The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. For more details on the blackboard, refer to http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html.
This page lists general names of artifacts and attributes. Below are links to the specific C++ and Java references.
- C++ Artifacts
- C++ Attributes
- Java Artifacts
- Java Attributes
UPDATE THE ABOVE
- TSK_DATETIME (context of "Last Visit Date")
- TSK_DATETIME (context of "Date Added")
- TSK_NAME (to store assigned name and folder)
- TSK_DATETIME (context of "Creation Date")
- TSK_DATETIME (context of "Expiration Date"
- TSK_PATH (location saved to)
TSK_RECENT_OBJECT (MRU, recent docs, etc.)
- PROG_NAME (method of determining "Hashset", "Registry", etc. in context)
- TSK_KEYWORD (keyword that hit)
- TSK_REGEXP (regular expression that was used - if used)
- TSK_PREVIEW (40(?) chars of text before and after keyword hit)
- TSK_KEYWORD_SET (text name of a set that the keyword was part of)
General Information Artifact Examples
A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should
- Save the extracted text as a TEXT attribute in GEN_INFO
- Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
- Save the author as XX in GEN_INFO
- Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.
A module that analyzes a JPEG image file could:
- Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.
- TSK_CREDITCARD (ccv, etc in context)