This document reflects current standard usage of artifact and attribute types for posting analysis results to the case blackboard in Autopsy. Refer to \ref mod_bbpage for more background on the blackboard and how to make artifacts.
The catalog section below has one entry for each standard artifact type. Each entry lists the required and optional attributes of artifacts of the type.
The catalog section below has one entry for each standard artifact type divided by categories. Each entry lists the required and optional attributes of artifacts of the type. The category types are:
- \ref art_catalog_analysis "Analysis Result": Result from an analysis technique on a given object with a given configuration. Includes Conclusion, Relevance Score, and Confidence.
- \ref art_catalog_data "Data Artifact": Data that was originally embedded by an application/OS in a file or other data container.
NOTE:
- While we have listed some attributes as "Required", nothing will enforce that they exist. Modules that use artifacts from the blackboard should assume that some of the attributes may not actually exist.
...
...
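Review bot: the new intro sentence reads "divided by categories"; "divided into categories" (or "grouped into categories") is the idiom, and since there are exactly two, "divided into two categories" would be clearer still. The Analysis Result bullet also promises a Conclusion, Relevance Score and Confidence, but none of the catalog entries that follow say where those values live or whether they vary per artifact type, so a one-line pointer to where a module supplies them, next to the required/optional attribute lists, would make the split easier to apply.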
@@ -15,9 +17,143 @@ For the full list of types, refer to:
\section art_catalog_analysis Analysis Result Types
In alphabetical order.
---
## TSK_DATA_SOURCE_USAGE
Describes how a data source was used, e.g., as a SIM card or an OS drive (such as for Windows or Android).
### REQUIRED ATTRIBUTES
- TSK_DESCRIPTION (Description of the usage, e.g., "OS Drive (Windows Vista)").
---
## TSK_ENCRYPTION_DETECTED
An indication that the content is encrypted.
### REQUIRED ATTRIBUTES
- TSK_COMMENT (A comment on the encryption, e.g., encryption type or password)
---
## TSK_ENCRYPTION_SUSPECTED
An indication that the content is likely encrypted.
### REQUIRED ATTRIBUTES
- TSK_COMMENT (Reason for suspecting encryption)
---
## TSK_EXT_MISMATCH_DETECTED
An indication that the registered extensions for a file's mime type do not match the file's extension.
### REQUIRED ATTRIBUTES
None
---
## TSK_FACE_DETECTED
An indication that a human face was detected in some content.
### REQUIRED ATTRIBUTES
None
---
## TSK_HASHSET_HIT
Indicates that the MD5 hash of a file matches a set of known MD5s (possibly user defined).
### REQUIRED ATTRIBUTES
- TSK_SET_NAME (Name of hashset containing the file's MD5)
### OPTIONAL ATTRIBUTES
- TSK_COMMENT (Additional comments about the hit)
---
## TSK_INTERESTING_ARTIFACT_HIT
Indicates that the source artifact matches some set of criteria which deem it interesting. Artifacts with this meta artifact will be brought to the attention of the user.
### REQUIRED ATTRIBUTES
- TSK_ASSOCIATED_ARTIFACT (The source artifact)
- TSK_SET_NAME (The name of the set of criteria which deemed this artifact interesting)
### OPTIONAL ATTRIBUTES
- TSK_COMMENT (Comment on the reason that the source artifact is interesting)
- TSK_CATEGORY (The set membership rule that was satisfied)
---
## TSK_INTERESTING_FILE_HIT
Indication that the source file matches some set of criteria (possibly user defined) which deem it interesting. Files with this artifact will be brought to the attention of the user.
### REQUIRED ATTRIBUTES
- TSK_SET_NAME (The name of the set of criteria which deemed this file interesting)
### OPTIONAL ATTRIBUTES
- TSK_COMMENT (Comment on the reason that the source artifact is interesting)
- TSK_CATEGORY (The set membership rule that was satisfied. I.e. a particular mime)
---
## TSK_KEYWORD_HIT
Indication that the source artifact or file contains a keyword. Keywords are grouped into named sets.
### REQUIRED ATTRIBUTES
- TSK_KEYWORD (Keyword that was found in the artifact or file)
- TSK_KEYWORD_SEARCH_TYPE (Specifies the type of match, e.g., an exact match, a substring match, or a regex match)
- TSK_SET_NAME (The set name that the keyword was contained in)
- TSK_KEYWORD_REGEXP (The regular expression that matched, only required for regex matches)
- TSK_ASSOCIATED_ARTIFACT (Only required if the keyword hit source is an artifact)
### OPTIONAL ATTRIBUTES
- TSK_KEYWORD_PREVIEW (Snippet of text around keyword)
---
## TSK_OBJECT_DETECTED
Indicates that an object was detected in a media file. Typically used by computer vision software to classify images.
### REQUIRED ATTRIBUTES
- TSK_COMMENT (What was detected)
### OPTIONAL ATTRIBUTES
- TSK_DESCRIPTION (Additional comments about the object or observer, e.g., what detected the object)
---
## TSK_USER_CONTENT_SUSPECTED
An indication that some media file content was generated by the user.
### REQUIRED ATTRIBUTES
- TSK_COMMENT (The reason why user-generated content is suspected)
---
## TSK_VERIFICATION_FAILED
An indication that some data did not pass verification. One example would be verifying a SHA-1 hash.
### REQUIRED ATTRIBUTES
- TSK_COMMENT (Reason for failure, what failed)
---
## TSK_WEB_ACCOUNT_TYPE
A web account type entry.
### REQUIRED ATTRIBUTES
- TSK_DOMAIN (Domain of the URL)
- TSK_TEXT (Indicates type of account (admin/moderator/user) and possible platform)
- TSK_URL (URL indicating the user has an account on this domain)
---
## TSK_WEB_CATEGORIZATION
The categorization of a web host using a specific usage type, e.g. mail.google.com would correspond to Web Email.
### REQUIRED ATTRIBUTES
- TSK_NAME (The usage category identifier, e.g. Web Email)
- TSK_DOMAIN (The domain of the host, e.g. google.com)
- TSK_HOST (The full host, e.g. mail.google.com)
---
## TSK_YARA_HIT
Indicates that the some content of the file was a hit for a YARA rule match.
### REQUIRED ATTRIBUTES
- TSK_RULE (The rule that was a hit for this file)
- TSK_SET_NAME (Name of the rule set containing the matching rule YARA rule)
<br><br>
\section art_catalog_data Data Artifact Types
---
## TSK_ACCOUNT
...
...
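Review bot: in the added TSK_KEYWORD_HIT entry, TSK_KEYWORD_REGEXP and TSK_ASSOCIATED_ARTIFACT are listed under REQUIRED ATTRIBUTES while their own descriptions say they are only required for regex matches or artifact sources; either move them under OPTIONAL ATTRIBUTES with the condition kept in the description, or label them "conditionally required" so a module author does not read them as always mandatory. Two typos are carried over into the new TSK_YARA_HIT entry: "Indicates that the some content of the file" (drop "the") and "containing the matching rule YARA rule" (drop one "rule"). In TSK_INTERESTING_FILE_HIT the TSK_CATEGORY note should read "e.g., a particular MIME type" rather than "I.e. a particular mime". The raw `<br><br>` before the Data Artifact section heading sits oddly in a file that otherwise separates entries with `---`; a blank line would do the same job.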
@@ -141,13 +277,6 @@ A contact book entry in an application file or database.
---
## TSK_DATA_SOURCE_USAGE
Describes how a data source was used, e.g., as a SIM card or an OS drive (such as for Windows or Android).
### REQUIRED ATTRIBUTES
- TSK_DESCRIPTION (Description of the usage, e.g., "OS Drive (Windows Vista)").
---
## TSK_DELETED_PROG
...
...
@@ -213,26 +342,6 @@ An email message found in an application file or database.
- TSK_SUBJECT (Subject of the email message)
- TSK_THREAD_ID (ID specified by the analysis module to group emails into threads for display purposes)
---
## TSK_ENCRYPTION_DETECTED
An indication that the content is encrypted.
### REQUIRED ATTRIBUTES
- TSK_COMMENT (A comment on the encryption, e.g., encryption type or password)
---
## TSK_ENCRYPTION_SUSPECTED
An indication that the content is likely encrypted.
### REQUIRED ATTRIBUTES
- TSK_COMMENT (Reason for suspecting encryption)
---
## TSK_EXTRACTED_TEXT
Text extracted from some content.
...
...
@@ -240,26 +349,6 @@ Text extracted from some content.
### REQUIRED ATTRIBUTES
TSK_TEXT (The extracted text)
---
## TSK_EXT_MISMATCH_DETECTED
An indication that the registered extensions for a file's mime type do not match the file's extension.
### REQUIRED ATTRIBUTES
None
---
## TSK_FACE_DETECTED
An indication that a human face was detected in some content.
### REQUIRED ATTRIBUTES
None
---
## TSK_GEN_INFO
A generic information artifact. Each content object will have at most one TSK_GEN_INFO artifact, which is easily accessed through org.sleuthkit.datamodel.AbstractContent.getGenInfoArtifact() and related methods. The TSK_GEN_INFO object is useful for storing values related to the content object without making a new artifact type.
...
...
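Review bot: in the unchanged TSK_EXTRACTED_TEXT context just above the removed block, "TSK_TEXT (The extracted text)" is missing the leading "- " that every other attribute list in the file uses; worth fixing while these entries are being moved so the Data Artifact section renders consistently.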
@@ -359,18 +448,6 @@ A Global Positioning System (GPS) track artifact records the track, or path, of
---
## TSK_HASHSET_HIT
Indicates that the MD5 hash of a file matches a set of known MD5s (possibly user defined).
### REQUIRED ATTRIBUTES
- TSK_SET_NAME (Name of hashset containing the file's MD5)
### OPTIONAL ATTRIBUTES
- TSK_COMMENT (Additional comments about the hit)
---
## TSK_INSTALLED_PROG
Details about an installed program.
...
...
@@ -385,51 +462,6 @@ Details about an installed program.
- TSK_PATH_SOURCE (Path to an Android Package Kit (APK) file for an Android program)
- TSK_PERMISSIONS (Permissions of the installed program)
---
## TSK_INTERESTING_ARTIFACT_HIT
Indicates that the source artifact matches some set of criteria which deem it interesting. Artifacts with this meta artifact will be brought to the attention of the user.
### REQUIRED ATTRIBUTES
- TSK_ASSOCIATED_ARTIFACT (The source artifact)
- TSK_SET_NAME (The name of the set of criteria which deemed this artifact interesting)
### OPTIONAL ATTRIBUTES
- TSK_COMMENT (Comment on the reason that the source artifact is interesting)
- TSK_CATEGORY (The set membership rule that was satisfied)
---
## TSK_INTERESTING_FILE_HIT
Indication that the source file matches some set of criteria (possibly user defined) which deem it interesting. Files with this artifact will be brought to the attention of the user.
### REQUIRED ATTRIBUTES
- TSK_SET_NAME (The name of the set of criteria which deemed this file interesting)
### OPTIONAL ATTRIBUTES
- TSK_COMMENT (Comment on the reason that the source artifact is interesting)
- TSK_CATEGORY (The set membership rule that was satisfied. I.e. a particular mime)
---
## TSK_KEYWORD_HIT
Indication that the source artifact or file contains a keyword. Keywords are grouped into named sets.
### REQUIRED ATTRIBUTES
- TSK_KEYWORD (Keyword that was found in the artifact or file)
- TSK_KEYWORD_SEARCH_TYPE (Specifies the type of match, e.g., an exact match, a substring match, or a regex match)
- TSK_SET_NAME (The set name that the keyword was contained in)
- TSK_KEYWORD_REGEXP (The regular expression that matched, only required for regex matches)
- TSK_ASSOCIATED_ARTIFACT (Only required if the keyword hit source is an artifact)
### OPTIONAL ATTRIBUTES
- TSK_KEYWORD_PREVIEW (Snippet of text around keyword)
---
## TSK_MESSAGE
A message that is found in some content.
...
...
@@ -485,18 +517,6 @@ EXIF metadata found in an image or audio file.
- TSK_GEO_LONGITUDE (The camera's longitude when the image/audio was taken)
---
## TSK_OBJECT_DETECTED
Indicates that an object was detected in a media file. Typically used by computer vision software to classify images.
### REQUIRED ATTRIBUTES
- TSK_COMMENT (What was detected)
### OPTIONAL ATTRIBUTES
- TSK_DESCRIPTION (Additional comments about the object or observer, e.g., what detected the object)
---
## TSK_OS_ACCOUNT
Details about an operating system account recovered from the data source. Examples include user or administrator accounts.
...
...
@@ -676,18 +696,7 @@ An event in the timeline of a case.
- TSK_DATETIME (When the event occurred, in seconds since 1970-01-01T00:00:00Z)
- TSK_DESCRIPTION (A description of the event)
---
## TSK_USER_CONTENT_SUSPECTED
An indication that some media file content was generated by the user.
### REQUIRED ATTRIBUTES
- TSK_COMMENT (The reason why user-generated content is suspected)
---
## TSK_USER_DEVICE_EVENT
Activity on the system or from an application. Example usage is a mobile device being locked and unlocked.
...
...
@@ -702,27 +711,6 @@ Activity on the system or from an application. Example usage is a mobile device
- TSK_PROG_NAME (Name of the program doing the activity)
- TSK_VALUE (Connection type)
---
## TSK_VERIFICATION_FAILED
An indication that some data did not pass verification. One example would be verifying a SHA-1 hash.
### REQUIRED ATTRIBUTES
- TSK_COMMENT (Reason for failure, what failed)
---
## TSK_WEB_ACCOUNT_TYPE
A web account type entry.
### REQUIRED ATTRIBUTES
- TSK_DOMAIN (Domain of the URL)
- TSK_TEXT (Indicates type of account (admin/moderator/user) and possible platform)
- TSK_URL (URL indicating the user has an account on this domain)
---
## TSK_WEB_BOOKMARK
A web bookmark entry.
...
...
@@ -737,8 +725,6 @@ A web bookmark entry.
- TSK_NAME (Name of the bookmark entry)
- TSK_TITLE (Title of the web page that was bookmarked)
---
## TSK_WEB_CACHE
A web cache entry. The resource that was cached may or may not be present in the data source.
...
...
@@ -753,19 +739,6 @@ A web cache entry. The resource that was cached may or may not be present in the
- TSK_PATH_ID (Object ID of the source cache file)
- TSK_DOMAIN (Domain of the URL)
---
## TSK_WEB_CATEGORIZATION
The categorization of a web host using a specific usage type, e.g. mail.google.com would correspond to Web Email.
### REQUIRED ATTRIBUTES
- TSK_NAME (The usage category identifier, e.g. Web Email)
- TSK_DOMAIN (The domain of the host, e.g. google.com)
- TSK_HOST (The full host, e.g. mail.google.com)
---
## TSK_WEB_COOKIE
A Web cookie found.
...
...
@@ -887,14 +860,4 @@ Details about a WiFi adapter.
---
## TSK_YARA_HIT
Indicates that the some content of the file was a hit for a YARA rule match.
### REQUIRED ATTRIBUTES
- TSK_RULE (The rule that was a hit for this file)
- TSK_SET_NAME (Name of the rule set containing the matching rule YARA rule)