TSK Autopsy Artifacts
This post summarises the various sources (see the bottom of the post) on how Autopsy 3 artifacts and attributes work and how they should be used.
- a file can have none to many artifacts
- use more than 1 artifact if the attributes don’t have a relationship to each other
- artifacts can represent the actual content of a container such as a PST or log file, where each artifact should be an email or log entry
- an artifact can have 1 to many attributes
- attributes should be related to each other
- standard and custom types of artifacts/attributes are referenced by their ID which is maintained by the Blackboard system
Other “best practices”
- don’t use attribute contexts; create custom attributes instead
- use TSK_GEN_INFO as a catch-all if you don’t create a custom artifact and no others fit
- try not to use custom artifacts/attributes if possible
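The rules above applied to a parsed log file, as an added example that is not taken from the Autopsy sources or from the original post: each log entry becomes its own TSK_GEN_INFO artifact whose attributes all describe that one entry. It assumes the Sleuth Kit Java bindings of the Autopsy 3 era, where attribute constructors take the type ID as an int and no context string; `LogEntryPoster`, `LogEntry` and the module name are hypothetical.

```java
import java.util.List;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.TskCoreException;

/** Hypothetical helper: posts one blackboard artifact per parsed log entry. */
public class LogEntryPoster {
    private static final String MODULE_NAME = "ExampleLogParser"; // assumed module name

    /** One parsed log line (constructed type, not part of the TSK API). */
    public static class LogEntry {
        final long epochSeconds;
        final String source;
        final String message;

        public LogEntry(long epochSeconds, String source, String message) {
            this.epochSeconds = epochSeconds;
            this.source = source;
            this.message = message;
        }
    }

    /** Returns the number of artifacts posted against the container file. */
    public static int post(AbstractFile logFile, List<LogEntry> entries)
            throws TskCoreException {
        int posted = 0;
        for (LogEntry e : entries) {
            // A file can carry many artifacts: one per entry, not one per file.
            // No standard type fits a generic log line, so use the catch-all.
            BlackboardArtifact art = logFile.newArtifact(ARTIFACT_TYPE.TSK_GEN_INFO);
            // All three attributes describe the same event, so they belong together.
            // Standard types are looked up by ID; no context string is passed.
            art.addAttribute(new BlackboardAttribute(
                    ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), MODULE_NAME, e.epochSeconds));
            art.addAttribute(new BlackboardAttribute(
                    ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), MODULE_NAME, e.source));
            art.addAttribute(new BlackboardAttribute(
                    ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(), MODULE_NAME, e.message));
            // TSK_TAG_NAME is deliberately not added here: outside TSK_TAG_FILE
            // it creates no tag and only confuses the reporting module.
            posted++;
        }
        return posted;
    }
}
```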
Which Artifact shows up where?
The following is a work in progress.
Initial observations show that any kind of “attribute” can be added to any artifact; the type of the artifact determines its behaviour and use inside Autopsy. Note that it seems the attribute TSK_TAG_NAME can be used in artifacts other than TSK_TAG_FILE, but this does not create tags and only confuses the reporting module, making it believe there are tagged items when there are none.
Probably a favourite of mine: custom table, items in the tree view, result tab view and thumbnails per tag all work. The wiki states that separators work to build a tag hierarchy (sub tags?), but I have tried many separation characters (-/\|,:;) and scanned the source code using tags and cannot find support for this in the pre-3.1 API (maybe in the future):
plain fields in the result tab, no items in the tree view, no special table view:
plain fields in the result tab, items in the tree view, special table view, no sub item in tree view for TSK_SET_NAME though 🙁 :
plain fields in the result tab, items in the tree view, special table view (shows data source –> image but not the file path like with other artifacts):