Artifact Examples
From SleuthKitWiki
Artifact Examples
TSK_WEB_BOOKMARK
- TSK_URL
- TSK_DATETIME (context of "Last Visit Date")
- TSK_DATETIME (context of "Date Added")
- TSK_NAME (to store assigned name and folder)
- TSK_PROG_NAME
TSK_WEB_COOKIE
- TSK_URL
- TSK_DATETIME (context of "Creation Date")
- TSK_DATETIME (context of "Expiration Date")
- TSK_NAME
- TSK_VALUE
- TSK_FLAG
- TSK_PROG_NAME
TSK_WEB_HISTORY
- TSK_URL
- TSK_DATETIME
- TSK_PROG_NAME
TSK_WEB_DOWNLOAD
- TSK_URL
- TSK_DATETIME
- TSK_PATH (location saved to)
TSK_RECENT_OBJECT (MRU, recent docs, etc.)
- TSK_PATH
- TSK_DATETIME
- TSK_PROG_NAME
TSK_TRACKPOINT
- TSK_GEO
- TSK_DATETIME
TSK_INSTALLED_PROG
- TSK_PROG_NAME (the method by which the program was identified, e.g. "Hashset" or "Registry", goes in the context)
TSK_KEYWORD_HIT
- TSK_KEYWORD (keyword that hit)
- TSK_REGEXP (regular expression that was used - if used)
- TSK_PREVIEW (about 40 characters of text before and after the keyword hit; the exact count is still undecided)
- TSK_KEYWORD_SET (text name of a set that the keyword was part of)
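The following is an added example and not Sleuth Kit code: a small in-memory blackboard that mirrors the artifact/attribute layout listed above, with a builder for TSK_WEB_COOKIE (showing how the two TSK_DATETIME attributes are told apart only by their context strings) and one for TSK_KEYWORD_HIT (showing TSK_KEYWORD, TSK_REGEXP only when a regex was used, and a TSK_PREVIEW that is clipped at the start and end of the text). Only the artifact and attribute names come from the page; the classes, function names, the 40-character preview width, the card-number regex, the epoch-seconds encoding of dates and the sample inputs are assumptions made for this illustration.

```python
"""Added example, not Sleuth Kit code: a minimal in-memory blackboard that
mirrors the artifact/attribute layout on this page, plus builders for
TSK_WEB_COOKIE and TSK_KEYWORD_HIT. Artifact and attribute names are the
page's; the classes, function names, the 40-character preview width, the
regex and the sample inputs are assumptions made for this illustration."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

PREVIEW_CHARS = 40  # page says "40(?)" characters before and after a hit


@dataclass
class Attribute:
    type_name: str      # e.g. "TSK_DATETIME"
    value: object
    context: str = ""   # e.g. "Creation Date": tells repeated types apart


@dataclass
class Artifact:
    type_name: str      # e.g. "TSK_WEB_COOKIE"
    attributes: List[Attribute] = field(default_factory=list)

    def add(self, type_name: str, value, context: str = "") -> None:
        self.attributes.append(Attribute(type_name, value, context))

    def get(self, type_name: str, context: str = "") -> Optional[Attribute]:
        """First attribute with this type AND context, or None. A lookup
        without a context does not return a context-tagged attribute."""
        for a in self.attributes:
            if a.type_name == type_name and a.context == context:
                return a
        return None


def build_cookie_artifact(url, name, value, created: datetime,
                          expires: datetime, prog_name, flag="") -> Artifact:
    """TSK_WEB_COOKIE as laid out on the page. The two TSK_DATETIME
    attributes differ only by context; values are POSIX seconds (assumed)."""
    art = Artifact("TSK_WEB_COOKIE")
    art.add("TSK_URL", url)
    art.add("TSK_DATETIME", int(created.timestamp()), "Creation Date")
    art.add("TSK_DATETIME", int(expires.timestamp()), "Expiration Date")
    art.add("TSK_NAME", name)
    art.add("TSK_VALUE", value)
    art.add("TSK_FLAG", flag)
    art.add("TSK_PROG_NAME", prog_name)
    return art


def keyword_hits(text: str, pattern: str, keyword_set: str,
                 is_regex: bool = False) -> List[Artifact]:
    """One TSK_KEYWORD_HIT per match. TSK_KEYWORD holds the text that hit
    (for a regex, the matched string rather than the pattern); TSK_REGEXP is
    set only when a regex was used. The preview is clipped at the ends of
    the text so a hit in the first or last 40 characters still gets one."""
    regex = re.compile(pattern if is_regex else re.escape(pattern))
    hits = []
    for m in regex.finditer(text):
        start = max(0, m.start() - PREVIEW_CHARS)
        end = min(len(text), m.end() + PREVIEW_CHARS)
        art = Artifact("TSK_KEYWORD_HIT")
        art.add("TSK_KEYWORD", m.group(0))
        if is_regex:
            art.add("TSK_REGEXP", pattern)
        art.add("TSK_PREVIEW", text[start:end])
        art.add("TSK_KEYWORD_SET", keyword_set)
        hits.append(art)
    return hits


# Constructed sample input (not taken from any real image).
SAMPLE_TEXT = ("Invoice 4711 was paid from card 4111 1111 1111 1111 on Tuesday; "
               "please confirm receipt to billing@example.com before Friday.")
CARD_REGEX = r"\b(?:\d{4}[ -]?){3}\d{4}\b"   # assumed pattern for a 16-digit PAN


def sample_cookie() -> Artifact:
    """Constructed cookie record; the 'Secure' flag value is an assumption."""
    created = datetime.fromtimestamp(1700000000, tz=timezone.utc)
    expires = datetime.fromtimestamp(1700086400, tz=timezone.utc)
    return build_cookie_artifact("https://example.com/", "sid", "abc123",
                                 created, expires, "Firefox", flag="Secure")


def sample_hits() -> List[Artifact]:
    """A literal keyword at the very start of the text, then a regex hit."""
    return (keyword_hits(SAMPLE_TEXT, "Invoice", "Finance terms")
            + keyword_hits(SAMPLE_TEXT, CARD_REGEX, "Card numbers", is_regex=True))


if __name__ == "__main__":
    c = sample_cookie()
    print(c.type_name, c.get("TSK_DATETIME", "Creation Date").value)
    for h in sample_hits():
        print(h.get("TSK_KEYWORD").value, "->", repr(h.get("TSK_PREVIEW").value))
```

The point of the context string is visible in `get()`: asking for TSK_DATETIME without a context on the cookie returns nothing, because both dates are tagged, which is exactly why the page gives them distinct contexts. For keyword hits the preview is clipped rather than padded, so a hit in the first 40 characters of a file gets a shorter preview instead of an exception or an out-of-range slice.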
General Information Artifact Examples
Word Document
A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should:
- Save the extracted text as a TEXT attribute in GEN_INFO
- Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
- Save the author as XX in GEN_INFO
- Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.
JPEG File
A module that analyzes a JPEG image file could:
- Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.
Other attributes
- TSK_CREDITCARD (CVV, etc. in context)
- TSK_IP
- TSK_PHONE_NUMBER