Artifact Examples

From SleuthKitWiki
Revision as of 13:04, 16 March 2012 by Amalinowski (Talk | contribs)

Jump to: navigation, search

The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. For more details on the blackboard, refer to http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html.

This page lists general names of artifacts and attributes. Below are links to the specific C++ and Java references.

  • C++ Artifacts
  • C++ Attributes
  • Java Artifacts
  • Java Attributes

UPDATE THE ABOVE

Artifact Examples

TSK_WEB_BOOKMARK

  • TSK_URL
  • TSK_DATETIME (context of "Last Visit Date")
  • TSK_DATETIME (context of "Date Added")
  • TSK_NAME (to store assigned name and folder)
  • TSK_PROG_NAME

TSK_WEB_COOKIE

  • TSK_URL
  • TSK_DATETIME (context of "Creation Date")
  • TSK_DATETIME (context of "Expiration Date"
  • TSK_NAME
  • TSK_VALUE
  • TSK_FLAG
  • TSK_PROG_NAME

TSK_WEB_HISTORY

  • TSK_URL
  • TSK_DATETIME
  • TSK_PROG_NAME
  • TSK_REFERRER
  • TSK_USERNAME
  • TSK_NAME

TSK_WEB_DOWNLOAD

  • TSK_URL
  • TSK_DATETIME
  • TSK_PATH (location saved to)

TSK_RECENT_OBJECT (MRU, recent docs, etc.)

  • TSK_PATH
  • TSK_DATETIME
  • TSK_PROG_NAME

TSK_TRACKPOINT

  • TSK_GEO
  • TSK_DATETIME

TSK_INSTALLED_PROG

  • PROG_NAME (method of determining "Hashset", "Registry", etc. in context)

TSK_KEYWORD_HIT

  • TSK_KEYWORD (keyword that hit)
  • TSK_REGEXP (regular expression that was used - if used)
  • TSK_PREVIEW (45 chars of text before and after keyword hit)
  • TSK_KEYWORD_SET (text name of a set/list that the keyword was part of)

General Information Artifact Examples

Word Document

A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should

  • Save the extracted text as a TEXT attribute in GEN_INFO
  • Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
  • Save the author as XX in GEN_INFO
  • Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.


JPEG File

A module that analyzes a JPEG image file could:

  • Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.

Other attributes

  • TSK_CREDITCARD (ccv, etc in context)
  • TSK_IP_ADDRESS
  • TSK_PHONE_NUMBER
Retrieved from "http://wiki.sleuthkit.org/index.php?title=Artifact_Examples&oldid=655"