Autopsy 3 Artifacts & Attributes quick overview

TSK Autopsy Artifacts

The below tries to summarise the various sources (see bottom of the post) on how Autopsy 3 artifacts & attributes work and should be used.

General

TSK Autopsy Artifact relationship

  • a file can have none to many artifacts
    • use more than one artifact if the attributes have no relationship to each other
    • artifacts can represent the actual content of a container such as a PST or log file, where each artifact should be one email or one log entry
  • an artifact can have one to many attributes
    • the attributes of one artifact should be related to each other
  • standard and custom types of artifacts/attributes are referenced by their type ID, which is maintained by the Blackboard system

Other “best practices”

  • don’t use attribute contexts; create custom attributes instead
  • use TSK_GEN_INFO as a catch-all if you don’t create a custom artifact and no other type fits
  • try not to use custom artifacts/attributes if you can avoid it
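As an added example (not code from this post or from the Autopsy project), a small helper for a Java ingest module that applies the rules above: related attributes go on one artifact, a custom attribute replaces an attribute context, and TSK_GEN_INFO is the catch-all. The class, module, set and custom attribute names are assumptions, and the calls follow the pre-3.1 TSK Java bindings the post refers to.

```java
import org.sleuthkit.autopsy.ingest.IngestServices;
import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;

/** Example helper (assumed names) for posting artifacts from an Autopsy 3.0-era module. */
public final class BlackboardHelper {
    private static final String MODULE_NAME = "ExampleModule";               // assumption
    private static final String SET_NAME = "Example: files of interest";     // assumption
    private static final String CUSTOM_ATTR = "EXAMPLE_MATCH_REASON";        // assumption

    private final int customAttrTypeId; // custom types are referenced by the ID the Blackboard hands out

    public BlackboardHelper(SleuthkitCase skCase) throws TskCoreException {
        int id;
        try {
            id = skCase.getAttrTypeID(CUSTOM_ATTR);                // already registered in this case
        } catch (TskCoreException notRegisteredYet) {
            id = skCase.addAttrType(CUSTOM_ATTR, "Match reason");  // register once, reuse the ID
        }
        this.customAttrTypeId = id;
    }

    /** One TSK_INTERESTING_FILE_HIT: the set name and the reason belong together, so one artifact. */
    public BlackboardArtifact postInterestingFile(AbstractFile file, String reason) throws TskCoreException {
        BlackboardArtifact art = file.newArtifact(ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
        art.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), MODULE_NAME, SET_NAME));
        // Custom attribute instead of the (module, context, value) constructor; no TSK_TAG_NAME here,
        // since that attribute only creates real tags on a TSK_TAG_FILE artifact.
        art.addAttribute(new BlackboardAttribute(customAttrTypeId, MODULE_NAME, reason));
        // Let the tree view refresh the node for this artifact type.
        IngestServices.getDefault().fireModuleDataEvent(
                new ModuleDataEvent(MODULE_NAME, ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT));
        return art;
    }

    /** Catch-all for a fact that fits no other type: TSK_GEN_INFO shows plain fields in the result tab. */
    public BlackboardArtifact postGenInfo(AbstractFile file, String comment) throws TskCoreException {
        BlackboardArtifact art = file.newArtifact(ARTIFACT_TYPE.TSK_GEN_INFO);
        art.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(), MODULE_NAME, comment));
        return art;
    }
}
```

Whether getAttrTypeID throws or returns a sentinel for an unknown name depends on the exact bindings version, so check that in your build before relying on the lookup-then-add pattern.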

Which Artifact shows up where?

The below is a work in progress

Initial observations show that you can add any kind of attribute to any artifact; the type of the artifact determines how Autopsy treats and displays it. Please note that you can attach the TSK_TAG_NAME attribute to artifacts other than TSK_TAG_FILE, but this does not create tags and only confuses the reporting module into believing there are tagged items when there are none.

TSK_TAG_FILE

Probably a favourite of mine: custom table, items in the tree view, result tab view and thumbnails per tag all work. The wiki states that separators work to build a tag hierarchy (sub-tags?), but I have tried many separator characters (-/\|,:;) and scanned the source code using tags and cannot find support for this in the pre-3.1 API (maybe in the future).

TSK_GEN_INFO

Plain fields in the result tab, no items in the tree view, no special table view.

TSK_INTERESTING_FILE_HIT

Plain fields in the result tab, items in the tree view, special table view, but no sub-item in the tree view for TSK_SET_NAME 🙁

TSK_TOOL_OUTPUT

Plain fields in the result tab, items in the tree view, special table view (shows the data source, i.e. the image, but not the file path as with other artifacts).

Sources
