Difference between revisions of "Artifact Examples"

From SleuthKitWiki
Jump to: navigation, search
(Updated a few based on Autopsy use)
(Replaced content with "The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. It has been moved to here: http...")
 
(10 intermediate revisions by 4 users not shown)
Line 1: Line 1:
The TSK blackboard organizes data into artifacts.  This page lists the standard artifacts and what attributes should be defined with them.  For more details on the blackboard, refer to [http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html].  
+
The TSK blackboard organizes data into artifacts.  This page lists the standard artifacts and what attributes should be defined with them.
  
This page lists general names of artifacts and attributes. Below are links to the specific C++ and Java references.
+
It has been moved to here: http://sleuthkit.org/sleuthkit/docs/jni-docs/latest/artifact_catalog_page.html
* [http://sleuthkit.org/sleuthkit/docs/framework-docs/TskBlackboard_8h.html#aac7b5d32c4b75d65468bbd1e0cb11a44 C++ Artifacts]
+
* [http://sleuthkit.org/sleuthkit/docs/framework-docs/TskBlackboard_8h.html#a133dead0ca74c17235430e12789258f4 C++ Attributes]
+
* [http://www.sleuthkit.org/sleuthkit/docs/javadocs/org/sleuthkit/datamodel/BlackboardArtifact.ARTIFACT_TYPE.html Java Artifacts] (note that the C++ code has the full description of the artifacts)
+
* [http://www.sleuthkit.org/sleuthkit/docs/javadocs/org/sleuthkit/datamodel/BlackboardAttribute.ATTRIBUTE_TYPE.html Java Attributes] (note that the C++ code has the full description of the attributes)
+
 
+
= Artifact Examples =
+
 
+
'''TSK_WEB_BOOKMARK'''
+
* TSK_URL
+
* TSK_DATETIME (context of "Last Visit Date")
+
* TSK_DATETIME (context of "Date Added")
+
* TSK_NAME (to store assigned name and folder)
+
* TSK_PROG_NAME (browser this came from)
+
* TSK_TITLE (Title of webpage)
+
 
+
'''TSK_WEB_COOKIE'''
+
* TSK_URL
+
* TSK_DATETIME (context of "Creation Date")
+
* TSK_DATETIME (context of "Expiration Date"
+
* TSK_NAME
+
* TSK_VALUE
+
* TSK_FLAG
+
* TSK_PROG_NAME (browser this came from)
+
 
+
'''TSK_WEB_HISTORY'''
+
* TSK_URL
+
* TSK_DATETIME
+
* TSK_PROG_NAME (browser this came from)
+
* TSK_REFERRER
+
* TSK_USER_NAME
+
* TSK_TITLE (title of webpage)
+
 
+
'''TSK_WEB_DOWNLOAD'''
+
* TSK_URL  (Location file was downloaded from)
+
* TSK_DATETIME  (time file was downloaded)
+
* TSK_PATH  (location saved to)
+
 
+
'''TSK_RECENT_OBJECT'''  (MRU, recent docs, etc.)
+
* TSK_PATH (path of recently accessed file)
+
* TSK_PATH_ID (Object ID of file in TSK_PATH)
+
* TSK_DATETIME (date of access, if known)
+
* TSK_PROG_NAME (program that access is associated with -- "Windows", "Word", etc.)
+
 
+
'''TSK_TRACKPOINT'''
+
* TSK_GEO_LATITUDE
+
* TSK_GEO_LONGITUDE
+
* TSK_GEO_* (other geo-related attributes as needed and available)
+
* TSK_DATETIME
+
 
+
'''TSK_INSTALLED_PROG'''
+
* PROG_NAME  (method of determining "Hashset", "Registry", etc. in context)
+
* TSK_DATETIME (time that program was installed)
+
 
+
'''TSK_KEYWORD_HIT'''
+
* TSK_KEYWORD (keyword that hit)
+
* TSK_REGEXP (regular expression that was used - if used)
+
* TSK_PREVIEW (45 chars of text before and after keyword hit)
+
* TSK_SET_NAME (text name of a set/list that the keyword was part of)
+
 
+
'''TSK_HASHSET_HIT'''
+
* TSK_SET_NAME (name or file name of hashset that hash was located in)
+
 
+
'''TSK_DEVICE_ATTACHED''' (for each time that a known device was attached to system USB ID, for example)
+
* TSK_DEVICE_ID (ID of attached device)
+
* TSK_DATETIME (Date that device was attached)
+
* TSK_PATH (mount point for device)
+
 
+
'''TSK_INTERESTING_FILE''' (for a file that was found by it's name or other heuristic)
+
* TSK_SET_NAME (name of set that defined the rule that flagged this file)
+
 
+
'''TSK_EMAIL_MSG''' (for an e-mail message that was found)
+
* TSK_EMAIL_TO
+
* TSK_EMAIL_CC
+
* TSK_EMAIL_BCC
+
* TSK_EMAIL_FROM
+
* TSK_SUBJECT
+
* TSK_EMAIL_CONTENT_* (message body.  Use specific attribute for HTML, PlainText, or RTF. Use multiple content attributes if the message has both plain text and HTML)
+
* TSK_PATH (Folder that inbox is stored in -- "INBOX", etc.)
+
* TSK_USERNAME (Username of account that e-mail is associated with)
+
* TSK_DOMAIN (Domain of account that e-mail is associated with)
+
* TSK_DATETIME_RCVD
+
* TSK_DATETIME_SENT
+
* TSK_MSG_ID
+
* TSK_MSG_REPLY_ID
+
 
+
'''TSK_WEB_SEARCH_QUERY''' (for a web search engine query that was found in web browsing history or bookmarks)
+
* TSK_DOMAIN (Domain associated with the web search engine)
+
* TSK_TEXT (The extracted web engine text query)
+
* TSK_DATETIME (Date when the search was done)
+
* TSK_PROG_NAME (browser this came from)
+
* TSK_USERNAME
+
 
+
'''TSK_TAG_FILE''' (a file tag, tagged by a user or a module)
+
* TSK_TAG_NAME (Tag name, can contain slashes to organize tags in hierarchy.  Examples: "Bookmark", "Bookmark/Encrypted", "Malware", "Malware/Windows/Unknown"
+
* TSK_COMMENT (tag comment)
+
 
+
'''TSK_TAG_ARTIFACT''' (an artifact tag, tagged by a user or a module)
+
* TSK_TAG_NAME (Tag name, can contain slashes to organize tags in hierarchy.  Examples: "Bookmark", "Bookmark/Passwords"
+
* TSK_TAGGED_ARTIFACT (the source artifact to be tagged)
+
* TSK_COMMENT (tag comment)
+
 
+
'''TSK_OS_ACCOUNT''' (an operating system user account)
+
* TSK_USER_NAME (the login name associated with the account)
+
* TSK_USER_ID (an identifier associated with the account, e.g., a SID)
+
 
+
'''TSK_SERVICE_ACCOUNT''' (a network service user account)
+
* TSK_USER_NAME (the login name associated with the account)
+
* TSK_DOMAIN (the domain name of the network service)
+
 
+
'''TSK_CONTACT''' (a Address-book/Email/Messaging application contact )
+
* TSK_NAME_PERSON (contact's name)
+
* TSK_PHONE_NUMBER (contact's main/default phone number)
+
* TSK_PHONE_NUMBER_HOME (contact's home phone number)
+
* TSK_PHONE_NUMBER_OFFICE (contact's office phone number)
+
* TSK_PHONE_NUMBER_MOBILE (contact's mobile phone number)
+
* TSK_EMAIL (contact's main/default email address)
+
* TSK_EMAIL_HOME (contact's home email address)
+
* TSK_EMAIL_OFFICE (contact's office email address)
+
 
+
'''TSK_MESSAGE''' (an SMS/MMS message extracted from phone, or from another messaging application, like IM, Voicemail)
+
* TSK_MESSAGE_TYPE (message type: SMS, MMS, IM etc.)
+
* TSK_DIRECTION (message direction: incoming, outgoing etc.)
+
* TSK_PHONE_NUMBER_FROM (originating phone number)
+
* TSK_EMAIL_FROM (originating email address)
+
* TSK_PHONE_NUMBER_TO (destination phone number(s))
+
* TSK_EMAIL_TO(destination email address(es))
+
* TSK_DATETIME (date/time)
+
* TSK_SUBJECT (message subject)
+
* TSK_TEXT (message body)
+
 
+
'''TSK_CALLLOG''' (a phone call log extracted from a phone or soft-phone application)
+
* TSK_NAME_PERSON (other party's name) 
+
* TSK_PHONE_NUMBER (other party's phone number)
+
* TSK_DATETIME (date/time of call)
+
* TSK_DIRECTION (direction of call: incoming, outgoing)
+
 
+
 
+
'''TSK_CALENDAR_ENTRY''' (a Calendar entry from a phone, PIM or a Calendar application.)
+
* TSK_CALENDAR_ENTRY_TYPE (entry type: meeting, task, etc.)
+
* TSK_DESCRIPTION (calendar entry description)
+
* TSk_DATETIME_START (starting date/time)
+
* TSK_DATETIME_END (ending date/time)
+
 
+
'''TSK_SPEED_DIAL_ENTRY''' (a speed dial entry from a phone)
+
* TSK_SHORTCUT (dialing shortcut for the speed dial entry)
+
* TSK_PERSON_NAME (speed dial contact's name)
+
* TSK_PHONE_NUMBER (phone number to call)
+
 
+
'''TSK_BLUETOOTH_PAIRING''' (a Bluetooth pairing entry)
+
* TSK_DEVICE_NAME (paired device's name)
+
* TSK_DEVICE_ID (paired device's BT hardware address)
+
* TSK_DATETIME (date/time of pairing)
+
 
+
'''TSK_GPS_BOOKMARK''' (a GPS location bookmark)
+
* TSK_GPS_LATITUDE (latitude for the location)
+
* TSK_GPS_LONGITUDE (longitude for the location)
+
* TSK_GPS_ALTITUDE (altitude for the location)
+
* TSK_NAME (location name)
+
* TSK_LOCATION (descriptive address of the location - e.g. a street address)
+
* TSK_DATETIME (date/time when the bookmark was created)
+
 
+
'''TSK_GPS_LAST_KNOWN_LOCATION''' (a last known GPS location)
+
* TSK_GPS_LATITUDE (latitude for the location)
+
* TSK_GPS_LONGITUDE (longitude for the location)
+
* TSK_GPS_ALTITUDE (altitude for the location)
+
* TSK_NAME (location name)
+
* TSK_LOCATION (descriptive address of the location - e.g. a street address)
+
* TSK_DATETIME (date/time when the location was recorded)
+
 
+
'''TSK_GPS_SEARCH''' (a GPS location reported as a result of a search)
+
* TSK_GPS_LATITUDE (latitude for the location)
+
* TSK_GPS_LONGITUDE (longitude for the location)
+
* TSK_GPS_ALTITUDE (altitude for the location)
+
* TSK_NAME (location name)
+
* TSK_LOCATION (descriptive address of the location - e.g. a street address)
+
* TSK_DATETIME (date/time when the location was searched)
+
 
+
= General Information Artifact Examples =
+
 
+
== Word Document ==
+
A module that analyzes a Microsoft Word file can pull text and metadata from the file.  It should
+
* Save the extracted text as a TEXT attribute in GEN_INFO
+
* Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
+
* Save the author as XX in GEN_INFO
+
* Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.
+
 
+
 
+
== JPEG File ==
+
A module that analyzes a JPEG image file could:
+
* Save the EXIF data (DATETIME, DEVICE, GEO) as attributes in GEN_INFO.
+

Latest revision as of 12:16, 4 February 2020

The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them.

It has been moved to here: http://sleuthkit.org/sleuthkit/docs/jni-docs/latest/artifact_catalog_page.html