Difference between revisions of "Artifact Examples"

From SleuthKitWiki
Jump to: navigation, search
(Created page with "= Artifact Examples = Bookmark * URL * DATETIME * NAME/FOLDER * PROG_NAME Cookie * URL * DATETIME * NAME/VALUE * FLAG * PROG_NAME History * URL * DATETIME * PROG_NAME RecentO...")
 
Line 1: Line 1:
 
= Artifact Examples =  
 
= Artifact Examples =  
Bookmark
+
TSK_WEB_BOOKMARK
* URL
+
* TSK_URL
* DATETIME
+
* TSK_DATETIME (context of "Last Visit Date")
* NAME/FOLDER
+
* TSK_DATETIME (context of "Date Added")
* PROG_NAME
+
* TSK_NAME (to store assigned name and folder)
 +
* TSK_PROG_NAME
  
Cookie
+
TSK_WEB_COOKIE
* URL
+
* TSK_URL
* DATETIME
+
* TSK_DATETIME (context of "Creation Date")
* NAME/VALUE
+
* TSK_DATETIME (context of "Expiration Date"
* FLAG
+
* TSK_NAME
* PROG_NAME
+
* TSK_VALUE
 +
* TSK_FLAG
 +
* TSK_PROG_NAME
  
History
+
TSK_WEB_HISTORY
* URL
+
* TSK_URL
* DATETIME
+
* TSK_DATETIME
* PROG_NAME
+
* TSK_PROG_NAME
  
RecentObject
+
TSK_WEB_DOWNLOAD
* PATH
+
* TSK_URL
* PROG_NAME
+
* TSK_DATETIME
 +
* TSK_PATH  (location saved to)
  
TrackPoint
+
TSK_RECENT_OBJECT  (MRU, recent docs, etc.)
* GEO
+
* TSK_PATH
* DATETIME
+
* TSK_DATETIME
 +
* TSK_PROG_NAME
  
InstalledProgram
+
TSK_TRACKPOINT
* PROG_NAME  (source in context)   (XX: Perhaps these could all be stored in GEN_INFO if they are just single attribute)
+
* TSK_GEO
 +
* TSK_DATETIME
 +
 
 +
TSK_INSTALLED_PROG
 +
* PROG_NAME  (method of determining "Hashset", "Registry", etc. in context)
 +
 
 +
TSK_KEYWORD_HIT
 +
* TSK_KEYWORD (keyword that hit)
 +
* TSK_REGEXP (regular expression that was used - if used)
 +
* TSK_PREVIEW (40(?) chars of text before and after keyword hit)
 +
* TSK_KEYWORD_SET (text name of a set that the keyword was part of)
  
 
= General Information Artifact Examples =
 
= General Information Artifact Examples =
Line 42: Line 57:
 
A module that analyzes a JPEG image file could:
 
A module that analyzes a JPEG image file could:
 
* Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.
 
* Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.
 +
 +
= Other attributes =
 +
* TSK_CREDITCARD (ccv, etc in context)
 +
* TSK_IP
 +
* TSK_PHONE_NUMBER

Revision as of 15:22, 6 January 2012

Artifact Examples

TSK_WEB_BOOKMARK

  • TSK_URL
  • TSK_DATETIME (context of "Last Visit Date")
  • TSK_DATETIME (context of "Date Added")
  • TSK_NAME (to store assigned name and folder)
  • TSK_PROG_NAME

TSK_WEB_COOKIE

  • TSK_URL
  • TSK_DATETIME (context of "Creation Date")
  • TSK_DATETIME (context of "Expiration Date"
  • TSK_NAME
  • TSK_VALUE
  • TSK_FLAG
  • TSK_PROG_NAME

TSK_WEB_HISTORY

  • TSK_URL
  • TSK_DATETIME
  • TSK_PROG_NAME

TSK_WEB_DOWNLOAD

  • TSK_URL
  • TSK_DATETIME
  • TSK_PATH (location saved to)

TSK_RECENT_OBJECT (MRU, recent docs, etc.)

  • TSK_PATH
  • TSK_DATETIME
  • TSK_PROG_NAME

TSK_TRACKPOINT

  • TSK_GEO
  • TSK_DATETIME

TSK_INSTALLED_PROG

  • PROG_NAME (method of determining "Hashset", "Registry", etc. in context)

TSK_KEYWORD_HIT

  • TSK_KEYWORD (keyword that hit)
  • TSK_REGEXP (regular expression that was used - if used)
  • TSK_PREVIEW (40(?) chars of text before and after keyword hit)
  • TSK_KEYWORD_SET (text name of a set that the keyword was part of)

General Information Artifact Examples

Word Document

A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should

  • Save the extracted text as a TEXT attribute in GEN_INFO
  • Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
  • Save the author as XX in GEN_INFO
  • Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.


JPEG File

A module that analyzes a JPEG image file could:

  • Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.

Other attributes

  • TSK_CREDITCARD (ccv, etc in context)
  • TSK_IP
  • TSK_PHONE_NUMBER