Difference between revisions of "Artifact Examples"

From SleuthKitWiki
m (Artifact Examples)
(5 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
The TSK blackboard organizes data into artifacts.  This page lists the standard artifacts and what attributes should be defined with them.  For more details on the blackboard, refer to [http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html].  
 
The TSK blackboard organizes data into artifacts.  This page lists the standard artifacts and what attributes should be defined with them.  For more details on the blackboard, refer to [http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html].  
  
This page lists general names of artifacts and attributes. Below are links to the specific C++ and Java references.
+
This page lists general names of artifacts and attributes. Below are links to the specific Java references.
* [http://sleuthkit.org/sleuthkit/docs/framework-docs/TskBlackboard_8h.html#aac7b5d32c4b75d65468bbd1e0cb11a44 C++ Artifacts]
+
* [http://www.sleuthkit.org/sleuthkit/docs/jni-docs/4.3/enumorg_1_1sleuthkit_1_1datamodel_1_1_blackboard_artifact_1_1_a_r_t_i_f_a_c_t___t_y_p_e.html Java Artifacts] (note that the C++ code has the full description of the artifacts)
* [http://sleuthkit.org/sleuthkit/docs/framework-docs/TskBlackboard_8h.html#a133dead0ca74c17235430e12789258f4 C++ Attributes]
+
* [http://www.sleuthkit.org/sleuthkit/docs/jni-docs/4.3/enumorg_1_1sleuthkit_1_1datamodel_1_1_blackboard_attribute_1_1_a_t_t_r_i_b_u_t_e___t_y_p_e.html Java Attributes] (note that the C++ code has the full description of the attributes)
* [http://www.sleuthkit.org/sleuthkit/docs/javadocs/org/sleuthkit/datamodel/BlackboardArtifact.ARTIFACT_TYPE.html Java Artifacts] (note that the C++ code has the full description of the artifacts)
+
 
* [http://www.sleuthkit.org/sleuthkit/docs/javadocs/org/sleuthkit/datamodel/BlackboardAttribute.ATTRIBUTE_TYPE.html Java Attributes] (note that the C++ code has the full description of the attributes)
+
  
 
= Artifact Examples =  
 
= Artifact Examples =  
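Review bot: the C++ Artifacts and C++ Attributes links are dropped in this hunk while the "(note that the C++ code has the full description of the ...)" parentheticals on the Java Artifacts and Java Attributes items are kept, so the reader is now pointed at C++ descriptions the page no longer links. Either keep one link to TskBlackboard_8h.html next to the Java links or drop the two parentheticals. The intro sentence is correctly updated from "C++ and Java references" to "Java references", which matches the removal.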
Line 71: Line 70:
 
'''TSK_INTERESTING_FILE_HIT''' (for a file that was found by its name or other heuristic)
 
'''TSK_INTERESTING_FILE_HIT''' (for a file that was found by its name or other heuristic)
 
* TSK_SET_NAME (name of set that defined the rule that flagged this file)
 
* TSK_SET_NAME (name of set that defined the rule that flagged this file)
 +
 +
'''TSK_INTERESTING_ARTIFACT_HIT''' (to identify an artifact as being interesting (for whatever reason).
 +
* NOTE: The source file for this artifact should be the same as the source file that associated artifact that we think is interesting
 +
* TSK_SET_NAME: Name of set that defined the rule that flagged this file.  Autopsy groups the hits by this name.
 +
* TSK_ASSOCIATED_ARTIFACT: The artifact ID that was considered interesting.
 +
* TSK_COMMENT: Optional comment to give more details about why it was flagged
 +
 +
 +
  
 
'''TSK_EMAIL_MSG''' (for an e-mail message that was found)
 
'''TSK_EMAIL_MSG''' (for an e-mail message that was found)
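Review bot: the new TSK_INTERESTING_ARTIFACT_HIT heading opens two parentheses and closes only one, and the NOTE bullet is missing a word in "the source file that associated artifact"; suggest "the same as the source file of the associated artifact that we think is interesting". The TSK_SET_NAME description is copied from TSK_INTERESTING_FILE_HIT and still says "flagged this file" although this artifact flags an artifact, and the three trailing blank "+" lines add nothing but whitespace.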
Line 79: Line 87:
 
* TSK_SUBJECT
 
* TSK_SUBJECT
 
* TSK_EMAIL_CONTENT_* (message body.  Use specific attribute for HTML, PlainText, or RTF. Use multiple content attributes if the message has both plain text and HTML)
 
* TSK_EMAIL_CONTENT_* (message body.  Use specific attribute for HTML, PlainText, or RTF. Use multiple content attributes if the message has both plain text and HTML)
* TSK_PATH (Folder that inbox is stored in -- "INBOX", etc.)
+
* TSK_PATH (Folder that inbox is stored in -- "INBOX", etc. This attribute is REQUIRED to make the artifact show up in Autopsy's tree view.)
 
* TSK_USERNAME (Username of account that e-mail is associated with)
 
* TSK_USERNAME (Username of account that e-mail is associated with)
 
* TSK_DOMAIN (Domain of account that e-mail is associated with)
 
* TSK_DOMAIN (Domain of account that e-mail is associated with)
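Review bot: the TSK_PATH change is the only attribute on the page marked REQUIRED, and the reason given is an Autopsy display concern (tree view) rather than a blackboard rule; since the line already names Autopsy as the consumer, consider marking other attributes that Autopsy's views depend on the same way so the convention is consistent. The unchanged wording "Folder that inbox is stored in" reads oddly beside the example value "INBOX"; "Folder the message is stored in" would describe the value better.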
Line 179: Line 187:
 
* TSK_DATETIME (date/time when the location was searched)
 
* TSK_DATETIME (date/time when the location was searched)
  
= General Information Artifact Examples =
+
'''TSK_REMOTE_DRIVE''' (a network drive)
 +
* TSK_LOCAL_PATH (local path to a network share)
 +
* TSK_REMOTE_PATH (remote path of the network share)
  
== Word Document ==
 
A module that analyzes a Microsoft Word file can pull text and metadata from the file.  It should
 
* Save the extracted text as a TEXT attribute in GEN_INFO
 
* Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
 
* Save the author as XX in GEN_INFO
 
* Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.
 
  
 +
= Changes in API =
 +
== Deprecated since API 3.1 ==
 +
Avoid the usage of the below as the behaviour has changed since the update to 3.1. TSK_TAG_FILE for example will not separate them by TSK_TAG_NAME anymore and they will all get grouped together as "Tagged Files" under extracted content.
  
== JPEG File ==
+
'''BlackboardArtifact.ARTIFACT_TYPE'''
A module that analyzes a JPEG image file could:
+
* TSK_TAG_ARTIFACT
* Save the EXIF data (DATETIME, DEVICE, GEO) as attributes in GEN_INFO.
+
* TSK_TAG_FILE
 +
 +
'''BlackboardAttribute.ATTRIBUTE_TYPE'''
 +
* TSK_ENCRYPTION_DETECTED
 +
* TSK_HASHSET_NAME
 +
* TSK_INTERESTING_FILE
 +
* TSK_KEYWORD_SET
 +
* TSK_TAGGED_ARTIFACT
 +
* TSK_TAG_NAME
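Review bot: the new "Deprecated since API 3.1" section lists TSK_TAG_FILE and TSK_TAG_ARTIFACT under BlackboardArtifact.ARTIFACT_TYPE and TSK_TAGGED_ARTIFACT and TSK_TAG_NAME under BlackboardAttribute.ATTRIBUTE_TYPE, but the TSK_TAG_FILE and TSK_TAG_ARTIFACT examples earlier on the page are left in place without a deprecation marker, so the page contradicts itself; suggest annotating those entries or moving them into this section. The "Word Document" and "JPEG File" subsections visible in this hunk (save extracted text as TEXT in GEN_INFO, dates as DATETIME, EXIF data as DATETIME/DEVICE/GEO attributes) are the only guidance on what to store in GEN_INFO and do not appear in the resulting revision; if that guidance is still valid it should be kept rather than lost with this edit.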

Revision as of 12:05, 26 April 2017

The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. For more details on the blackboard, refer to http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html.

This page lists general names of artifacts and attributes. Below are links to the specific Java references.

  • Java Artifacts (note that the C++ code has the full description of the artifacts)
  • Java Attributes (note that the C++ code has the full description of the attributes)


Artifact Examples

TSK_WEB_BOOKMARK

  • TSK_URL (URL of bookmark)
  • TSK_DATETIME_CREATED (when bookmark was created)
  • TSK_NAME (to store assigned name and folder)
  • TSK_PROG_NAME (browser this came from)
  • TSK_TITLE (Title of webpage)
  • TSK_DOMAIN (domain name of URL)

TSK_WEB_COOKIE

  • TSK_URL
  • TSK_DATETIME (last accessed)
  • TSK_NAME
  • TSK_VALUE
  • TSK_PROG_NAME (browser this came from)
  • TSK_DOMAIN (domain name of URL)

TSK_WEB_HISTORY

  • TSK_URL
  • TSK_DATETIME_ACCESSED
  • TSK_REFERRER
  • TSK_TITLE (title of webpage)
  • TSK_PROG_NAME (browser this came from)
  • TSK_DOMAIN (domain of URL)

TSK_WEB_DOWNLOAD

  • TSK_URL (Location file was downloaded from)
  • TSK_DATETIME_ACCESSED (time file was downloaded)
  • TSK_PATH (location saved to)
  • TSK_PATH_ID (ID of TSK_PATH attribute file)

TSK_RECENT_OBJECT (MRU, recent docs, etc.)

  • TSK_PATH (path of recently accessed file)
  • TSK_PATH_ID (Object ID of file in TSK_PATH)
  • TSK_DATETIME (date of access, if known)
  • TSK_PROG_NAME (program that access is associated with -- "Windows", "Word", etc.)

TSK_TRACKPOINT

  • TSK_GEO_LATITUDE
  • TSK_GEO_LONGITUDE
  • TSK_GEO_* (other geo-related attributes as needed and available)
  • TSK_DATETIME

TSK_INSTALLED_PROG

  • TSK_PROG_NAME (name of program installed)
  • TSK_DATETIME (time that program was installed)

TSK_KEYWORD_HIT

  • TSK_KEYWORD (keyword that hit)
  • TSK_REGEXP (regular expression that was used - if used)
  • TSK_PREVIEW (45 chars of text before and after keyword hit)
  • TSK_SET_NAME (text name of a set/list that the keyword was part of)

TSK_HASHSET_HIT

  • TSK_SET_NAME (name or file name of hashset that hash was located in)

TSK_DEVICE_ATTACHED (one for each time that a known device, identified by its USB ID for example, was attached to the system)

  • TSK_DEVICE_ID (ID of attached device)
  • TSK_DATETIME (Date that device was attached)
  • TSK_PATH (mount point for device)

TSK_INTERESTING_FILE_HIT (for a file that was found by its name or other heuristic)

  • TSK_SET_NAME (name of set that defined the rule that flagged this file)

TSK_INTERESTING_ARTIFACT_HIT (to identify an artifact as being interesting, for whatever reason)

  • NOTE: The source file for this artifact should be the same as the source file of the associated artifact that we think is interesting
  • TSK_SET_NAME: Name of set that defined the rule that flagged this file. Autopsy groups the hits by this name.
  • TSK_ASSOCIATED_ARTIFACT: The artifact ID that was considered interesting.
  • TSK_COMMENT: Optional comment to give more details about why it was flagged

TSK_EMAIL_MSG (for an e-mail message that was found)

  • TSK_EMAIL_TO
  • TSK_EMAIL_CC
  • TSK_EMAIL_BCC
  • TSK_EMAIL_FROM
  • TSK_SUBJECT
  • TSK_EMAIL_CONTENT_* (message body. Use specific attribute for HTML, PlainText, or RTF. Use multiple content attributes if the message has both plain text and HTML)
  • TSK_PATH (Folder that inbox is stored in -- "INBOX", etc. This attribute is REQUIRED to make the artifact show up in Autopsy's tree view.)
  • TSK_USERNAME (Username of account that e-mail is associated with)
  • TSK_DOMAIN (Domain of account that e-mail is associated with)
  • TSK_DATETIME_RCVD
  • TSK_DATETIME_SENT
  • TSK_MSG_ID
  • TSK_MSG_REPLY_ID
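How a module would post the TSK_EMAIL_MSG artifact above, and then flag it with a TSK_INTERESTING_ARTIFACT_HIT as described in the previous entry, through the SleuthKit Java datamodel API (org.sleuthkit.datamodel). This is an added example, not code from the wiki page or from the SleuthKit code base. It assumes an open case and an `AbstractFile` the message was parsed from; the class and method names, the module name `ExampleEmailParser`, and the field values a caller passes in are the example's own. The e-mail artifact carries the TSK_PATH folder attribute the page marks as required, and the hit is created on the same source file as the artifact it flags, with TSK_ASSOCIATED_ARTIFACT set to that artifact's ID.

```java
// Added example (not from the SleuthKit wiki or code base): posting a TSK_EMAIL_MSG
// artifact and a TSK_INTERESTING_ARTIFACT_HIT that references it.
// Assumes an open case; `file` is the AbstractFile the message was parsed from.
import java.util.ArrayList;
import java.util.List;

import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.TskCoreException;

public class EmailArtifactExample {

    // Recorded as the source module of every attribute (hypothetical module name).
    private static final String MODULE_NAME = "ExampleEmailParser";

    /** Posts a TSK_EMAIL_MSG artifact with the attributes listed on the wiki page. */
    public static BlackboardArtifact addEmailMessage(AbstractFile file, String from, String to,
            String subject, String plainBody, String folder, long sentEpochSeconds)
            throws TskCoreException {
        BlackboardArtifact msg = file.newArtifact(ARTIFACT_TYPE.TSK_EMAIL_MSG);
        List<BlackboardAttribute> attrs = new ArrayList<>();
        attrs.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_EMAIL_FROM, MODULE_NAME, from));
        attrs.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_EMAIL_TO, MODULE_NAME, to));
        attrs.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SUBJECT, MODULE_NAME, subject));
        // One content attribute per body encoding; only the plain-text body is shown here.
        attrs.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_EMAIL_CONTENT_PLAIN, MODULE_NAME, plainBody));
        // Folder the message lives in ("INBOX", ...). The page notes Autopsy's tree view needs it.
        attrs.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH, MODULE_NAME, folder));
        // Timestamps are stored as seconds since the Unix epoch.
        attrs.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_SENT, MODULE_NAME, sentEpochSeconds));
        msg.addAttributes(attrs);
        return msg;
    }

    /**
     * Flags an existing artifact as interesting. The hit is attached to the same source
     * file as the flagged artifact, as the NOTE on the wiki page requires.
     */
    public static BlackboardArtifact flagArtifact(AbstractFile sourceFile, BlackboardArtifact interesting,
            String setName, String comment) throws TskCoreException {
        // Enforce the "same source file" rule instead of relying on the caller to remember it.
        if (sourceFile.getId() != interesting.getObjectID()) {
            throw new IllegalArgumentException(
                    "interesting-artifact hit must be created on the flagged artifact's source file");
        }
        BlackboardArtifact hit = sourceFile.newArtifact(ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT);
        List<BlackboardAttribute> attrs = new ArrayList<>();
        // Autopsy groups hits by this set name.
        attrs.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, setName));
        // The flagged artifact is referenced by its artifact ID.
        attrs.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME,
                interesting.getArtifactID()));
        if (comment != null && !comment.isEmpty()) {
            attrs.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME, comment));
        }
        hit.addAttributes(attrs);
        return hit;
    }
}
```

`flagArtifact` rejects a hit whose source file does not match the flagged artifact's object ID, which is the NOTE above expressed as a check rather than a convention. Attributes are collected into a list and written with one `addAttributes` call instead of one database round trip per `addAttribute`.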

TSK_WEB_SEARCH_QUERY (for a web search engine query that was found in web browsing history or bookmarks)

  • TSK_DOMAIN (Domain associated with the web search engine)
  • TSK_TEXT (The extracted web engine text query)
  • TSK_DATETIME (Date when the search was done)
  • TSK_PROG_NAME (browser this came from)
  • TSK_USERNAME

TSK_TAG_FILE (a file tag, tagged by a user or a module)

  • TSK_TAG_NAME (Tag name, can contain slashes to organize tags in hierarchy. Examples: "Bookmark", "Bookmark/Encrypted", "Malware", "Malware/Windows/Unknown")
  • TSK_COMMENT (tag comment)

TSK_TAG_ARTIFACT (an artifact tag, tagged by a user or a module)

  • TSK_TAG_NAME (Tag name, can contain slashes to organize tags in hierarchy. Examples: "Bookmark", "Bookmark/Passwords")
  • TSK_TAGGED_ARTIFACT (the source artifact to be tagged)
  • TSK_COMMENT (tag comment)

TSK_OS_ACCOUNT (an operating system user account)

  • TSK_USER_NAME (the login name associated with the account)
  • TSK_USER_ID (an identifier associated with the account, e.g., a SID)

TSK_SERVICE_ACCOUNT (a network service user account)

  • TSK_USER_NAME (the login name associated with the account)
  • TSK_DOMAIN (the domain name of the network service)

TSK_CONTACT (an Address-book/Email/Messaging application contact)

  • TSK_NAME_PERSON (contact's name)
  • TSK_PHONE_NUMBER (contact's main/default phone number)
  • TSK_PHONE_NUMBER_HOME (contact's home phone number)
  • TSK_PHONE_NUMBER_OFFICE (contact's office phone number)
  • TSK_PHONE_NUMBER_MOBILE (contact's mobile phone number)
  • TSK_EMAIL (contact's main/default email address)
  • TSK_EMAIL_HOME (contact's home email address)
  • TSK_EMAIL_OFFICE (contact's office email address)

TSK_MESSAGE (an SMS/MMS message extracted from phone, or from another messaging application, like IM, Voicemail)

  • TSK_MESSAGE_TYPE (message type: SMS, MMS, IM etc.)
  • TSK_DIRECTION (message direction: incoming, outgoing etc.)
  • TSK_PHONE_NUMBER_FROM (originating phone number)
  • TSK_EMAIL_FROM (originating email address)
  • TSK_PHONE_NUMBER_TO (destination phone number(s))
  • TSK_EMAIL_TO (destination email address(es))
  • TSK_DATETIME (date/time)
  • TSK_SUBJECT (message subject)
  • TSK_TEXT (message body)

TSK_CALLLOG (a phone call log extracted from a phone or soft-phone application)

  • TSK_NAME_PERSON (other party's name)
  • TSK_PHONE_NUMBER (other party's phone number)
  • TSK_DATETIME (date/time of call)
  • TSK_DIRECTION (direction of call: incoming, outgoing)

TSK_CALENDAR_ENTRY (a Calendar entry from a phone, PIM or a Calendar application.)

  • TSK_CALENDAR_ENTRY_TYPE (entry type: meeting, task, etc.)
  • TSK_DESCRIPTION (calendar entry description)
  • TSK_DATETIME_START (starting date/time)
  • TSK_DATETIME_END (ending date/time)

TSK_SPEED_DIAL_ENTRY (a speed dial entry from a phone)

  • TSK_SHORTCUT (dialing shortcut for the speed dial entry)
  • TSK_PERSON_NAME (speed dial contact's name)
  • TSK_PHONE_NUMBER (phone number to call)

TSK_BLUETOOTH_PAIRING (a Bluetooth pairing entry)

  • TSK_DEVICE_NAME (paired device's name)
  • TSK_DEVICE_ID (paired device's BT hardware address)
  • TSK_DATETIME (date/time of pairing)

TSK_GPS_BOOKMARK (a GPS location bookmark)

  • TSK_GPS_LATITUDE (latitude for the location)
  • TSK_GPS_LONGITUDE (longitude for the location)
  • TSK_GPS_ALTITUDE (altitude for the location)
  • TSK_NAME (location name)
  • TSK_LOCATION (descriptive address of the location - e.g. a street address)
  • TSK_DATETIME (date/time when the bookmark was created)

TSK_GPS_LAST_KNOWN_LOCATION (a last known GPS location)

  • TSK_GPS_LATITUDE (latitude for the location)
  • TSK_GPS_LONGITUDE (longitude for the location)
  • TSK_GPS_ALTITUDE (altitude for the location)
  • TSK_NAME (location name)
  • TSK_LOCATION (descriptive address of the location - e.g. a street address)
  • TSK_DATETIME (date/time when the location was recorded)

TSK_GPS_SEARCH (a GPS location reported as a result of a search)

  • TSK_GPS_LATITUDE (latitude for the location)
  • TSK_GPS_LONGITUDE (longitude for the location)
  • TSK_GPS_ALTITUDE (altitude for the location)
  • TSK_NAME (location name)
  • TSK_LOCATION (descriptive address of the location - e.g. a street address)
  • TSK_DATETIME (date/time when the location was searched)

TSK_REMOTE_DRIVE (a network drive)

  • TSK_LOCAL_PATH (local path to a network share)
  • TSK_REMOTE_PATH (remote path of the network share)


Changes in API

Deprecated since API 3.1

Avoid using the types listed below, because their behaviour changed in the 3.1 update. TSK_TAG_FILE, for example, no longer separates tagged files by TSK_TAG_NAME; they are all grouped together as "Tagged Files" under extracted content.

BlackboardArtifact.ARTIFACT_TYPE

  • TSK_TAG_ARTIFACT
  • TSK_TAG_FILE

BlackboardAttribute.ATTRIBUTE_TYPE

  • TSK_ENCRYPTION_DETECTED
  • TSK_HASHSET_NAME
  • TSK_INTERESTING_FILE
  • TSK_KEYWORD_SET
  • TSK_TAGGED_ARTIFACT
  • TSK_TAG_NAME