From 965a7bd0ced39ce9a79f4392b69d3c35ae931d54 Mon Sep 17 00:00:00 2001 From: Ann Priestman <apriestman@basistech.com> Date: Thu, 9 Jan 2020 09:10:33 -0500 Subject: [PATCH] Updated catalog --- bindings/java/doxygen/artifact_catalog.dox | 149 +++++++++------------ bindings/java/doxygen/blackboard.dox | 5 +- 2 files changed, 67 insertions(+), 87 deletions(-) diff --git a/bindings/java/doxygen/artifact_catalog.dox b/bindings/java/doxygen/artifact_catalog.dox index 3edf69615..a5294ab41 100644 --- a/bindings/java/doxygen/artifact_catalog.dox +++ b/bindings/java/doxygen/artifact_catalog.dox @@ -359,7 +359,7 @@ Indication that the source file matches some set of criteria (possibly user defi - TSK_SET_NAME (The name of the set of criteria which deemed this file interesting) ### OPTIONAL ATTRIBUTES -- TSK_COMMENT (Comment on the reason that the source artifact is interesting)= +- TSK_COMMENT (Comment on the reason that the source artifact is interesting) - TSK_CATEGORY (The set membership rule that was satisfied. I.e. a particular mime) @@ -404,12 +404,10 @@ A message that is found in some content. --- ## TSK_METADATA +General metadata for some content. - - ---- -## TSK_USER_CONTENT_SUSPECTED - +### REQUIRED ATTRIBUTES +None @@ -494,17 +492,16 @@ The number of times a program/application was run. ### REQUIRED ATTRIBUTES - TSK_PROG_NAME (Name of the application) -- TSK_COUNT (Number of times program was run, should be atleast 1) +- TSK_COUNT (Number of times program was run, should be at least 1) ### OPTIONAL ATTRIBUTES -- TSK_ASSOCIATED_ARTIFACT - TSK_DATETIME (Timestamp that application was run last, in seconds since 1970-01-01T00:00:00Z) --- ## TSK_RECENT_OBJECT -Indicates recently accessed content. Example: Recent Documents or Recent Downloads. +Indicates recently accessed content. Examples: Recent Documents or Recent Downloads menu items on Windows. ### REQUIRED ATTRIBUTES - TSK_PATH (Path to the recent object content in the data source) 
@@ -527,7 +524,7 @@ Details about a remote drive found in the data source. - TSK_REMOTE_PATH (Fully qualified UNC path to the remote drive) ### OPTIONAL ATTRIBUTES -- TSK_LOCAL_PATH (The local path of this remote drive. This path may be mapped, ex. �D:/' or �F:/') +- TSK_LOCAL_PATH (The local path of this remote drive. This path may be mapped, e.g., 'D:/' or 'F:/') 
@@ -536,62 +533,57 @@ Details about a remote drive found in the data source. An application or web user account. ### REQUIRED ATTRIBUTES -- TSK_PROG_NAME (The name of the service, i.e. Netflix) +- TSK_PROG_NAME (The name of the service, e.g., Netflix) - TSK_USER_ID (User ID of the service account) ### OPTIONAL ATTRIBUTES -- TSK_CATEGORY (Type of service. I.e. Web, TV, Messaging) -- TSK_DATETIME_CREATED (Timestamp that this service account was created, in seconds since 1970-01-01T00:00:00Z) +- TSK_CATEGORY (Type of service, e.g., Web, TV, Messaging) +- TSK_DATETIME_CREATED (When this service account was created, in seconds since 1970-01-01T00:00:00Z) - TSK_DESCRIPTION (Name of the mailbox, if this is an email account) -- TSK_DOMAIN +- TSK_DOMAIN (The sign on realm) - TSK_EMAIL_REPLYTO (Email reply to address, if this is an email account) - TSK_NAME (Display name of the user account) - TSK_PASSWORD (Password of the service account) - TSK_PATH (Path to the application installation, if it is local) - TSK_SERVER_NAME (Name of the mail server, if this is an email account) -- TSK_URL (Url of the service, if the service is web based) -- TSK_URL_DECODED +- TSK_URL (URL of the service, if the service is a Web service) +- TSK_URL_DECODED (Decoded URL of the service, if the service is a Web service) - TSK_USER_NAME (User name of the service account) --- ## TSK_SIM_ATTACHED -Details about a SIM card that was physically attached to the device. This event may be stored by an application or OS. +Details about a SIM card that was physically attached to the device. ### REQUIRED ATTRIBUTES - At least one of: - TSK_ICCID (ICCID number of this SIM card) - TSK_IMSI (IMSI number of this SIM card) -### OPTIONAL ATTRIBUTES -- None. - --- ## TSK_SPEED_DIAL_ENTRY -A speed dial entry found in an application, file or database. +A speed dial entry. 
### REQUIRED ATTRIBUTES - TSK_PHONE_NUMBER (Phone number of the speed dial entry) ### OPTIONAL ATTRIBUTES - TSK_NAME_PERSON (Contact name of the speed dial entry) -- TSK_SHORTCUT (Keystroke shortcut) +- TSK_SHORTCUT (Keyboard shortcut) --- ## TSK_TL_EVENT -A special case artifact intended to be used by the Timeline UI. +An event in the timeline of a case. ### REQUIRED ATTRIBUTES -- TSK_TL_EVENT_TYPE (The type of the event, e.g., -- TSK_DATETIME (The time - -### OPTIONAL ATTRIBUTES -- TSK_DESCRIPTION ? +- TSK_TL_EVENT_TYPE (The type of the event, e.g., aTimelineEventType) +- TSK_DATETIME (When the event occurred, in seconds since 1970-01-01T00:00:00Z) +- TSK_DESCRIPTION (A description of the event) @@ -600,10 +592,7 @@ A special case artifact intended to be used by the Timeline UI. An indication that some media file content was generated by the user. ### REQUIRED ATTRIBUTES -- TSK_DESCRIPTION (Description of the entry, such as a note) - -### OPTIONAL ATTRIBUTES -- None. +- TSK_COMMENT (The reason why user-generated content is suspected) @@ -614,14 +603,11 @@ An indication that some data did not pass verification. One example would be ver ### REQUIRED ATTRIBUTES - TSK_COMMENT (Reason for failure, what failed) -### OPTIONAL ATTRIBUTES -- None. - --- ## TSK_WEB_BOOKMARK -A web bookmark entry found in an application, file or database. +A web bookmark entry. ### REQUIRED ATTRIBUTES - TSK_URL (Bookmarked URL) 
@@ -637,49 +623,49 @@ A web bookmark entry found in an application, file or database. --- ## TSK_WEB_CACHE -A web cache entry found in an application, file or database. The resource that was cached may or may not be present in the data source. +A web cache entry. The resource that was cached may or may not be present in the data source. ### REQUIRED ATTRIBUTES - TSK_PATH (Path to the source cache file. There are typically many cache files which each contain many cached resources) - TSK_URL (URL of the resource cached in this entry) ### OPTIONAL ATTRIBUTES -- TSK_DATETIME_CREATED (Creation date of the cache entry) -- TSK_HEADERS (HTTP Headers on cache entry) -- TSK_PATH_ID (Object id of the source cache file) +- TSK_DATETIME_CREATED (Creation date of the cache entry, in seconds since 1970-01-01T00:00:00Z) +- TSK_HEADERS (HTTP headers on cache entry) +- TSK_PATH_ID (Object ID of the source cache file) --- ## TSK_WEB_COOKIE -A web cookie found in an application, file or database. +A Web cookie found. ### REQUIRED ATTRIBUTES - TSK_URL (Source URL of the web cookie) -- TSK_NAME (The web cookie name attribute, ex. 
sessionToken) -- TSK_VALUE (The web cookie value attribute) +- TSK_NAME (The Web cookie name attribute, e.g., sessionToken) +- TSK_VALUE (The Web cookie value attribute) ### OPTIONAL ATTRIBUTES -- TSK_DATETIME_CREATED (Datetime this web cookie was created, in seconds since 1970-01-01T00:00:00Z) -- TSK_DATETIME_END (Expiration datetime of the web cookie, in seconds since 1970-01-01T00:00:00Z) -- TSK_DATETIME_START (Datetime this web cookie session was started, in seconds since 1970-01-01T00:00:00Z) -- TSK_DOMAIN (The domain this web cookie serves) -- TSK_PROG_NAME (Name of the application or application extractor that stored this web cookie) -- TSK_PATH (Path to the file containing the web cookie in the data source) +- TSK_DATETIME_CREATED (Datetime the Web cookie was created, in seconds since 1970-01-01T00:00:00Z) +- TSK_DATETIME_START (Datetime the Web cookie session was started, in seconds since 1970-01-01T00:00:00Z) +- TSK_DATETIME_END (Expiration datetime of the Web cookie, in seconds since 1970-01-01T00:00:00Z) +- TSK_DOMAIN (The domain the Web cookie serves) +- TSK_PROG_NAME (Name of the application or application extractor that stored the Web cookie) +- TSK_PATH (Path to the file containing the Web cookie in the data source) --- ## TSK_WEB_DOWNLOAD -A web download entry found in an application, file or database. The downloaded resource may or may not be present in the data source. +A Web download. The downloaded resource may or may not be present in the data source. 
### REQUIRED ATTRIBUTES - TSK_URL (URL that hosts this downloaded resource) ### OPTIONAL ATTRIBUTES - TSK_DATETIME_ACCESSED (Last accessed timestamp, in seconds since 1970-01-01T00:00:00Z) -- TSK_DOMAIN (Domain that hosted this downloaded resource) -- TSK_PATH_ID (ID of the file instance in the data source) +- TSK_DOMAIN (Domain that hosted the downloaded resource) +- TSK_PATH_ID (Object ID of the file instance in the data source) - TSK_PATH (Path to the downloaded resource in the datasource) - TSK_PROG_NAME (Name of the application or application extractor that downloaded this resource) 
@@ -687,24 +673,24 @@ A web download entry found in an application, file or database. The downloaded r --- ## TSK_WEB_FORM_ADDRESS -Contains autofill data for a person's address. Form data is usually saved by a web browser. +Contains autofill data for a person's address. Form data is usually saved by a Web browser. ### REQUIRED ATTRIBUTES -- TSK_LOCATION (The address of the person. Ex: 123 Main St.) +- TSK_LOCATION (The address of the person, e.g., 123 Main St.) ### OPTIONAL ATTRIBUTES -- TSK_COUNT (Number of times this web form data was used) -- TSK_DATETIME_ACCESSED (Last accessed timestamp of this web form data, in seconds since 1970-01-01T00:00:00Z) -- TSK_DATETIME_MODIFIED (Last modified timestamp of this web form data, in seconds since 1970-01-01T00:00:00Z) -- TSK_EMAIL (Email of the person that this address is associated with) -- TSK_NAME_PERSON (Name of the person that this address is associated with) -- TSK_PHONE_NUMBER (Phone number of the person that this address is associated with) +- TSK_COUNT (Number of times the Web form data was used) +- TSK_DATETIME_ACCESSED (Last accessed timestamp of the Web form data, in seconds since 1970-01-01T00:00:00Z) +- TSK_DATETIME_MODIFIED (Last modified timestamp of the Web form data, in seconds since 1970-01-01T00:00:00Z) +- TSK_EMAIL (Email address from the form data) +- TSK_NAME_PERSON (Name of a person from the form data) +- TSK_PHONE_NUMBER (Phone number from the form data) --- ## TSK_WEB_FORM_AUTOFILL -Contains autofill data for a web form. Form data is usually saved by a web browser. Each field value pair in the form should be stored in seperate artifacts. +Contains autofill data for a Web form. Form data is usually saved by a Web browser. Each field value pair in the form should be stored in separate artifacts. ### REQUIRED ATTRIBUTES - One pair of: 
@@ -712,67 +698,64 @@ Contains autofill data for a web form. Form data is usually saved by a web brows - TSK_VALUE (Value of the autofill field) ### OPTIONAL ATTRIBUTES -- TSK_COUNT (Number of times this web form data has been used) -- TSK_DATETIME_ACCESSED (Datetime this web form data was last accessed, in seconds since 1970-01-01T00:00:00Z) -- TSK_DATETIME_CREATED (Datetime this web form autofill data was created, in seconds since 1970-01-01T00:00:00Z) +- TSK_COUNT (Number of times this Web form data has been used) +- TSK_DATETIME_CREATED (Datetime this Web form autofill data was created, in seconds since 1970-01-01T00:00:00Z) +- TSK_DATETIME_ACCESSED (Datetime this Web form data was last accessed, in seconds since 1970-01-01T00:00:00Z) --- ## TSK_WEB_HISTORY -A web history entry in an application, file or database. This indicates that the device or some user visited the web page. +A Web history entry. ### REQUIRED ATTRIBUTES -- TSK_URL (The visited URL) +- TSK_URL (The URL) ### OPTIONAL ATTRIBUTES -- TSK_DATETIME_ACCESSED (The datetime this URL was accessed, in seconds since 1970-01-01T00:00:00Z) +- TSK_DATETIME_ACCESSED (The datetime the URL was accessed, in seconds since 1970-01-01T00:00:00Z) - TSK_DOMAIN (The domain name of the URL) -- TSK_PROG_NAME (The application or application extractor that stored this web history entry) -- TSK_REFERRER (The URL of the web page that linked to this page) -- TSK_TITLE (Title of the web page that was visited) -- TSK_URL_DECODED -- TSK_USER_NAME (Name of the user that viewed the web page) +- TSK_PROG_NAME (The application or application extractor that stored this Web history entry) +- TSK_REFERRER (The URL of a Web page that linked to the page) +- TSK_TITLE (Title of the Web page that was visited) +- TSK_URL_DECODED (The decoded URL) +- TSK_USER_NAME (Name of the user that viewed the Web page) --- ## TSK_WEB_SEARCH_QUERY -Details about a web search query that was found in an application, file or database. 
+Details about a Web search query. ### REQUIRED ATTRIBUTES - TSK_TEXT (Web search query text) ### OPTIONAL ATTRIBUTES -- TSK_DATETIME_ACCESSED (The datetime this web search query was last used, in seconds since 1970-01-01T00:00:00Z) +- TSK_DATETIME_ACCESSED (When the Web search query was last used, in seconds since 1970-01-01T00:00:00Z) - TSK_DOMAIN (Domain of the search engine used to execute the query) -- TSK_PROG_NAME (Application or application extractor that stored the web search query) +- TSK_PROG_NAME (Application or application extractor that stored the Web search query) --- ## TSK_WIFI_NETWORK -Details about a WiFi network. These may be stored by an application or OS upon connection. +Details about a WiFi network. ### REQUIRED ATTRIBUTES -- TSK_SSID (The name of the wifi network) +- TSK_SSID (The name of the WiFi network) ### OPTIONAL ATTRIBUTES -- TSK_DATETIME (Timestamp about this WiFi network, in seconds since 1970-01-01T00:00:00Z. This timestamp could be last connected time or creation time) -- TSK_DEVICE_ID (String that uniquely identifies the wifi network) +- TSK_DATETIME (Timestamp, in seconds since 1970-01-01T00:00:00Z. This timestamp could be last connected time or creation time) +- TSK_DEVICE_ID (String that uniquely identifies the WiFi network) --- ## TSK_WIFI_NETWORK_ADAPTER -Details about a WiFi adapter. These may be stored by an application or OS. +Details about a WiFi adapter. ### REQUIRED ATTRIBUTES - TSK_MAC_ADDRESS (Mac address of the adapter) -### OPTIONAL ATTRIBUTES -- None. - diff --git a/bindings/java/doxygen/blackboard.dox b/bindings/java/doxygen/blackboard.dox index fdf1efda5..7fb38c757 100644 --- a/bindings/java/doxygen/blackboard.dox +++ b/bindings/java/doxygen/blackboard.dox 
@@ -18,10 +18,7 @@ The second special type of artifact is the TSK_ASSOCIATED_OBJECT. All artifacts \section jni_bb_access Accessing the Blackboard -Java modules can access the blackboard from either org.sleuthkit.datamodel.SleuthkitCase or a org.sleuthkit.datamodel.Content object. The methods associated with org.sleuthkit.datamodel.Content all limit the Blackboard to a specific file. - -Refer to the <a href="http://wiki.sleuthkit.org/index.php?title=Artifact_Examples">artifact examples wiki page</a> for artifact and attribute combinations that are commonly used. - +Java modules can access the blackboard from either org.sleuthkit.datamodel.SleuthkitCase or a org.sleuthkit.datamodel.Content object. The methods associated with org.sleuthkit.datamodel.Content all limit the Blackboard to a specific file. \subsection jni_bb_access_post Posting to the Blackboard -- GitLab
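Review bot: In the TSK_METADATA hunk (@@ -404,12 +404,10 @@ of artifact_catalog.dox), "General metadata for some content." does not tell a module author when to post this artifact rather than a more specific one. With required attributes listed as "None", the entry gives no guidance on what an instance should carry. Add a sentence on the intended use. The bare "None" also differs from the "- None." list items that the later hunks delete, so settle on one convention for empty sections.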
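Review bot: In the TSK_PROG_RUN hunk (@@ -494,17 +492,16 @@), TSK_ASSOCIATED_ARTIFACT is removed from the optional attributes without explanation, and the commit message "Updated catalog" does not cover it. If modules should no longer attach it to this artifact type, say so in the entry or the commit message. If it is still accepted, keep it in the list with a description. The same hunk narrows TSK_RECENT_OBJECT to "menu items on Windows"; confirm that the artifact is not also posted for other platforms before documenting it that way.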
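Review bot: In the TSK_TL_EVENT part of the @@ -536,62 +533,57 @@ hunk, the example in "TSK_TL_EVENT_TYPE (The type of the event, e.g., aTimelineEventType)" reads as a placeholder rather than a value a reader could use. Replace it with a concrete event type or a pointer to where the types are defined. The hunk also moves TSK_DESCRIPTION from an optional entry marked "?" to the required list. Please confirm that is the intended contract, since the earlier text shows it was uncertain. Earlier in the same hunk, "TSK_DOMAIN (The sign on realm)" would be clearer hyphenated as "sign-on", with a short example.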
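Review bot: In the @@ -600,10 +592,7 @@ hunk, the required attribute for the user-generated content artifact changes from TSK_DESCRIPTION to TSK_COMMENT. That changes the documented contract and is not just a wording fix. State in the commit message which attribute existing modules actually post. Anyone who wrote a module or a report query against the old text would otherwise look for the wrong attribute.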
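Review bot: In the @@ -637,49 +623,49 @@ hunk, the new TSK_WEB_COOKIE description "A Web cookie found." is a fragment left over from trimming "found in an application, file or database". It should read "A Web cookie." to match "A Web download." The capitalisation is also inconsistent within this hunk: "A web cache entry." is added in lowercase and the context line "Source URL of the web cookie" is untouched, while the other added lines use "Web". Pick one and apply it to every line the hunk touches.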
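Review bot: In the TSK_WEB_HISTORY part of the @@ -712,67 +698,64 @@ hunk, "TSK_URL (The URL)" says nothing beyond the attribute name. The description also loses "This indicates that the device or some user visited the web page", which was the only statement of what the artifact means as evidence. Keep "The visited URL", or restore one sentence on what a history entry indicates. In the TSK_WIFI_NETWORK_ADAPTER part, the context line "Mac address of the adapter" could be corrected to "MAC address" while the surrounding WiFi capitalisation is being standardised.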
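Review bot: In the blackboard.dox hunk (@@ -18,10 +18,7 @@), the pointer to the artifact examples wiki page is deleted with nothing in its place. The "Accessing the Blackboard" section therefore no longer tells readers where to find which artifact and attribute combinations to use. Since this patch updates artifact_catalog.dox for that purpose, add a sentence here referring to the artifact catalog page. The remaining change to the "Java modules can access the blackboard ..." line appears to be whitespace only; if so, drop it from the patch to keep the diff minimal.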