The TSK blackboard organizes data into artifacts. This page lists the standard artifacts and what attributes should be defined with them. For more details on the blackboard, refer to http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html.
This page lists general names of artifacts and attributes. Below are links to the specific C++ and Java references.
- C++ Artifacts
- C++ Attributes
- Java Artifacts
- Java Attributes
- TSK_DATETIME (context of "Last Visit Date")
- TSK_DATETIME (context of "Date Added")
- TSK_NAME (to store assigned name and folder)
- TSK_DATETIME (context of "Creation Date")
- TSK_DATETIME (context of "Expiration Date")
- TSK_URL (Location file was downloaded from)
- TSK_DATETIME (time file was downloaded)
- TSK_PATH (location saved to)
TSK_RECENT_OBJECT (MRU, recent docs, etc.)
- TSK_PATH (path of recently accessed file)
- TSK_DATETIME (date of access, if known)
- TSK_PROG_NAME (program the access is associated with -- "Windows", "Word", etc.)
- PROG_NAME (method of determining "Hashset", "Registry", etc. in context)
- TSK_KEYWORD (keyword that hit)
- TSK_REGEXP (regular expression that was used - if used)
- TSK_PREVIEW (45 characters of text before and after the keyword hit)
- TSK_SET_NAME (text name of a set/list that the keyword was part of)
- TSK_SET_NAME (name or file name of hashset that hash was located in)
TSK_DEVICE_ATTACHED (for each time a known device was attached to the system, e.g. by USB device ID)
- TSK_DEVICE_ID (ID of attached device)
- TSK_DATETIME (Date that device was attached)
- TSK_PATH (mount point for device)
TSK_INTERESTING_FILE (for a file that was found by its name or another heuristic)
- TSK_SET_NAME (name of set that defined the rule that flagged this file)
General Information Artifact Examples
A module that analyzes a Microsoft Word file can pull text and metadata from the file. It should
- Save the extracted text as a TEXT attribute in GEN_INFO
- Save the last saved, printed, etc. dates as DATETIME attributes in GEN_INFO
- Save the author as XX in GEN_INFO
- Any images and embedded files that it can extract should be added to the central ImgDB as derived files and scheduled for processing.
A module that analyzes a JPEG image file could:
- Save the EXIF data as DATETIME and DEVICE attributes in GEN_INFO.
- TSK_CREDITCARD (CCV, etc., in context)
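The following is an added example written for this page; it is not the Sleuth Kit framework's own C++ or Java blackboard API. It models the artifact/attribute structure described above in memory (the Blackboard, Artifact and Attribute names are assumptions chosen for readability) and shows two toy modules posting to it: a keyword-search module that produces a TSK_KEYWORD_HIT-style artifact per match with the 45-character TSK_PREVIEW clipped at the buffer edges, and a document-metadata module that populates TSK_GEN_INFO with context-tagged TSK_DATETIME attributes, as in the Microsoft Word example. The sample text and document properties are constructed inline; the mapping of the author to TSK_NAME is an assumption, since the page leaves that attribute type unspecified.

```python
import re
from dataclasses import dataclass, field

# Illustration code for this page, not the TSK framework API. Attribute values
# are strings or epoch-second integers, mirroring the blackboard's typed values.

@dataclass
class Attribute:
    type_name: str          # e.g. "TSK_DATETIME"
    value: object
    context: str = ""       # disambiguates repeated types, e.g. "Last Visit Date"
    module: str = ""        # module that posted the attribute

@dataclass
class Artifact:
    type_name: str          # e.g. "TSK_KEYWORD_HIT"
    obj_id: int             # id of the file the artifact describes
    attributes: list = field(default_factory=list)

    def add(self, type_name, value, context="", module=""):
        self.attributes.append(Attribute(type_name, value, context, module))
        return self

    def get(self, type_name, context=""):
        """Return the first value of the given type and context, or None."""
        for a in self.attributes:
            if a.type_name == type_name and a.context == context:
                return a.value
        return None

class Blackboard:
    def __init__(self):
        self.artifacts = []

    def new_artifact(self, type_name, obj_id):
        art = Artifact(type_name, obj_id)
        self.artifacts.append(art)
        return art

    def by_type(self, type_name):
        return [a for a in self.artifacts if a.type_name == type_name]

PREVIEW_CHARS = 45  # characters of context kept on each side of a hit

def post_keyword_hits(bb, obj_id, text, set_name, keyword=None, regexp=None, module="kwsearch"):
    """Post one TSK_KEYWORD_HIT artifact per match. Either a literal keyword
    (matched case-insensitively) or a regular expression must be given; the
    preview window is clipped so a hit near the start or end of the buffer
    never indexes outside it."""
    if regexp is not None:
        pattern = re.compile(regexp)
    elif keyword:
        pattern = re.compile(re.escape(keyword), re.IGNORECASE)
    else:
        raise ValueError("keyword or regexp required")
    hits = []
    for m in pattern.finditer(text):
        start = max(0, m.start() - PREVIEW_CHARS)
        end = min(len(text), m.end() + PREVIEW_CHARS)
        art = bb.new_artifact("TSK_KEYWORD_HIT", obj_id)
        art.add("TSK_KEYWORD", m.group(0), module=module)
        if regexp is not None:
            art.add("TSK_REGEXP", regexp, module=module)
        art.add("TSK_PREVIEW", text[start:end], module=module)
        art.add("TSK_SET_NAME", set_name, module=module)
        hits.append(art)
    return hits

# Which document property lands in which TSK_DATETIME context (assumed labels).
DATE_CONTEXTS = (("modified", "Last Saved Date"),
                 ("lastPrinted", "Last Printed Date"),
                 ("created", "Creation Date"))

def post_document_info(bb, obj_id, core_props, module="docmeta"):
    """Map a Word document's core properties (a constructed dict in the shape
    an OOXML extractor would produce, dates as epoch seconds) onto a
    TSK_GEN_INFO artifact. Absent properties produce no attribute."""
    gen = bb.new_artifact("TSK_GEN_INFO", obj_id)
    for key, ctx in DATE_CONTEXTS:
        if core_props.get(key) is not None:
            gen.add("TSK_DATETIME", core_props[key], context=ctx, module=module)
    if core_props.get("creator"):
        # Assumption: the page leaves the author attribute type as "XX".
        gen.add("TSK_NAME", core_props["creator"], context="Author", module=module)
    if core_props.get("text"):
        gen.add("TSK_TEXT", core_props["text"], module=module)
    return gen

if __name__ == "__main__":
    bb = Blackboard()
    sample = "x" * 60 + "Password" + "y" * 60          # constructed buffer
    for hit in post_keyword_hits(bb, 7, sample, "credentials", keyword="password"):
        print(hit.get("TSK_KEYWORD"), len(hit.get("TSK_PREVIEW")))
    doc = post_document_info(bb, 8, {"modified": 1330819200, "creator": "alice",
                                     "text": "quarterly report"})
    print(doc.get("TSK_DATETIME", "Last Saved Date"), doc.get("TSK_NAME", "Author"))
```

Because repeated TSK_DATETIME attributes on one artifact are told apart only by their context string, a consumer must query by type and context together, as `get` does; querying by type alone would silently return whichever date was posted first.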