TSK Autopsy Artifacts

The below tries to summarise the various sources (see bottom of the post) on how Autopsy 3 artifacts & attributes work and should be used.

General

TSK Autopsy Artifact relationship

• a file can have none to many artifacts
  • use more than 1 artifact if the attributes don’t have a relationship to each other
  • artifacts can represent the actual content of a container such as a PST or Log file where each artifact should be an email or log entry
• a artifact can have 1 to many attributes
  • attributes should be related to each other
• standard and custom types of artifacts/attributes are referenced by their ID which is maintained by the Blackboard system

other “best practises”

• don’t use attribute contexts –> create custom attributes instead
• use TSK_GEN_INFO as a catch all if you don’t create a custom artifact and no others fit
• try not to use custom artifacts/attributes if possible

 Which Artifact shows up where?

The below is a work in progress

Initial observations show you could add any kind of “attribute” to each artifact, the type of the artifact will determine the behaviour/use inside of Autopsy. Please note that it seems you can use the attribute TSK_TAG_NAME in other artifacts than TSK_TAG_FILE but this does not create tags and just confuses the reporting module making it believe there are tagged items when there are none.

TSK_TAG_FILE

probably a favourite of mine, custom table, items in the treeview, result tab view and thumbnails per tag work; the wiki states that separators work to build a tag hierarchy (sub tags?) but I have tried many separation characters (-/\|,:;) and scanned the source code using tags and cannot find support of this pre 3.1 API (maybe in the future):

TSK_GEN_INFO

plain fields in the result tab, no items in the tree view, no special table view:

TSK_INTERESTING_FILE_HIT

plain fields in the result tab, items in the tree view, special table view, no sub item in tree view for TSK_SET_NAME though 🙁 :

TSK_TOOL_OUTPUT

plain fields in the result tab, items in the tree view, special table view (shows data source –> image but not the file path like with other artifacts):

Sources

• http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html
• http://wiki.sleuthkit.org/index.php?title=Artifact_Examples
• http://sleuthkit.org/sleuthkit/docs/framework-docs/TskBlackboard_8h.html
• https://github.com/sleuthkit/autopsy/blob/develop/Core/src/org/sleuthkit/autopsy/examples/SampleFileIngestModule.java