Difference between revisions of "Artifact Examples" (SleuthKitWiki)

Earlier revision of the page (the artifact and attribute design notes), followed by the latest revision, which replaced the page with a pointer to the current artifact catalog in the TSK documentation.

= Artifact Examples =

The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and the attributes that should be defined with them.

Bookmark
* URL
* DATETIME
* NAME/FOLDER
* PROG_NAME

Cookie
* URL
* DATETIME
* NAME/VALUE
* FLAG
* PROG_NAME

History
* URL
* DATETIME
* PROG_NAME

RecentObject
* PATH
* PROG_NAME

TrackPoint
* GEO
* DATETIME

InstalledProgram
* PROG_NAME (source in context)  (XX: Perhaps these could all be stored in GEN_INFO if they are just a single attribute)

= General Information Artifact Examples =

== Word Document ==

A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should:
* Save the extracted text as a TEXT attribute in GEN_INFO
* Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
* Save the author as XX in GEN_INFO
* Add any images and embedded files that it can extract to the central ImgDB as derived files and schedule them for processing.

== JPEG File ==

A module that analyzes a JPEG image file could:
* Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.
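The two artifact shapes described on this page, the typed Bookmark artifact from the list above and the per-file GEN_INFO case from the JPEG section, written as an added example against the current TSK Java datamodel (org.sleuthkit.datamodel). This is not code from this wiki page or from The Sleuth Kit itself. The type names it uses (TSK_WEB_BOOKMARK, TSK_URL, TSK_DATETIME_CREATED, TSK_NAME, TSK_PROG_NAME, TSK_DEVICE_MAKE, TSK_DEVICE_MODEL, TSK_GEN_INFO via getGenInfoArtifact) postdate this page and come from the artifact catalog it links to; MODULE_NAME is a hypothetical module name, the caller is assumed to hold AbstractFile objects from an open SleuthkitCase, and DATETIME values are seconds since the Unix epoch, which is how TSK stores them.

```java
import java.util.ArrayList;
import java.util.List;

import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.TskCoreException;

/**
 * Added example: posts the two artifact shapes from this page to the TSK blackboard.
 *  - Bookmark: one typed artifact per bookmark with its own attribute set.
 *  - JPEG EXIF: single-value attributes placed on the file's one GEN_INFO artifact.
 */
public class ArtifactExamples {

    /** Hypothetical module name; every attribute records which module created it. */
    private static final String MODULE_NAME = "ExampleArtifactModule";

    /**
     * Bookmark: URL, DATETIME, NAME, PROG_NAME.
     * The artifact is attached to the file the bookmark was parsed from (e.g. a browser's bookmark store).
     */
    public static BlackboardArtifact postBookmark(AbstractFile bookmarkFile, String url,
            long createdEpochSeconds, String name, String browserName) throws TskCoreException {
        BlackboardArtifact bookmark = bookmarkFile.newArtifact(
                BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID());

        List<BlackboardAttribute> attrs = new ArrayList<>();
        attrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL, MODULE_NAME, url));
        // DATETIME attributes take a long: seconds since the Unix epoch.
        attrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, MODULE_NAME, createdEpochSeconds));
        attrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME, MODULE_NAME, name));
        attrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, MODULE_NAME, browserName));
        // Add all attributes in one call rather than one database round trip per attribute.
        bookmark.addAttributes(attrs);
        return bookmark;
    }

    /**
     * JPEG: EXIF capture time and camera make/model go on the file's GEN_INFO artifact.
     * getGenInfoArtifact() returns the file's existing GEN_INFO artifact or creates it,
     * so several modules can each add their single-value attributes to the same artifact
     * instead of creating a typed artifact for every one-attribute finding.
     */
    public static BlackboardArtifact postExifToGenInfo(AbstractFile jpeg, long captureEpochSeconds,
            String make, String model) throws TskCoreException {
        BlackboardArtifact genInfo = jpeg.getGenInfoArtifact();

        List<BlackboardAttribute> attrs = new ArrayList<>();
        attrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, MODULE_NAME, captureEpochSeconds));
        // EXIF fields come from evidence and are often absent or empty; only post what was actually present.
        if (make != null && !make.isEmpty()) {
            attrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MAKE, MODULE_NAME, make));
        }
        if (model != null && !model.isEmpty()) {
            attrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MODEL, MODULE_NAME, model));
        }
        genInfo.addAttributes(attrs);
        return genInfo;
    }
}
```

The attribute constructors are typed: passing a String to a DATETIME attribute type (or a long to a STRING one) throws IllegalArgumentException, so a module should convert parsed timestamps to epoch seconds before building the attribute rather than storing the raw EXIF date string.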

Latest revision as of 13:16, 4 February 2020

The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them.

It has been moved to here: http://sleuthkit.org/sleuthkit/docs/jni-docs/latest/artifact_catalog_page.html