK_RECENT_OBJECT (MRU, recent docs, etc.)
- TSK_PATH (path of recently accessed file)
- TSK_DATETIME (date of access, if known)
- TSK_PROG_NAME (program that access is associated with -- "Windows", "Word", etc.)
TSK_TRACKPOINT
- TSK_GEO_LATITUDE
- TSK_GEO_LONGITUDE
- TSK_GEO_* (other geo-related attributes as needed and available)
- TSK_DATETIME
TSK_INSTALLED_PROG
- PROG_NAME (method of determining "Hashset", "Registry", etc. in context)
TSK_KEYWORD_HIT
- TSK_KEYWORD (keyword that hit)
- TSK_REGEXP (regular expression that was used - if used)
- TSK_PREVIEW (45 chars of text before and after keyword hit)
- TSK_SET_NAME (text name of a set/list that the keyword was part of)
TSK_HASHSET_HIT
- TSK_SET_NAME (name or file name of hashset that hash was located in)
TSK_DEVICE_ATTACHED (one for each time that a known device, identified by its USB ID for example, was attached to the system)
- TSK_DEVICE_ID (ID of attached device)
- TSK_DATETIME (Date that device was attached)
- TSK_PATH (mount point for device)
TSK_INTERESTING_FILE (for a file that was found by its name or other heuristic)
- TSK_SET_NAME (name of set that defined the rule that flagged this file)
TSK_EMAIL_MSG (for an e-mail message that was found)
- TSK_EMAIL_TO
- TSK_EMAIL_CC
- TSK_EMAIL_BCC
- TSK_EMAIL_FROM
- TSK_SUBJECT
- TSK_EMAIL_CONTENT_* (message body; use the specific attribute for HTML, plain text, or RTF, and add one content attribute per format if the message has both plain text and HTML)
- TSK_PATH (Folder that inbox is stored in -- "INBOX", etc.)
- TSK_USERNAME (Username of account that e-mail is associated with)
- TSK_DOMAIN (Domain of account that e-mail is associated with)
- TSK_DATETIME_RCVD
- TSK_DATETIME_SENT
- TSK_MSG_ID
- TSK_MSG_REPLY_ID
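As an added illustration (not TSK or Autopsy code, and not part of the original page), the check below compares an artifact a module is about to post against the attribute lists above, including the page's rule that one artifact may carry several TSK_DATETIME attributes told apart by their context string and the TSK_GEO_* / TSK_EMAIL_CONTENT_* wildcards. The artifact-to-attribute table is transcribed from this page; the sample cookie values are constructed.

```python
from fnmatch import fnmatchcase

# Artifact type -> attribute types the page lists for it (transcribed from the
# lists above; the wildcards are the page's own TSK_GEO_* and TSK_EMAIL_CONTENT_*).
EXPECTED = {
    "TSK_WEB_BOOKMARK": {"TSK_URL", "TSK_DATETIME", "TSK_NAME", "TSK_PROG_NAME", "TSK_TITLE"},
    "TSK_WEB_COOKIE": {"TSK_URL", "TSK_DATETIME", "TSK_NAME", "TSK_VALUE", "TSK_FLAG", "TSK_PROG_NAME"},
    "TSK_WEB_HISTORY": {"TSK_URL", "TSK_DATETIME", "TSK_PROG_NAME", "TSK_REFERRER", "TSK_USERNAME", "TSK_TITLE"},
    "TSK_WEB_DOWNLOAD": {"TSK_URL", "TSK_DATETIME", "TSK_PATH"},
    "TSK_TRACKPOINT": {"TSK_GEO_LATITUDE", "TSK_GEO_LONGITUDE", "TSK_GEO_*", "TSK_DATETIME"},
    "TSK_EMAIL_MSG": {"TSK_EMAIL_TO", "TSK_EMAIL_CC", "TSK_EMAIL_BCC", "TSK_EMAIL_FROM", "TSK_SUBJECT",
                      "TSK_EMAIL_CONTENT_*", "TSK_PATH", "TSK_USERNAME", "TSK_DOMAIN", "TSK_DATETIME_RCVD",
                      "TSK_DATETIME_SENT", "TSK_MSG_ID", "TSK_MSG_REPLY_ID"},
}
# Where the page allows several TSK_DATETIME values on one artifact, they are
# distinguished by the quoted context string, and each context should appear once.
DATETIME_CONTEXTS = {
    "TSK_WEB_BOOKMARK": {"Last Visit Date", "Date Added"},
    "TSK_WEB_COOKIE": {"Creation Date", "Expiration Date"},
}


def check_artifact(artifact_type, attributes):
    """attributes: list of (attribute_type, context, value). Returns the problems found."""
    if artifact_type not in EXPECTED:
        return [f"unknown artifact type {artifact_type}"]
    problems, seen_contexts = [], set()
    for attr_type, context, _value in attributes:
        if not any(fnmatchcase(attr_type, pat) for pat in EXPECTED[artifact_type]):
            problems.append(f"{attr_type} is not listed for {artifact_type}")
        if attr_type == "TSK_DATETIME" and artifact_type in DATETIME_CONTEXTS:
            allowed = DATETIME_CONTEXTS[artifact_type]
            if context not in allowed:
                problems.append(f"TSK_DATETIME context {context!r} not in {sorted(allowed)}")
            elif context in seen_contexts:
                problems.append(f"duplicate TSK_DATETIME with context {context!r}")
            seen_contexts.add(context)
    return problems


# Constructed sample artifacts (values are made up for this demonstration).
GOOD_COOKIE = [("TSK_URL", None, "example.com"), ("TSK_NAME", None, "sid"),
               ("TSK_VALUE", None, "abc123"), ("TSK_PROG_NAME", None, "Firefox"),
               ("TSK_DATETIME", "Creation Date", 1339401600),
               ("TSK_DATETIME", "Expiration Date", 1370937600)]
BAD_COOKIE = GOOD_COOKIE + [("TSK_REFERRER", None, "example.org"),         # listed for history, not cookies
                            ("TSK_DATETIME", "Creation Date", 1339401601)]  # second creation date

if __name__ == "__main__":
    print(check_artifact("TSK_WEB_COOKIE", GOOD_COOKIE))  # []
    print(check_artifact("TSK_WEB_COOKIE", BAD_COOKIE))   # two problems
```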
General Information Artifact Examples
Word Document
A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should
- Save the extracted text as a TEXT attribute in GEN_INFO
- Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
- Save the author as XX in GEN_INFO
- Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.
JPEG File
A module that analyzes a JPEG image file could:
- Save the EXIF data (DATETIME, DEVICE, GEO) as attributes in GEN_INFO.