Artifact Examples

From SleuthKitWiki
Revision as of 15:22, 6 January 2012 by Carrier (Talk | contribs)

Jump to: navigation, search

Artifact Examples

TSK_WEB_BOOKMARK

  • TSK_URL
  • TSK_DATETIME (context of "Last Visit Date")
  • TSK_DATETIME (context of "Date Added")
  • TSK_NAME (to store assigned name and folder)
  • TSK_PROG_NAME

TSK_WEB_COOKIE

  • TSK_URL
  • TSK_DATETIME (context of "Creation Date")
  • TSK_DATETIME (context of "Expiration Date"
  • TSK_NAME
  • TSK_VALUE
  • TSK_FLAG
  • TSK_PROG_NAME

TSK_WEB_HISTORY

  • TSK_URL
  • TSK_DATETIME
  • TSK_PROG_NAME

TSK_WEB_DOWNLOAD

  • TSK_URL
  • TSK_DATETIME
  • TSK_PATH (location saved to)

TSK_RECENT_OBJECT (MRU, recent docs, etc.)

  • TSK_PATH
  • TSK_DATETIME
  • TSK_PROG_NAME

TSK_TRACKPOINT

  • TSK_GEO
  • TSK_DATETIME

TSK_INSTALLED_PROG

  • PROG_NAME (method of determining "Hashset", "Registry", etc. in context)

TSK_KEYWORD_HIT

  • TSK_KEYWORD (keyword that hit)
  • TSK_REGEXP (regular expression that was used - if used)
  • TSK_PREVIEW (40(?) chars of text before and after keyword hit)
  • TSK_KEYWORD_SET (text name of a set that the keyword was part of)

General Information Artifact Examples

Word Document

A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should

  • Save the extracted text as a TEXT attribute in GEN_INFO
  • Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
  • Save the author as XX in GEN_INFO
  • Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.


JPEG File

A module that analyzes a JPEG image file could:

  • Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.

Other attributes

  • TSK_CREDITCARD (ccv, etc in context)
  • TSK_IP
  • TSK_PHONE_NUMBER