@@ -359,7 +359,7 @@ Indication that the source file matches some set of criteria (possibly user defi
- TSK_SET_NAME (The name of the set of criteria which deemed this file interesting)
### OPTIONAL ATTRIBUTES
- TSK_COMMENT (Comment on the reason that the source artifact is interesting)=
- TSK_COMMENT (Comment on the reason that the source artifact is interesting)
- TSK_CATEGORY (The set membership rule that was satisfied. I.e. a particular mime)
...
...
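Review bot: TSK_CATEGORY, on the line directly below the corrected TSK_COMMENT, still reads "I.e. a particular mime", where an example is meant rather than a restatement. This patch changes the same wording to "e.g.," for TSK_PROG_NAME and TSK_CATEGORY in the user account section, so this line should follow, for instance "(The set membership rule that was satisfied, e.g., a particular MIME type)".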
@@ -404,12 +404,10 @@ A message that is found in some content.
---
## TSK_METADATA
General metadata for some content.
---
## TSK_USER_CONTENT_SUSPECTED
### REQUIRED ATTRIBUTES
None
...
...
@@ -494,17 +492,16 @@ The number of times a program/application was run.
### REQUIRED ATTRIBUTES
- TSK_PROG_NAME (Name of the application)
- TSK_COUNT (Number of times program was run, should be atleast 1)
- TSK_COUNT (Number of times program was run, should be atleast 1)
### OPTIONAL ATTRIBUTES
- TSK_ASSOCIATED_ARTIFACT
- TSK_DATETIME (Timestamp that application was run last, in seconds since 1970-01-01T00:00:00Z)
---
## TSK_RECENT_OBJECT
Indicates recently accessed content. Example: Recent Documents or Recent Downloads.
Indicates recently accessed content. Examples: Recent Documents or Recent Downloads menu items on Windows.
### REQUIRED ATTRIBUTES
- TSK_PATH (Path to the recent object content in the data source)
...
...
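Review bot: the TSK_COUNT line is touched in this hunk but still says "atleast"; it should read "should be at least 1". TSK_ASSOCIATED_ARTIFACT, directly below it, is the only attribute in the hunk with no description in parentheses and should get one.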
@@ -527,7 +524,7 @@ Details about a remote drive found in the data source.
- TSK_REMOTE_PATH (Fully qualified UNC path to the remote drive)
### OPTIONAL ATTRIBUTES
- TSK_LOCAL_PATH (The local path of this remote drive. This path may be mapped, ex. D:/' or F:/')
- TSK_LOCAL_PATH (The local path of this remote drive. This path may be mapped, e.g., 'D:/' or 'F:/')
...
...
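Review bot: in the new TSK_LOCAL_PATH text, the examples 'D:/' and 'F:/' are written with forward slashes, while TSK_REMOTE_PATH above is described as a fully qualified UNC path. Say whether the local path is stored as found on the system or normalized to forward slashes, so that modules comparing paths know which form to expect.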
@@ -536,62 +533,57 @@ Details about a remote drive found in the data source.
An application or web user account.
### REQUIRED ATTRIBUTES
- TSK_PROG_NAME (The name of the service, i.e. Netflix)
- TSK_PROG_NAME (The name of the service, e.g., Netflix)
- TSK_USER_ID (User ID of the service account)
### OPTIONAL ATTRIBUTES
- TSK_CATEGORY (Type of service. I.e. Web, TV, Messaging)
- TSK_DATETIME_CREATED (Timestamp that this service account was created, in seconds since 1970-01-01T00:00:00Z)
- TSK_CATEGORY (Type of service, e.g., Web, TV, Messaging)
- TSK_DATETIME_CREATED (When this service account was created, in seconds since 1970-01-01T00:00:00Z)
- TSK_DESCRIPTION (Name of the mailbox, if this is an email account)
- TSK_DOMAIN
- TSK_DOMAIN (The sign on realm)
- TSK_EMAIL_REPLYTO (Email reply to address, if this is an email account)
- TSK_NAME (Display name of the user account)
- TSK_PASSWORD (Password of the service account)
- TSK_PATH (Path to the application installation, if it is local)
- TSK_SERVER_NAME (Name of the mail server, if this is an email account)
- TSK_URL (Url of the service, if the service is web based)
- TSK_URL_DECODED
- TSK_URL (URL of the service, if the service is a Web service)
- TSK_URL_DECODED (Decoded URL of the service, if the service is a Web service)
- TSK_USER_NAME (User name of the service account)
---
## TSK_SIM_ATTACHED
Details about a SIM card that was physically attached to the device. This event may be stored by an application or OS.
Details about a SIM card that was physically attached to the device.
### REQUIRED ATTRIBUTES
- At least one of:
- TSK_ICCID (ICCID number of this SIM card)
- TSK_IMSI (IMSI number of this SIM card)
### OPTIONAL ATTRIBUTES
- None.
---
## TSK_SPEED_DIAL_ENTRY
A speed dial entry found in an application, file or database.
A speed dial entry.
### REQUIRED ATTRIBUTES
- TSK_PHONE_NUMBER (Phone number of the speed dial entry)
### OPTIONAL ATTRIBUTES
- TSK_NAME_PERSON (Contact name of the speed dial entry)
- TSK_SHORTCUT (Keystroke shortcut)
- TSK_SHORTCUT (Keyboard shortcut)
---
## TSK_TL_EVENT
A special case artifact intended to be used by the Timeline UI.
An event in the timeline of a case.
### REQUIRED ATTRIBUTES
- TSK_TL_EVENT_TYPE (The type of the event, e.g.,
- TSK_DATETIME (The time
### OPTIONAL ATTRIBUTES
- TSK_DESCRIPTION ?
- TSK_TL_EVENT_TYPE (The type of the event, e.g., aTimelineEventType)
- TSK_DATETIME (When the event occurred, in seconds since 1970-01-01T00:00:00Z)
- TSK_DESCRIPTION (A description of the event)
...
...
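Review bot: the new TSK_TL_EVENT_TYPE description ends in "e.g., aTimelineEventType", which reads like a placeholder or a lost cross-reference rather than an example value; name the type the value comes from or give one real value. In the same section, TSK_DESCRIPTION appears once under OPTIONAL ATTRIBUTES with a "?" and once directly after TSK_DATETIME, so make sure the final text states plainly whether it is required or optional. Separately, TSK_PASSWORD in the account section would benefit from saying in what form the value is stored (as recovered, or hashed), since that affects how the artifact should be handled.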
@@ -600,10 +592,7 @@ A special case artifact intended to be used by the Timeline UI.
An indication that some media file content was generated by the user.
### REQUIRED ATTRIBUTES
- TSK_DESCRIPTION (Description of the entry, such as a note)
### OPTIONAL ATTRIBUTES
- None.
- TSK_COMMENT (The reason why user-generated content is suspected)
...
...
@@ -614,14 +603,11 @@ An indication that some data did not pass verification. One example would be ver
### REQUIRED ATTRIBUTES
- TSK_COMMENT (Reason for failure, what failed)
### OPTIONAL ATTRIBUTES
- None.
---
## TSK_WEB_BOOKMARK
A web bookmark entry found in an application, file or database.
A web bookmark entry.
### REQUIRED ATTRIBUTES
- TSK_URL (Bookmarked URL)
...
...
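Review bot: the replacement description "A web bookmark entry." keeps lowercase "web", while later sections in this patch switch to "Web" ("A Web cookie found.", "A Web history entry."). Pick one capitalization and apply it to every section the patch touches.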
@@ -637,49 +623,49 @@ A web bookmark entry found in an application, file or database.
---
## TSK_WEB_CACHE
A web cache entry found in an application, file or database. The resource that was cached may or may not be present in the data source.
A web cache entry. The resource that was cached may or may not be present in the data source.
### REQUIRED ATTRIBUTES
- TSK_PATH (Path to the source cache file. There are typically many cache files which each contain many cached resources)
- TSK_URL (URL of the resource cached in this entry)
### OPTIONAL ATTRIBUTES
- TSK_DATETIME_CREATED (Creation date of the cache entry)
- TSK_HEADERS (HTTP Headers on cache entry)
- TSK_PATH_ID (Object id of the source cache file)
- TSK_DATETIME_CREATED (Creation date of the cache entry, in seconds since 1970-01-01T00:00:00Z)
- TSK_HEADERS (HTTP headers on cache entry)
- TSK_PATH_ID (Object ID of the source cache file)
---
## TSK_WEB_COOKIE
A web cookie found in an application, file or database.
A Web cookie found.
### REQUIRED ATTRIBUTES
- TSK_URL (Source URL of the web cookie)
- TSK_NAME (The web cookie name attribute, ex. sessionToken)
- TSK_VALUE (The web cookie value attribute)
- TSK_NAME (The Web cookie name attribute, e.g., sessionToken)
- TSK_VALUE (The Web cookie value attribute)
### OPTIONAL ATTRIBUTES
- TSK_DATETIME_CREATED (Datetime this web cookie was created, in seconds since 1970-01-01T00:00:00Z)
- TSK_DATETIME_END (Expiration datetime of the web cookie, in seconds since 1970-01-01T00:00:00Z)
- TSK_DATETIME_START (Datetime this web cookie session was started, in seconds since 1970-01-01T00:00:00Z)
- TSK_DOMAIN (The domain this web cookie serves)
- TSK_PROG_NAME (Name of the application or application extractor that stored this web cookie)
- TSK_PATH (Path to the file containing the web cookie in the data source)
- TSK_DATETIME_CREATED (Datetime the Web cookie was created, in seconds since 1970-01-01T00:00:00Z)
- TSK_DATETIME_START (Datetime the Web cookie session was started, in seconds since 1970-01-01T00:00:00Z)
- TSK_DATETIME_END (Expiration datetime of the Web cookie, in seconds since 1970-01-01T00:00:00Z)
- TSK_DOMAIN (The domain the Web cookie serves)
- TSK_PROG_NAME (Name of the application or application extractor that stored the Web cookie)
- TSK_PATH (Path to the file containing the Web cookie in the data source)
---
## TSK_WEB_DOWNLOAD
A web download entry found in an application, file or database. The downloaded resource may or may not be present in the data source.
A Web download. The downloaded resource may or may not be present in the data source.
### REQUIRED ATTRIBUTES
- TSK_URL (URL that hosts this downloaded resource)
### OPTIONAL ATTRIBUTES
- TSK_DATETIME_ACCESSED (Last accessed timestamp, in seconds since 1970-01-01T00:00:00Z)
- TSK_DOMAIN (Domain that hosted this downloaded resource)
- TSK_PATH_ID (ID of the file instance in the data source)
- TSK_DOMAIN (Domain that hosted the downloaded resource)
- TSK_PATH_ID (Object ID of the file instance in the data source)
- TSK_PATH (Path to the downloaded resource in the datasource)
- TSK_PROG_NAME (Name of the application or application extractor that downloaded this resource)
...
...
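Review bot: the new TSK_WEB_COOKIE description "A Web cookie found." is a fragment left over from trimming "found in an application, file or database"; "A Web cookie." would match the other shortened descriptions. In the same hunk, "A web cache entry." and "TSK_URL (Source URL of the web cookie)" keep lowercase "web" next to the capitalized lines, and TSK_PATH under TSK_WEB_DOWNLOAD says "datasource" where the rest of the text says "data source".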
@@ -687,24 +673,24 @@ A web download entry found in an application, file or database. The downloaded r
---
## TSK_WEB_FORM_ADDRESS
Contains autofill data for a person's address. Form data is usually saved by a web browser.
Contains autofill data for a person's address. Form data is usually saved by a Web browser.
### REQUIRED ATTRIBUTES
- TSK_LOCATION (The address of the person. Ex: 123 Main St.)
- TSK_LOCATION (The address of the person, e.g., 123 Main St.)
### OPTIONAL ATTRIBUTES
- TSK_COUNT (Number of times this web form data was used)
- TSK_DATETIME_ACCESSED (Last accessed timestamp of this web form data, in seconds since 1970-01-01T00:00:00Z)
- TSK_DATETIME_MODIFIED (Last modified timestamp of this web form data, in seconds since 1970-01-01T00:00:00Z)
- TSK_EMAIL (Email of the person that this address is associated with)
- TSK_NAME_PERSON (Name of the person that this address is associated with)
- TSK_PHONE_NUMBER (Phone number of the person that this address is associated with)
- TSK_COUNT (Number of times the Web form data was used)
- TSK_DATETIME_ACCESSED (Last accessed timestamp of the Web form data, in seconds since 1970-01-01T00:00:00Z)
- TSK_DATETIME_MODIFIED (Last modified timestamp of the Web form data, in seconds since 1970-01-01T00:00:00Z)
- TSK_EMAIL (Email address from the form data)
- TSK_NAME_PERSON (Name of a person from the form data)
- TSK_PHONE_NUMBER (Phone number from the form data)
---
## TSK_WEB_FORM_AUTOFILL
Contains autofill data for a web form. Form data is usually saved by a web browser. Each field value pair in the form should be stored in seperate artifacts.
Contains autofill data for a Web form. Form data is usually saved by a Web browser. Each field value pair in the form should be stored in separate artifacts.
### REQUIRED ATTRIBUTES
- One pair of:
...
...
@@ -712,67 +698,64 @@ Contains autofill data for a web form. Form data is usually saved by a web brows
- TSK_VALUE (Value of the autofill field)
### OPTIONAL ATTRIBUTES
- TSK_COUNT (Number of times this web form data has been used)
- TSK_DATETIME_ACCESSED (Datetime this web form data was last accessed, in seconds since 1970-01-01T00:00:00Z)
- TSK_DATETIME_CREATED (Datetime this web form autofill data was created, in seconds since 1970-01-01T00:00:00Z)
- TSK_COUNT (Number of times this Web form data has been used)
- TSK_DATETIME_CREATED (Datetime this Web form autofill data was created, in seconds since 1970-01-01T00:00:00Z)
- TSK_DATETIME_ACCESSED (Datetime this Web form data was last accessed, in seconds since 1970-01-01T00:00:00Z)
---
## TSK_WEB_HISTORY
A web history entry in an application, file or database. This indicates that the device or some user visited the web page.
A Web history entry.
### REQUIRED ATTRIBUTES
- TSK_URL (The visited URL)
- TSK_URL (The URL)
### OPTIONAL ATTRIBUTES
- TSK_DATETIME_ACCESSED (The datetime this URL was accessed, in seconds since 1970-01-01T00:00:00Z)
- TSK_DATETIME_ACCESSED (The datetime the URL was accessed, in seconds since 1970-01-01T00:00:00Z)
- TSK_DOMAIN (The domain name of the URL)
- TSK_PROG_NAME (The application or application extractor that stored this web history entry)
- TSK_REFERRER (The URL of the web page that linked to this page)
- TSK_TITLE (Title of the web page that was visited)
- TSK_URL_DECODED
- TSK_USER_NAME (Name of the user that viewed the web page)
- TSK_PROG_NAME (The application or application extractor that stored this Web history entry)
- TSK_REFERRER (The URL of a Web page that linked to the page)
- TSK_TITLE (Title of the Web page that was visited)
- TSK_URL_DECODED (The decoded URL)
- TSK_USER_NAME (Name of the user that viewed the Web page)
---
## TSK_WEB_SEARCH_QUERY
Details about a web search query that was found in an application, file or database.
Details about a Web search query.
### REQUIRED ATTRIBUTES
- TSK_TEXT (Web search query text)
### OPTIONAL ATTRIBUTES
- TSK_DATETIME_ACCESSED (The datetime this web search query was last used, in seconds since 1970-01-01T00:00:00Z)
- TSK_DATETIME_ACCESSED (When the Web search query was last used, in seconds since 1970-01-01T00:00:00Z)
- TSK_DOMAIN (Domain of the search engine used to execute the query)
- TSK_PROG_NAME (Application or application extractor that stored the web search query)
- TSK_PROG_NAME (Application or application extractor that stored the Web search query)
---
## TSK_WIFI_NETWORK
Details about a WiFi network. These may be stored by an application or OS upon connection.
Details about a WiFi network.
### REQUIRED ATTRIBUTES
- TSK_SSID (The name of the wifi network)
- TSK_SSID (The name of the WiFi network)
### OPTIONAL ATTRIBUTES
- TSK_DATETIME (Timestamp about this WiFi network, in seconds since 1970-01-01T00:00:00Z. This timestamp could be last connected time or creation time)
- TSK_DEVICE_ID (String that uniquely identifies the wifi network)
- TSK_DATETIME (Timestamp, in seconds since 1970-01-01T00:00:00Z. This timestamp could be last connected time or creation time)
- TSK_DEVICE_ID (String that uniquely identifies the WiFi network)
---
## TSK_WIFI_NETWORK_ADAPTER
Details about a WiFi adapter. These may be stored by an application or OS.
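Review bot: under TSK_WEB_HISTORY, "TSK_URL (The URL)" says nothing that the attribute name does not; the earlier wording "The visited URL" carried the meaning and should stay, all the more because the sentence stating that the page was visited is gone from the section description. For TSK_WIFI_NETWORK, TSK_DATETIME "could be last connected time or creation time", which leaves a consumer unable to tell which event a given timestamp records; state how a module should indicate which one it stored.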
@@ -18,10 +18,7 @@ The second special type of artifact is the TSK_ASSOCIATED_OBJECT. All artifacts
\section jni_bb_access Accessing the Blackboard
Java modules can access the blackboard from either org.sleuthkit.datamodel.SleuthkitCase or a org.sleuthkit.datamodel.Content object. The methods associated with org.sleuthkit.datamodel.Content all limit the Blackboard to a specific file.
Refer to the <a href="http://wiki.sleuthkit.org/index.php?title=Artifact_Examples">artifact examples wiki page</a> for artifact and attribute combinations that are commonly used.
Java modules can access the blackboard from either org.sleuthkit.datamodel.SleuthkitCase or a org.sleuthkit.datamodel.Content object. The methods associated with org.sleuthkit.datamodel.Content all limit the Blackboard to a specific file.
\subsection jni_bb_access_post Posting to the Blackboard
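Review bot: the rewritten sentence still reads "or a org.sleuthkit.datamodel.Content object"; it should be "an org.sleuthkit.datamodel.Content object". If the link to the artifact examples wiki page is being dropped from this section, replace it with a pointer to wherever the artifact and attribute combinations are now documented, so the section still tells module authors where to look.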