Difference between revisions of "Artifact Examples"

From SleuthKitWiki
Jump to: navigation, search
Line 35: Line 35:
  
 
TSK_WEB_DOWNLOAD
 
TSK_WEB_DOWNLOAD
* TSK_URL
+
* TSK_URL (Location file was downloaded from)
* TSK_DATETIME
+
* TSK_DATETIME (time file was downloaded)
 
* TSK_PATH  (location saved to)
 
* TSK_PATH  (location saved to)
  
 
TSK_RECENT_OBJECT  (MRU, recent docs, etc.)
 
TSK_RECENT_OBJECT  (MRU, recent docs, etc.)
* TSK_PATH
+
* TSK_PATH (path of recently accessed file)
* TSK_DATETIME
+
* TSK_DATETIME (date of access, if known)
* TSK_PROG_NAME
+
* TSK_PROG_NAME (program that access is associated with -- "Windows", "Word", etc.)
  
 
TSK_TRACKPOINT
 
TSK_TRACKPOINT

Revision as of 09:30, 6 April 2012

The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. For more details on the blackboard, refer to http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html.

This page lists general names of artifacts and attributes. Below are links to the specific C++ and Java references.

  • C++ Artifacts
  • C++ Attributes
  • Java Artifacts
  • Java Attributes

UPDATE THE ABOVE

Artifact Examples

TSK_WEB_BOOKMARK

  • TSK_URL
  • TSK_DATETIME (context of "Last Visit Date")
  • TSK_DATETIME (context of "Date Added")
  • TSK_NAME (to store assigned name and folder)
  • TSK_PROG_NAME

TSK_WEB_COOKIE

  • TSK_URL
  • TSK_DATETIME (context of "Creation Date")
  • TSK_DATETIME (context of "Expiration Date"
  • TSK_NAME
  • TSK_VALUE
  • TSK_FLAG
  • TSK_PROG_NAME

TSK_WEB_HISTORY

  • TSK_URL
  • TSK_DATETIME
  • TSK_PROG_NAME
  • TSK_REFERRER
  • TSK_USERNAME
  • TSK_NAME

TSK_WEB_DOWNLOAD

  • TSK_URL (Location file was downloaded from)
  • TSK_DATETIME (time file was downloaded)
  • TSK_PATH (location saved to)

TSK_RECENT_OBJECT (MRU, recent docs, etc.)

  • TSK_PATH (path of recently accessed file)
  • TSK_DATETIME (date of access, if known)
  • TSK_PROG_NAME (program that access is associated with -- "Windows", "Word", etc.)

TSK_TRACKPOINT

  • TSK_GEO
  • TSK_DATETIME

TSK_INSTALLED_PROG

  • PROG_NAME (method of determining "Hashset", "Registry", etc. in context)

TSK_KEYWORD_HIT

  • TSK_KEYWORD (keyword that hit)
  • TSK_REGEXP (regular expression that was used - if used)
  • TSK_PREVIEW (45 chars of text before and after keyword hit)
  • TSK_KEYWORD_SET (text name of a set/list that the keyword was part of)

TSK_HASHSET_HIT

  • TSK_HASHSET_NAME (name or file name of hashset that hash was located in)

TSK_DEVICE_ATTACHED (for each time that a known device was attached to system USB ID, for example)

  • TSK_DEVICE_ID (ID of attached device)
  • TSK_DATETIME (Date that device was attached)
  • TSK_PATH (mount point for device)

General Information Artifact Examples

Word Document

A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should

  • Save the extracted text as a TEXT attribute in GEN_INFO
  • Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
  • Save the author as XX in GEN_INFO
  • Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.


JPEG File

A module that analyzes a JPEG image file could:

  • Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.

Other attributes

  • TSK_CREDITCARD (ccv, etc in context)
  • TSK_IP_ADDRESS
  • TSK_PHONE_NUMBER