Difference between revisions of "Artifact Examples"

From SleuthKitWiki
(Replaced content with "The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. It has been moved to here: http...")
 
(31 intermediate revisions by 6 users not shown)
Line 1: Line 1:
The TSK blackboard organizes data into artifacts.  This page lists the standard artifacts and what attributes should be defined with them.  For more details on the blackboard, refer to [http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html].  
+
The TSK blackboard organizes data into artifacts.  This page lists the standard artifacts and what attributes should be defined with them.
  
This page lists general names of artifacts and attributes. Below are links to the specific C++ and Java references.
+
It has been moved to here: http://sleuthkit.org/sleuthkit/docs/jni-docs/latest/artifact_catalog_page.html
* C++ Artifacts
+
* C++ Attributes
+
* Java Artifacts
+
* Java Attributes
+
UPDATE THE ABOVE
+
 
+
= Artifact Examples =
+
 
+
TSK_WEB_BOOKMARK
+
* TSK_URL
+
* TSK_DATETIME (context of "Last Visit Date")
+
* TSK_DATETIME (context of "Date Added")
+
* TSK_NAME (to store assigned name and folder)
+
* TSK_PROG_NAME
+
 
+
TSK_WEB_COOKIE
+
* TSK_URL
+
* TSK_DATETIME (context of "Creation Date")
+
* TSK_DATETIME (context of "Expiration Date"
+
* TSK_NAME
+
* TSK_VALUE
+
* TSK_FLAG
+
* TSK_PROG_NAME
+
 
+
TSK_WEB_HISTORY
+
* TSK_URL
+
* TSK_DATETIME
+
* TSK_PROG_NAME
+
 
+
TSK_WEB_DOWNLOAD
+
* TSK_URL
+
* TSK_DATETIME
+
* TSK_PATH  (location saved to)
+
 
+
TSK_RECENT_OBJECT  (MRU, recent docs, etc.)
+
* TSK_PATH
+
* TSK_DATETIME
+
* TSK_PROG_NAME
+
 
+
TSK_TRACKPOINT
+
* TSK_GEO
+
* TSK_DATETIME
+
 
+
TSK_INSTALLED_PROG
+
* PROG_NAME  (method of determining "Hashset", "Registry", etc. in context)
+
 
+
TSK_KEYWORD_HIT
+
* TSK_KEYWORD (keyword that hit)
+
* TSK_REGEXP (regular expression that was used - if used)
+
* TSK_PREVIEW (40(?) chars of text before and after keyword hit)
+
* TSK_KEYWORD_SET (text name of a set that the keyword was part of)
+
 
+
= General Information Artifact Examples =
+
 
+
== Word Document ==
+
A module that analyzes a Microsoft Word file can pull text and metadata from the file.  It should
+
* Save the extracted text as a TEXT attribute in GEN_INFO
+
* Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
+
* Save the author as XX in GEN_INFO
+
* Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.
+
 
+
 
+
== JPEG File ==
+
A module that analyzes a JPEG image file could:
+
* Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.
+
 
+
= Other attributes =
+
* TSK_CREDITCARD (ccv, etc in context)
+
* TSK_IP
+
* TSK_PHONE_NUMBER
+
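Review bot: the replacement keeps the opening sentence but drops the pointer to the framework blackboard documentation (http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html) that the first removed paragraph carried; unless the new catalog page at http://sleuthkit.org/sleuthkit/docs/jni-docs/latest/artifact_catalog_page.html covers the same material for the C++ framework API, keep that link next to the "It has been moved to here" line. The removed lists also carried per-attribute context notes (e.g. TSK_DATETIME with "Last Visit Date" versus "Date Added" under TSK_WEB_BOOKMARK, TSK_PATH as "location saved to" under TSK_WEB_DOWNLOAD) that should be confirmed present in the catalog before this page is reduced to a redirect, since they are the only place on the page that distinguishes multiple attributes of the same type.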

Latest revision as of 12:16, 4 February 2020

The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them.

It has been moved to here: http://sleuthkit.org/sleuthkit/docs/jni-docs/latest/artifact_catalog_page.html