|
|
(21 intermediate revisions by 6 users not shown) |
Line 1: |
Line 1: |
− | The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. For more details on the blackboard, refer to [http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html]. | + | The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. |
| | | |
− | This page lists general names of artifacts and attributes. Below are links to the specific C++ and Java references.
| + | It has been moved to here: http://sleuthkit.org/sleuthkit/docs/jni-docs/latest/artifact_catalog_page.html |
− | * [http://sleuthkit.org/sleuthkit/docs/framework-docs/TskBlackboard_8h.html#aac7b5d32c4b75d65468bbd1e0cb11a44 C++ Artifacts]
| + | |
− | * [http://sleuthkit.org/sleuthkit/docs/framework-docs/TskBlackboard_8h.html#a133dead0ca74c17235430e12789258f4 C++ Attributes]
| + | |
− | * [http://www.sleuthkit.org/sleuthkit/docs/javadocs/org/sleuthkit/datamodel/BlackboardArtifact.ARTIFACT_TYPE.html Java Artifacts] (note that the C++ code has the full description of the artifacts)
| + | |
− | * [http://www.sleuthkit.org/sleuthkit/docs/javadocs/org/sleuthkit/datamodel/BlackboardAttribute.ATTRIBUTE_TYPE.html Java Attributes] (note that the C++ code has the full description of the attributes)
| + | |
− | | + | |
− | = Artifact Examples =
| + | |
− | | + | |
− | TSK_WEB_BOOKMARK
| + | |
− | * TSK_URL
| + | |
− | * TSK_DATETIME (context of "Last Visit Date")
| + | |
− | * TSK_DATETIME (context of "Date Added")
| + | |
− | * TSK_NAME (to store assigned name and folder)
| + | |
− | * TSK_PROG_NAME (browser this came from)
| + | |
− | * TSK_TITLE (Title of webpage)
| + | |
− | | + | |
− | TSK_WEB_COOKIE
| + | |
− | * TSK_URL
| + | |
− | * TSK_DATETIME (context of "Creation Date")
| + | |
− | * TSK_DATETIME (context of "Expiration Date"
| + | |
− | * TSK_NAME
| + | |
− | * TSK_VALUE
| + | |
− | * TSK_FLAG
| + | |
− | * TSK_PROG_NAME (browser this came from)
| + | |
− | | + | |
− | TSK_WEB_HISTORY
| + | |
− | * TSK_URL
| + | |
− | * TSK_DATETIME
| + | |
− | * TSK_PROG_NAME (browser this came from)
| + | |
− | * TSK_REFERRER
| + | |
− | * TSK_USERNAME
| + | |
− | * TSK_TITLE (title of webpage)
| + | |
− | | + | |
− | TSK_WEB_DOWNLOAD
| + | |
− | * TSK_URL (Location file was downloaded from)
| + | |
− | * TSK_DATETIME (time file was downloaded)
| + | |
− | * TSK_PATH (location saved to)
| + | |
− | | + | |
− | TSK_RECENT_OBJECT (MRU, recent docs, etc.)
| + | |
− | * TSK_PATH (path of recently accessed file)
| + | |
− | * TSK_DATETIME (date of access, if known)
| + | |
− | * TSK_PROG_NAME (program that access is associated with -- "Windows", "Word", etc.)
| + | |
− | | + | |
− | TSK_TRACKPOINT
| + | |
− | * TSK_GEO_LATITUDE
| + | |
− | * TSK_GEO_LONGITUDE
| + | |
− | * TSK_GEO_* (other geo-related attributes as needed and available)
| + | |
− | * TSK_DATETIME
| + | |
− | | + | |
− | TSK_INSTALLED_PROG
| + | |
− | * PROG_NAME (method of determining "Hashset", "Registry", etc. in context)
| + | |
− | | + | |
− | TSK_KEYWORD_HIT
| + | |
− | * TSK_KEYWORD (keyword that hit)
| + | |
− | * TSK_REGEXP (regular expression that was used - if used)
| + | |
− | * TSK_PREVIEW (45 chars of text before and after keyword hit)
| + | |
− | * TSK_SET_NAME (text name of a set/list that the keyword was part of)
| + | |
− | | + | |
− | TSK_HASHSET_HIT
| + | |
− | * TSK_SET_NAME (name or file name of hashset that hash was located in)
| + | |
− | | + | |
− | TSK_DEVICE_ATTACHED (for each time that a known device was attached to system USB ID, for example)
| + | |
− | * TSK_DEVICE_ID (ID of attached device)
| + | |
− | * TSK_DATETIME (Date that device was attached)
| + | |
− | * TSK_PATH (mount point for device)
| + | |
− | | + | |
− | TSK_INTERESTING_FILE (for a file that was found by it's name or other heuristic)
| + | |
− | * TSK_SET_NAME (name of set that defined the rule that flagged this file)
| + | |
− | | + | |
− | TSK_EMAIL_MSG (for an e-mail message that was found)
| + | |
− | * TSK_EMAIL_TO
| + | |
− | * TSK_EMAIL_CC
| + | |
− | * TSK_EMAIL_BCC
| + | |
− | * TSK_EMAIL_FROM
| + | |
− | * TSK_SUBJECT
| + | |
− | * TSK_EMAIL_CONTENT_* (message body. Use specific attribute for HTML, PlainText, or RTF. Use multiple content attributes if the message has both plain text and HTML)
| + | |
− | * TSK_DATETIME_RCVD
| + | |
− | * TSK_DATETIME_SENT
| + | |
− | * TSK_MSG_ID
| + | |
− | * TSK_MSG_REPLY_ID
| + | |
− | | + | |
− | | + | |
− | = General Information Artifact Examples =
| + | |
− | | + | |
− | == Word Document ==
| + | |
− | A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should
| + | |
− | * Save the extracted text as a TEXT attribute in GEN_INFO
| + | |
− | * Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
| + | |
− | * Save the author as XX in GEN_INFO
| + | |
− | * Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.
| + | |
− | | + | |
− | | + | |
− | == JPEG File ==
| + | |
− | A module that analyzes a JPEG image file could:
| + | |
− | * Save the EXIF data (DATETIME, DEVICE, GEO) as attributes in GEN_INFO.
| + | |
The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them.