(3 intermediate revisions by 2 users not shown) |
Line 1: |
Line 1: |
− | The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. For more details on the blackboard, refer to [http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html]. | + | The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. |
| | | |
− | This page lists general names of artifacts and attributes. Below are links to the specific C++ and Java references.
| + | It has been moved to here: http://sleuthkit.org/sleuthkit/docs/jni-docs/latest/artifact_catalog_page.html |
− | * [http://sleuthkit.org/sleuthkit/docs/framework-docs/TskBlackboard_8h.html#aac7b5d32c4b75d65468bbd1e0cb11a44 C++ Artifacts]
| + | |
− | * [http://sleuthkit.org/sleuthkit/docs/framework-docs/TskBlackboard_8h.html#a133dead0ca74c17235430e12789258f4 C++ Attributes]
| + | |
− | * [http://www.sleuthkit.org/sleuthkit/docs/jni-docs/enumorg_1_1sleuthkit_1_1datamodel_1_1_blackboard_artifact_1_1_a_r_t_i_f_a_c_t___t_y_p_e.html Java Artifacts] (note that the C++ code has the full description of the artifacts)
| + | |
− | * [http://www.sleuthkit.org/sleuthkit/docs/jni-docs/enumorg_1_1sleuthkit_1_1datamodel_1_1_blackboard_attribute_1_1_a_t_t_r_i_b_u_t_e___t_y_p_e.html Java Attributes] (note that the C++ code has the full description of the attributes)
| + | |
− | | + | |
− | = Artifact Examples =
| + | |
− | | + | |
− | '''TSK_WEB_BOOKMARK'''
| + | |
− | * TSK_URL (URL of bookmark)
| + | |
− | * TSK_DATETIME_CREATED (when bookmark was created)
| + | |
− | * TSK_NAME (to store assigned name and folder)
| + | |
− | * TSK_PROG_NAME (browser this came from)
| + | |
− | * TSK_TITLE (Title of webpage)
| + | |
− | * TSK_DOMAIN (domain name of URL)
| + | |
− | | + | |
− | '''TSK_WEB_COOKIE'''
| + | |
− | * TSK_URL
| + | |
− | * TSK_DATETIME (last accessed)
| + | |
− | * TSK_NAME
| + | |
− | * TSK_VALUE
| + | |
− | * TSK_PROG_NAME (browser this came from)
| + | |
− | * TSK_DOMAIN (domain name of URL)
| + | |
− | | + | |
− | '''TSK_WEB_HISTORY'''
| + | |
− | * TSK_URL
| + | |
− | * TSK_DATETIME_ACCESSED
| + | |
− | * TSK_REFERRER
| + | |
− | * TSK_TITLE (title of webpage)
| + | |
− | * TSK_PROG_NAME (browser this came from)
| + | |
− | * TSK_DOMAIN (domain of URL)
| + | |
− | | + | |
− | '''TSK_WEB_DOWNLOAD'''
| + | |
− | * TSK_URL (Location file was downloaded from)
| + | |
− | * TSK_DATETIME_ACCESSED (time file was downloaded)
| + | |
− | * TSK_PATH (location saved to)
| + | |
− | * TSK_PATH_ID (ID of TSK_PATH attribute file)
| + | |
− | | + | |
− | '''TSK_RECENT_OBJECT''' (MRU, recent docs, etc.)
| + | |
− | * TSK_PATH (path of recently accessed file)
| + | |
− | * TSK_PATH_ID (Object ID of file in TSK_PATH)
| + | |
− | * TSK_DATETIME (date of access, if known)
| + | |
− | * TSK_PROG_NAME (program that access is associated with -- "Windows", "Word", etc.)
| + | |
− | | + | |
− | '''TSK_TRACKPOINT'''
| + | |
− | * TSK_GEO_LATITUDE
| + | |
− | * TSK_GEO_LONGITUDE
| + | |
− | * TSK_GEO_* (other geo-related attributes as needed and available)
| + | |
− | * TSK_DATETIME
| + | |
− | | + | |
− | '''TSK_INSTALLED_PROG'''
| + | |
− | * PROG_NAME (name of program installed)
| + | |
− | * TSK_DATETIME (time that program was installed)
| + | |
− | | + | |
− | '''TSK_KEYWORD_HIT'''
| + | |
− | * TSK_KEYWORD (keyword that hit)
| + | |
− | * TSK_REGEXP (regular expression that was used - if used)
| + | |
− | * TSK_PREVIEW (45 chars of text before and after keyword hit)
| + | |
− | * TSK_SET_NAME (text name of a set/list that the keyword was part of)
| + | |
− | | + | |
− | '''TSK_HASHSET_HIT'''
| + | |
− | * TSK_SET_NAME (name or file name of hashset that hash was located in)
| + | |
− | | + | |
− | '''TSK_DEVICE_ATTACHED''' (for each time that a known device was attached to system USB ID, for example)
| + | |
− | * TSK_DEVICE_ID (ID of attached device)
| + | |
− | * TSK_DATETIME (Date that device was attached)
| + | |
− | * TSK_PATH (mount point for device)
| + | |
− | | + | |
− | '''TSK_INTERESTING_FILE_HIT''' (for a file that was found by its name or other heuristic)
| + | |
− | * TSK_SET_NAME (name of set that defined the rule that flagged this file)
| + | |
− | | + | |
− | '''TSK_EMAIL_MSG''' (for an e-mail message that was found)
| + | |
− | * TSK_EMAIL_TO
| + | |
− | * TSK_EMAIL_CC
| + | |
− | * TSK_EMAIL_BCC
| + | |
− | * TSK_EMAIL_FROM
| + | |
− | * TSK_SUBJECT
| + | |
− | * TSK_EMAIL_CONTENT_* (message body. Use specific attribute for HTML, PlainText, or RTF. Use multiple content attributes if the message has both plain text and HTML)
| + | |
− | * TSK_PATH (Folder that inbox is stored in -- "INBOX", etc.)
| + | |
− | * TSK_USERNAME (Username of account that e-mail is associated with)
| + | |
− | * TSK_DOMAIN (Domain of account that e-mail is associated with)
| + | |
− | * TSK_DATETIME_RCVD
| + | |
− | * TSK_DATETIME_SENT
| + | |
− | * TSK_MSG_ID
| + | |
− | * TSK_MSG_REPLY_ID
| + | |
− | | + | |
− | '''TSK_WEB_SEARCH_QUERY''' (for a web search engine query that was found in web browsing history or bookmarks)
| + | |
− | * TSK_DOMAIN (Domain associated with the web search engine)
| + | |
− | * TSK_TEXT (The extracted web engine text query)
| + | |
− | * TSK_DATETIME (Date when the search was done)
| + | |
− | * TSK_PROG_NAME (browser this came from)
| + | |
− | * TSK_USERNAME
| + | |
− | | + | |
− | '''TSK_TAG_FILE''' (a file tag, tagged by a user or a module)
| + | |
− | * TSK_TAG_NAME (Tag name, can contain slashes to organize tags in hierarchy. Examples: "Bookmark", "Bookmark/Encrypted", "Malware", "Malware/Windows/Unknown"
| + | |
− | * TSK_COMMENT (tag comment)
| + | |
− | | + | |
− | '''TSK_TAG_ARTIFACT''' (an artifact tag, tagged by a user or a module)
| + | |
− | * TSK_TAG_NAME (Tag name, can contain slashes to organize tags in hierarchy. Examples: "Bookmark", "Bookmark/Passwords"
| + | |
− | * TSK_TAGGED_ARTIFACT (the source artifact to be tagged)
| + | |
− | * TSK_COMMENT (tag comment)
| + | |
− | | + | |
− | '''TSK_OS_ACCOUNT''' (an operating system user account)
| + | |
− | * TSK_USER_NAME (the login name associated with the account)
| + | |
− | * TSK_USER_ID (an identifier associated with the account, e.g., a SID)
| + | |
− | | + | |
− | '''TSK_SERVICE_ACCOUNT''' (a network service user account)
| + | |
− | * TSK_USER_NAME (the login name associated with the account)
| + | |
− | * TSK_DOMAIN (the domain name of the network service)
| + | |
− | | + | |
− | '''TSK_CONTACT''' (a Address-book/Email/Messaging application contact )
| + | |
− | * TSK_NAME_PERSON (contact's name)
| + | |
− | * TSK_PHONE_NUMBER (contact's main/default phone number)
| + | |
− | * TSK_PHONE_NUMBER_HOME (contact's home phone number)
| + | |
− | * TSK_PHONE_NUMBER_OFFICE (contact's office phone number)
| + | |
− | * TSK_PHONE_NUMBER_MOBILE (contact's mobile phone number)
| + | |
− | * TSK_EMAIL (contact's main/default email address)
| + | |
− | * TSK_EMAIL_HOME (contact's home email address)
| + | |
− | * TSK_EMAIL_OFFICE (contact's office email address)
| + | |
− | | + | |
− | '''TSK_MESSAGE''' (an SMS/MMS message extracted from phone, or from another messaging application, like IM, Voicemail)
| + | |
− | * TSK_MESSAGE_TYPE (message type: SMS, MMS, IM etc.)
| + | |
− | * TSK_DIRECTION (message direction: incoming, outgoing etc.)
| + | |
− | * TSK_PHONE_NUMBER_FROM (originating phone number)
| + | |
− | * TSK_EMAIL_FROM (originating email address)
| + | |
− | * TSK_PHONE_NUMBER_TO (destination phone number(s))
| + | |
− | * TSK_EMAIL_TO(destination email address(es))
| + | |
− | * TSK_DATETIME (date/time)
| + | |
− | * TSK_SUBJECT (message subject)
| + | |
− | * TSK_TEXT (message body)
| + | |
− | | + | |
− | '''TSK_CALLLOG''' (a phone call log extracted from a phone or soft-phone application)
| + | |
− | * TSK_NAME_PERSON (other party's name)
| + | |
− | * TSK_PHONE_NUMBER (other party's phone number)
| + | |
− | * TSK_DATETIME (date/time of call)
| + | |
− | * TSK_DIRECTION (direction of call: incoming, outgoing)
| + | |
− | | + | |
− | | + | |
− | '''TSK_CALENDAR_ENTRY''' (a Calendar entry from a phone, PIM or a Calendar application.)
| + | |
− | * TSK_CALENDAR_ENTRY_TYPE (entry type: meeting, task, etc.)
| + | |
− | * TSK_DESCRIPTION (calendar entry description)
| + | |
− | * TSk_DATETIME_START (starting date/time)
| + | |
− | * TSK_DATETIME_END (ending date/time)
| + | |
− | | + | |
− | '''TSK_SPEED_DIAL_ENTRY''' (a speed dial entry from a phone)
| + | |
− | * TSK_SHORTCUT (dialing shortcut for the speed dial entry)
| + | |
− | * TSK_PERSON_NAME (speed dial contact's name)
| + | |
− | * TSK_PHONE_NUMBER (phone number to call)
| + | |
− | | + | |
− | '''TSK_BLUETOOTH_PAIRING''' (a Bluetooth pairing entry)
| + | |
− | * TSK_DEVICE_NAME (paired device's name)
| + | |
− | * TSK_DEVICE_ID (paired device's BT hardware address)
| + | |
− | * TSK_DATETIME (date/time of pairing)
| + | |
− | | + | |
− | '''TSK_GPS_BOOKMARK''' (a GPS location bookmark)
| + | |
− | * TSK_GPS_LATITUDE (latitude for the location)
| + | |
− | * TSK_GPS_LONGITUDE (longitude for the location)
| + | |
− | * TSK_GPS_ALTITUDE (altitude for the location)
| + | |
− | * TSK_NAME (location name)
| + | |
− | * TSK_LOCATION (descriptive address of the location - e.g. a street address)
| + | |
− | * TSK_DATETIME (date/time when the bookmark was created)
| + | |
− | | + | |
− | '''TSK_GPS_LAST_KNOWN_LOCATION''' (a last known GPS location)
| + | |
− | * TSK_GPS_LATITUDE (latitude for the location)
| + | |
− | * TSK_GPS_LONGITUDE (longitude for the location)
| + | |
− | * TSK_GPS_ALTITUDE (altitude for the location)
| + | |
− | * TSK_NAME (location name)
| + | |
− | * TSK_LOCATION (descriptive address of the location - e.g. a street address)
| + | |
− | * TSK_DATETIME (date/time when the location was recorded)
| + | |
− | | + | |
− | '''TSK_GPS_SEARCH''' (a GPS location reported as a result of a search)
| + | |
− | * TSK_GPS_LATITUDE (latitude for the location)
| + | |
− | * TSK_GPS_LONGITUDE (longitude for the location)
| + | |
− | * TSK_GPS_ALTITUDE (altitude for the location)
| + | |
− | * TSK_NAME (location name)
| + | |
− | * TSK_LOCATION (descriptive address of the location - e.g. a street address)
| + | |
− | * TSK_DATETIME (date/time when the location was searched)
| + | |
− | | + | |
− | '''TSK_REMOTE_DRIVE''' (a network drive)
| + | |
− | * TSK_LOCAL_PATH (local path to a network share)
| + | |
− | * TSK_REMOTE_PATH (remote path of the network share)
| + | |
− | | + | |
− | = General Information Artifact Examples =
| + | |
− | | + | |
− | == Word Document ==
| + | |
− | A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should
| + | |
− | * Save the extracted text as a TEXT attribute in GEN_INFO
| + | |
− | * Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
| + | |
− | * Save the author as XX in GEN_INFO
| + | |
− | * Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.
| + | |
− | | + | |
− | | + | |
− | == JPEG File ==
| + | |
− | A module that analyzes a JPEG image file could:
| + | |
− | * Save the EXIF data (DATETIME, DEVICE, GEO) as attributes in GEN_INFO.
| + | |
− | | + | |
− | | + | |
− | = Changes in API =
| + | |
− | == Deprecated since API 3.1 ==
| + | |
− | Avoid the usage of the below as the behaviour has changed since the update to 3.1. TSK_TAG_FILE for example will not separate them by TSK_TAG_NAME anymore and they will all get grouped together as "Tagged Files" under extracted content.
| + | |
− | | + | |
− | '''BlackboardArtifact.ARTIFACT_TYPE'''
| + | |
− | * TSK_TAG_ARTIFACT
| + | |
− | * TSK_TAG_FILE
| + | |
− |
| + | |
− | '''BlackboardAttribute.ATTRIBUTE_TYPE'''
| + | |
− | * TSK_ENCRYPTION_DETECTED
| + | |
− | * TSK_HASHSET_NAME
| + | |
− | * TSK_INTERESTING_FILE
| + | |
− | * TSK_KEYWORD_SET
| + | |
− | * TSK_TAGGED_ARTIFACT
| + | |
− | * TSK_TAG_NAME
| + | |
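Review bot: the new revision keeps the sentence "This page lists the standard artifacts and what attributes should be defined with them" while the entire artifact list (TSK_WEB_BOOKMARK through TSK_REMOTE_DRIVE, the GEN_INFO examples and the "Deprecated since API 3.1" section) is removed, so the page now promises a catalog it no longer contains. Suggest rewording the retained text to match the redirect, e.g. "The standard artifacts and the attributes that should be defined with them are now catalogued at http://sleuthkit.org/sleuthkit/docs/jni-docs/latest/artifact_catalog_page.html". The removed links to the C++ and Java enum references and to http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html are also dropped without replacement; if the linked catalog page does not cover the API 3.1 deprecation notes (TSK_TAG_FILE, TSK_TAG_ARTIFACT, TSK_HASHSET_NAME, TSK_KEYWORD_SET and the other listed attributes), a one-line pointer to where that guidance now lives would keep existing module authors from relying on the deprecated types.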
The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them.