Difference between revisions of "Artifact Examples"
From SleuthKitWiki
Revision as of 14:22, 6 January 2012
= Artifact Examples =
TSK_WEB_BOOKMARK
- TSK_URL
- TSK_DATETIME (context of "Last Visit Date")
- TSK_DATETIME (context of "Date Added")
- TSK_NAME (to store assigned name and folder)
- TSK_PROG_NAME
TSK_WEB_COOKIE
- TSK_URL
- TSK_DATETIME (context of "Creation Date")
- TSK_DATETIME (context of "Expiration Date")
- TSK_NAME
- TSK_VALUE
- TSK_FLAG
- TSK_PROG_NAME
TSK_WEB_HISTORY
- TSK_URL
- TSK_DATETIME
- TSK_PROG_NAME
TSK_WEB_DOWNLOAD
- TSK_URL
- TSK_DATETIME
- TSK_PATH (location saved to)
TSK_RECENT_OBJECT (MRU, recent docs, etc.)
- TSK_PATH
- TSK_DATETIME
- TSK_PROG_NAME
TSK_TRACKPOINT
- TSK_GEO
- TSK_DATETIME
TSK_INSTALLED_PROG
- PROG_NAME (method of determining "Hashset", "Registry", etc. in context)
TSK_KEYWORD_HIT
- TSK_KEYWORD (keyword that hit)
- TSK_REGEXP (regular expression that was used - if used)
- TSK_PREVIEW (40(?) chars of text before and after keyword hit)
- TSK_KEYWORD_SET (text name of a set that the keyword was part of)
= General Information Artifact Examples =
== Word Document ==
A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should
- Save the extracted text as a TEXT attribute in GEN_INFO
- Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
- Save the author as XX in GEN_INFO
- Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.
== JPEG File ==
A module that analyzes a JPEG image file could:
- Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.
= Other attributes =
- TSK_CREDITCARD (CCV, etc. in context)
- TSK_IP
- TSK_PHONE_NUMBER
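The artifact and attribute lists above, together with the keyword-hit and GEN_INFO module descriptions, describe a blackboard that modules post typed artifacts to. The following is an added example, not Sleuth Kit or Autopsy code: an in-memory blackboard that checks each posted artifact against the attribute types the lists above require, and a small keyword-search module that posts TSK_KEYWORD_HIT artifacts with a TSK_PREVIEW clamped at the start and end of the text. Assumptions: the preview width is 40 characters (the page writes "40(?)"), TSK_INSTALLED_PROG is treated as carrying TSK_PROG_NAME (the page writes PROG_NAME there), TSK_REGEXP is optional because it is only present when a regular expression produced the hit, and the sample text is constructed.

```python
import re
from dataclasses import dataclass, field

# Attribute types each artifact type must carry, derived from the lists on
# this page. TSK_DATETIME can be attached more than once with a different
# context (e.g. "Creation Date" and "Expiration Date" on a cookie), so the
# check is on attribute types present, not on how many of each there are.
# Assumption: TSK_INSTALLED_PROG uses TSK_PROG_NAME (the page writes
# PROG_NAME), and TSK_REGEXP is optional for TSK_KEYWORD_HIT.
REQUIRED_ATTRIBUTES = {
    "TSK_WEB_BOOKMARK":   {"TSK_URL", "TSK_DATETIME", "TSK_NAME", "TSK_PROG_NAME"},
    "TSK_WEB_COOKIE":     {"TSK_URL", "TSK_DATETIME", "TSK_NAME", "TSK_VALUE",
                           "TSK_FLAG", "TSK_PROG_NAME"},
    "TSK_WEB_HISTORY":    {"TSK_URL", "TSK_DATETIME", "TSK_PROG_NAME"},
    "TSK_WEB_DOWNLOAD":   {"TSK_URL", "TSK_DATETIME", "TSK_PATH"},
    "TSK_RECENT_OBJECT":  {"TSK_PATH", "TSK_DATETIME", "TSK_PROG_NAME"},
    "TSK_TRACKPOINT":     {"TSK_GEO", "TSK_DATETIME"},
    "TSK_INSTALLED_PROG": {"TSK_PROG_NAME"},
    "TSK_KEYWORD_HIT":    {"TSK_KEYWORD", "TSK_PREVIEW", "TSK_KEYWORD_SET"},
}

PREVIEW_CHARS = 40  # the page says "40(?)"; 40 is assumed here


@dataclass
class Attribute:
    type_name: str
    value: object
    context: str = ""   # e.g. "Last Visit Date" for a TSK_DATETIME


@dataclass
class Artifact:
    type_name: str
    attributes: list = field(default_factory=list)

    def values(self, type_name):
        """All values of one attribute type on this artifact."""
        return [a.value for a in self.attributes if a.type_name == type_name]


def missing_attributes(artifact):
    """Required attribute types the artifact does not carry (empty set = valid)."""
    present = {a.type_name for a in artifact.attributes}
    return REQUIRED_ATTRIBUTES.get(artifact.type_name, set()) - present


class Blackboard:
    """In-memory stand-in for the blackboard that modules post artifacts to."""

    def __init__(self):
        self.artifacts = []

    def post(self, artifact):
        missing = missing_attributes(artifact)
        if missing:
            raise ValueError(f"{artifact.type_name} missing {sorted(missing)}")
        self.artifacts.append(artifact)
        return artifact


def preview(text, start, end, width=PREVIEW_CHARS):
    """Up to `width` chars before and after the hit, clamped at the text ends."""
    return text[max(0, start - width):min(len(text), end + width)]


def keyword_search(board, text, keywords, set_name, regexps=()):
    """Post one TSK_KEYWORD_HIT per hit. Literal keywords match
    case-insensitively; regexps match as written and record TSK_REGEXP."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw), text, re.IGNORECASE):
            hits.append(board.post(Artifact("TSK_KEYWORD_HIT", [
                Attribute("TSK_KEYWORD", kw),
                Attribute("TSK_PREVIEW", preview(text, m.start(), m.end())),
                Attribute("TSK_KEYWORD_SET", set_name),
            ])))
    for pattern in regexps:
        for m in re.finditer(pattern, text):
            hits.append(board.post(Artifact("TSK_KEYWORD_HIT", [
                Attribute("TSK_KEYWORD", m.group(0)),
                Attribute("TSK_REGEXP", pattern),
                Attribute("TSK_PREVIEW", preview(text, m.start(), m.end())),
                Attribute("TSK_KEYWORD_SET", set_name),
            ])))
    return hits


# Constructed sample text standing in for text a module extracted from a file.
SAMPLE_TEXT = "Meeting notes: contact alice@example.com or call 555-0100 before Friday."

if __name__ == "__main__":
    board = Blackboard()
    for hit in keyword_search(board, SAMPLE_TEXT, ["contact"], "demo-set",
                              regexps=[r"\b555-\d{4}\b"]):
        print(hit.values("TSK_KEYWORD"), hit.values("TSK_PREVIEW"))
```

The required-attribute check is deliberately on attribute types rather than counts, because the lists above attach TSK_DATETIME to one artifact several times with different contexts; a module that posts a cookie without its TSK_FLAG is rejected at post time, which is the point at which the mistake is cheapest to find.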