TSK Autopsy Artifacts
The below tries to summarise the various sources (see bottom of the post) on how Autopsy 3 artifacts & attributes work and should be used.
General
- a file can have none to many artifacts
- use more than 1 artifact if the attributes don’t have a relationship to each other
- artifacts can represent the actual content of a container such as a PST or Log file where each artifact should be an email or log entry
- an artifact can have 1 to many attributes
- attributes should be related to each other
- standard and custom types of artifacts/attributes are referenced by their ID which is maintained by the Blackboard system
Other “best practices”
- don’t use attribute contexts; create custom attributes instead
- use TSK_GEN_INFO as a catch all if you don’t create a custom artifact and no others fit
- try not to use custom artifacts/attributes if possible
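As an added illustration of the rules above (not code from this post or from Autopsy’s own sample module), a helper a file ingest module could call from its process(AbstractFile) method: one TSK_INTERESTING_FILE_HIT artifact per hit, all of its attributes describing that same hit, TSK_SET_NAME naming the rule set, and TSK_GEN_INFO as the catch-all. The class name ArtifactHelper, the MODULE_NAME constant and the flagFile/recordGeneric methods are assumed names; newArtifact, addAttribute and the ARTIFACT_TYPE/ATTRIBUTE_TYPE enums are the Autopsy 3 datamodel API.

```java
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.TskCoreException;

/** Hypothetical helper called from a file ingest module's process(AbstractFile) method. */
public final class ArtifactHelper {

    // The module name is stored with every attribute so reports show who created it.
    private static final String MODULE_NAME = "ExampleFlagger"; // assumed name

    /**
     * Flags a file that matched a named rule set. One artifact per hit, and every
     * attribute on it describes that same hit (the set name and the reason).
     * TSK_SET_NAME is what the Interesting Items tree node groups on.
     */
    public static BlackboardArtifact flagFile(AbstractFile file, String setName, String reason)
            throws TskCoreException {
        BlackboardArtifact hit = file.newArtifact(ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
        hit.addAttribute(new BlackboardAttribute(
                ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), MODULE_NAME, setName));
        // Attribute contexts are discouraged above, so the reason goes in its own
        // attribute instead of as a context string on TSK_SET_NAME.
        hit.addAttribute(new BlackboardAttribute(
                ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(), MODULE_NAME, reason));
        return hit;
    }

    /**
     * Records a fact about a file when no standard artifact fits and no custom one
     * is wanted. TSK_GEN_INFO only shows plain fields in the result tab.
     */
    public static BlackboardArtifact recordGeneric(AbstractFile file, String value)
            throws TskCoreException {
        BlackboardArtifact info = file.newArtifact(ARTIFACT_TYPE.TSK_GEN_INFO);
        info.addAttribute(new BlackboardAttribute(
                ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(), MODULE_NAME, value));
        return info;
    }
}
```

A real module would additionally post the new artifact through IngestServices.fireModuleDataEvent so the tree view refreshes; the exact call differs between Autopsy 3 releases.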
Which Artifact shows up where?
The below is a work in progress
Initial observations show that you can add any kind of “attribute” to any artifact; the type of the artifact determines its behaviour and use inside Autopsy. Please note that you can apparently use the attribute TSK_TAG_NAME in artifacts other than TSK_TAG_FILE, but this does not create tags and only confuses the reporting module into believing there are tagged items when there are none.
TSK_TAG_FILE
Probably a favourite of mine: custom table, items in the tree view, result tab view and thumbnails per tag all work. The wiki states that separators work to build a tag hierarchy (sub tags?), but I have tried many separation characters (-/\|,:;) and scanned the tag-related source code and cannot find support for this in the pre-3.1 API (maybe in the future).
TSK_GEN_INFO
Plain fields in the result tab, no items in the tree view, no special table view.
TSK_INTERESTING_FILE_HIT
Plain fields in the result tab, items in the tree view, special table view, but no sub-item in the tree view for TSK_SET_NAME 🙁.
TSK_TOOL_OUTPUT
Plain fields in the result tab, items in the tree view, special table view (shows data source -> image, but not the file path as with other artifacts).
Sources
- http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html
- http://wiki.sleuthkit.org/index.php?title=Artifact_Examples
- http://sleuthkit.org/sleuthkit/docs/framework-docs/TskBlackboard_8h.html
- https://github.com/sleuthkit/autopsy/blob/develop/Core/src/org/sleuthkit/autopsy/examples/SampleFileIngestModule.java