Artifact Examples

From SleuthKitWiki
Revision as of 20:13, 3 January 2012 by Carrier (Talk | contribs)



Bookmark

  • URL
  • DATETIME
  • NAME/FOLDER
  • PROG_NAME

Cookie

  • URL
  • DATETIME
  • NAME/VALUE
  • FLAG
  • PROG_NAME

History

  • URL
  • DATETIME
  • PROG_NAME

RecentObject

  • PATH
  • PROG_NAME

TrackPoint

  • GEO
  • DATETIME

InstalledProgram

  • PROG_NAME (source in context) (XX: Perhaps these could all be stored in GEN_INFO if they are just a single attribute)

General Information Artifact Examples

Word Document

A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should

  • Save the extracted text as a TEXT attribute in GEN_INFO
  • Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
  • Save the author as XX in GEN_INFO
  • Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.


JPEG File

A module that analyzes a JPEG image file could:

  • Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.
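The following is an added example, not code from the Sleuth Kit wiki or from the framework itself. It models the artifact catalogue at the top of this page and the Word and JPEG module behaviour just described as a toy blackboard in Python: typed artifacts are checked against the attribute lists above, GEN_INFO accepts any attribute any number of times, every value keeps the module that produced it, and embedded files pulled from a Word document become derived files queued for processing. The names Blackboard, post_artifact, schema_errors, word_module and jpeg_module, the sample metadata, and the use of AUTHOR for the attribute name the page leaves as XX are all assumptions.

```python
from dataclasses import dataclass, field

GEN_INFO = "GEN_INFO"

# Allowed attribute names per artifact type, taken from the lists on this page.
ARTIFACT_SCHEMA = {
    "Bookmark": {"URL", "DATETIME", "NAME/FOLDER", "PROG_NAME"},
    "Cookie": {"URL", "DATETIME", "NAME/VALUE", "FLAG", "PROG_NAME"},
    "History": {"URL", "DATETIME", "PROG_NAME"},
    "RecentObject": {"PATH", "PROG_NAME"},
    "TrackPoint": {"GEO", "DATETIME"},
    "InstalledProgram": {"PROG_NAME"},
}


def schema_errors(art_type, attrs):
    """Return the problems with a list of (name, value) pairs for art_type.
    GEN_INFO is the per-file catch-all: any attribute, repeated freely
    (several DATETIME values for one Word file, for instance)."""
    if art_type == GEN_INFO:
        return []
    if art_type not in ARTIFACT_SCHEMA:
        return [f"unknown artifact type {art_type}"]
    names = [n for n, _ in attrs]
    errors = [f"{art_type} does not take attribute {n}"
              for n in sorted(set(names) - ARTIFACT_SCHEMA[art_type])]
    errors += [f"{art_type} attribute {n} given more than once"
               for n in sorted({n for n in names if names.count(n) > 1})]
    return errors


@dataclass
class Artifact:
    file_id: int
    art_type: str
    attrs: list   # (name, value, source module) triples: the "source in context"


@dataclass
class Blackboard:
    artifacts: list = field(default_factory=list)
    img_db: dict = field(default_factory=dict)   # file_id -> record (stand-in for ImgDB)
    queue: list = field(default_factory=list)    # derived files scheduled for processing
    next_id: int = 1

    def add_file(self, name, parent=None, derived=False):
        fid = self.next_id
        self.next_id += 1
        self.img_db[fid] = {"name": name, "parent": parent, "derived": derived}
        if derived:
            self.queue.append(fid)
        return fid

    def post_artifact(self, file_id, art_type, attrs, module):
        """Record attrs for file_id, rejecting anything outside the schema."""
        if file_id not in self.img_db:
            raise KeyError(f"no file {file_id} in ImgDB")
        errors = schema_errors(art_type, attrs)
        if errors:
            raise ValueError("; ".join(errors))
        art = Artifact(file_id, art_type, [(n, v, module) for n, v in attrs])
        self.artifacts.append(art)
        return art

    def values(self, file_id, name, art_type=GEN_INFO):
        return [v for a in self.artifacts
                if a.file_id == file_id and a.art_type == art_type
                for n, v, _ in a.attrs if n == name]


# Constructed sample input standing in for parsed Word metadata and EXIF tags.
SAMPLE_DOC = {"text": "Quarterly figures ...", "author": "J. Doe",
              "last_saved": "2011-12-30T09:12:00", "last_printed": None,
              "embedded": ["image1.png", "chart.xls"]}
SAMPLE_EXIF = {"DateTimeOriginal": "2011:11:02 14:03:10", "Model": "Canon EOS 7D"}


def word_module(bb, file_id, doc):
    """Word module: text, dates and author go to GEN_INFO; embedded files
    become derived files in ImgDB and are queued for processing."""
    attrs = [("TEXT", doc["text"])]
    for key in ("last_saved", "last_printed"):
        if doc.get(key):
            attrs.append(("DATETIME", doc[key]))
    attrs.append(("AUTHOR", doc["author"]))  # page leaves this name as XX; AUTHOR is an assumption
    bb.post_artifact(file_id, GEN_INFO, attrs, "word")
    return [bb.add_file(n, parent=file_id, derived=True) for n in doc["embedded"]]


def jpeg_module(bb, file_id, exif):
    """JPEG module: EXIF date and camera model as DATETIME and DEVICE in GEN_INFO."""
    attrs = [("DATETIME", exif["DateTimeOriginal"]), ("DEVICE", exif["Model"])]
    return bb.post_artifact(file_id, GEN_INFO, attrs, "jpeg")


def run_demo():
    bb = Blackboard()
    doc = bb.add_file("report.doc")          # file 1; derived files become 2 and 3
    word_module(bb, doc, SAMPLE_DOC)
    jpg = bb.add_file("IMG_0001.jpg")        # file 4
    jpeg_module(bb, jpg, SAMPLE_EXIF)
    places = bb.add_file("places.sqlite")    # file 5: a typed Bookmark artifact
    bb.post_artifact(places, "Bookmark", [("URL", "http://example.test/"),
                     ("DATETIME", "2011-11-03T08:00:00"), ("NAME/FOLDER", "Work/Example"),
                     ("PROG_NAME", "Firefox")], "firefox")
    return bb
```

Typed artifacts are validated before they reach the board, so a module that posts a PATH on a Bookmark fails loudly rather than silently storing an attribute nothing downstream will query; GEN_INFO is deliberately left open, which is the trade-off behind the XX note above about folding single-attribute artifacts into it.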