(26 intermediate revisions by 6 users not shown) |
Line 1: |
Line 1: |
− | The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. For more details on the blackboard, refer to [http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html]. | + | The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. |
| | | |
− | This page lists general names of artifacts and attributes. Below are links to the specific C++ and Java references.
| + | It has been moved to here: http://sleuthkit.org/sleuthkit/docs/jni-docs/latest/artifact_catalog_page.html |
− | * C++ Artifacts
| + | |
− | * C++ Attributes
| + | |
− | * Java Artifacts
| + | |
− | * Java Attributes
| + | |
− | UPDATE THE ABOVE
| + | |
− | | + | |
− | = Artifact Examples =
| + | |
− | | + | |
− | TSK_WEB_BOOKMARK
| + | |
− | * TSK_URL
| + | |
− | * TSK_DATETIME (context of "Last Visit Date")
| + | |
− | * TSK_DATETIME (context of "Date Added")
| + | |
− | * TSK_NAME (to store assigned name and folder)
| + | |
− | * TSK_PROG_NAME
| + | |
− | | + | |
− | TSK_WEB_COOKIE
| + | |
− | * TSK_URL
| + | |
− | * TSK_DATETIME (context of "Creation Date")
| + | |
− | * TSK_DATETIME (context of "Expiration Date"
| + | |
− | * TSK_NAME
| + | |
− | * TSK_VALUE
| + | |
− | * TSK_FLAG
| + | |
− | * TSK_PROG_NAME
| + | |
− | | + | |
− | TSK_WEB_HISTORY
| + | |
− | * TSK_URL
| + | |
− | * TSK_DATETIME
| + | |
− | * TSK_PROG_NAME
| + | |
− | * TSK_REFERRER
| + | |
− | * TSK_USERNAME
| + | |
− | * TSK_NAME
| + | |
− | | + | |
− | TSK_WEB_DOWNLOAD
| + | |
− | * TSK_URL
| + | |
− | * TSK_DATETIME
| + | |
− | * TSK_PATH (location saved to)
| + | |
− | | + | |
− | TSK_RECENT_OBJECT (MRU, recent docs, etc.)
| + | |
− | * TSK_PATH
| + | |
− | * TSK_DATETIME
| + | |
− | * TSK_PROG_NAME
| + | |
− | | + | |
− | TSK_TRACKPOINT
| + | |
− | * TSK_GEO
| + | |
− | * TSK_DATETIME
| + | |
− | | + | |
− | TSK_INSTALLED_PROG
| + | |
− | * PROG_NAME (method of determining "Hashset", "Registry", etc. in context)
| + | |
− | | + | |
− | TSK_KEYWORD_HIT
| + | |
− | * TSK_KEYWORD (keyword that hit)
| + | |
− | * TSK_REGEXP (regular expression that was used - if used)
| + | |
− | * TSK_PREVIEW (45 chars of text before and after keyword hit)
| + | |
− | * TSK_KEYWORD_SET (text name of a set/list that the keyword was part of)
| + | |
− | | + | |
− | TSK_HASHSET_HIT
| + | |
− | * TSK_HASHSET_NAME (name or file name of hashset that hash was located in)
| + | |
− | | + | |
− | TSK_DEVICE_ATTACHED (for each time that a known device was attached to system USB ID, for example)
| + | |
− | * TSK_DEVICE_ID (ID of attached device)
| + | |
− | * TSK_DATETIME (Date that device was attached)
| + | |
− | * TSK_PATH (mount point for device)
| + | |
− | | + | |
− | = General Information Artifact Examples =
| + | |
− | | + | |
− | == Word Document ==
| + | |
− | A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should
| + | |
− | * Save the extracted text as a TEXT attribute in GEN_INFO
| + | |
− | * Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
| + | |
− | * Save the author as XX in GEN_INFO
| + | |
− | * Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.
| + | |
− | | + | |
− | | + | |
− | == JPEG File ==
| + | |
− | A module that analyzes a JPEG image file could:
| + | |
− | * Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.
| + | |
− | | + | |
− | = Other attributes =
| + | |
− | * TSK_CREDITCARD (ccv, etc in context)
| + | |
− | * TSK_IP_ADDRESS
| + | |
− | * TSK_PHONE_NUMBER
| + | |
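Review bot: The rewritten first paragraph drops the link to the framework blackboard documentation (http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html) that the old text carried, and the new pointer goes only to the Java artifact catalog (jni-docs/latest/artifact_catalog_page.html); if the C++ framework reference is still valid, keep both links so readers coming from either API can find the blackboard docs. Minor style point on the added line: "It has been moved to here:" reads better as "This page has moved to:" with the URL following, since "It" has no clear antecedent once the old list is gone.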
The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them.