The Sleuth Kit Framework  4.1
TskBlackboard.h File Reference

Interface for the class that will implement the blackboard.

#include <string>
#include <vector>
#include "tsk/framework/utilities/TskException.h"
#include "tsk/framework/framework_i.h"
#include "tsk/framework/services/TskImgDB.h"
#include "TskBlackboardArtifact.h"
#include "TskBlackboardAttribute.h"

Classes

class  TskArtifactNames
 Class used to store the pair of type and display names of artifacts.
 
class  TskAttributeNames
 Class used to store the pair of type and display names of attributes.
 
class  TskBlackboard
 An interface for setting and retrieving name/value pairs to the blackboard.
 

Enumerations

enum  TSK_ARTIFACT_TYPE {
  TSK_GEN_INFO = 1, TSK_WEB_BOOKMARK = 2, TSK_WEB_COOKIE = 3, TSK_WEB_HISTORY = 4,
  TSK_WEB_DOWNLOAD = 5, TSK_RECENT_OBJECT = 6, TSK_GPS_TRACKPOINT = 7, TSK_INSTALLED_PROG = 8,
  TSK_KEYWORD_HIT = 9, TSK_HASHSET_HIT = 10, TSK_DEVICE_ATTACHED = 11, TSK_INTERESTING_FILE_HIT = 12,
  TSK_EMAIL_MSG = 13, TSK_EXTRACTED_TEXT = 14, TSK_WEB_SEARCH_QUERY = 15, TSK_METADATA_EXIF = 16,
  TSK_TAG_FILE = 17, TSK_TAG_ARTIFACT = 18, TSK_OS_INFO = 19, TSK_OS_ACCOUNT = 20,
  TSK_SERVICE_ACCOUNT = 21, TSK_TOOL_OUTPUT = 22, TSK_CONTACT = 23, TSK_MESSAGE = 24,
  TSK_CALLLOG = 25, TSK_CALENDAR_ENTRY = 26, TSK_SPEED_DIAL_ENTRY = 27, TSK_BLUETOOTH_PAIRING = 28,
  TSK_GPS_BOOKMARK = 29, TSK_GPS_LAST_KNOWN_LOCATION = 30, TSK_GPS_SEARCH = 31, TSK_PROG_RUN = 32,
  TSK_ENCRYPTION_DETECTED = 33, TSK_EXT_MISMATCH_DETECTED = 34, TSK_INTERESTING_ARTIFACT_HIT = 35, TSK_GPS_ROUTE = 36,
  TSK_REMOTE_DRIVE = 37
}
 Built-in artifact types.
 
enum  TSK_ATTRIBUTE_TYPE {
  TSK_URL = 1, TSK_DATETIME = 2, TSK_NAME = 3, TSK_PROG_NAME = 4,
  TSK_VALUE = 6, TSK_FLAG = 7, TSK_PATH = 8, TSK_KEYWORD = 10,
  TSK_KEYWORD_REGEXP = 11, TSK_KEYWORD_PREVIEW = 12, TSK_KEYWORD_SET = 13, TSK_USER_NAME = 14,
  TSK_DOMAIN = 15, TSK_PASSWORD = 16, TSK_NAME_PERSON = 17, TSK_DEVICE_MODEL = 18,
  TSK_DEVICE_MAKE = 19, TSK_DEVICE_ID = 20, TSK_EMAIL = 21, TSK_HASH_MD5 = 22,
  TSK_HASH_SHA1 = 23, TSK_HASH_SHA2_256 = 24, TSK_HASH_SHA2_512 = 25, TSK_TEXT = 26,
  TSK_TEXT_FILE = 27, TSK_TEXT_LANGUAGE = 28, TSK_ENTROPY = 29, TSK_HASHSET_NAME = 30,
  TSK_INTERESTING_FILE = 31, TSK_REFERRER = 32, TSK_DATETIME_ACCESSED = 33, TSK_IP_ADDRESS = 34,
  TSK_PHONE_NUMBER = 35, TSK_PATH_ID = 36, TSK_SET_NAME = 37, TSK_MALWARE_DETECTED = 39,
  TSK_STEG_DETECTED = 40, TSK_EMAIL_TO = 41, TSK_EMAIL_CC = 42, TSK_EMAIL_BCC = 43,
  TSK_EMAIL_FROM = 44, TSK_EMAIL_CONTENT_PLAIN = 45, TSK_EMAIL_CONTENT_HTML = 46, TSK_EMAIL_CONTENT_RTF = 47,
  TSK_MSG_ID = 48, TSK_MSG_REPLY_ID = 49, TSK_DATETIME_RCVD = 50, TSK_DATETIME_SENT = 51,
  TSK_SUBJECT = 52, TSK_TITLE = 53, TSK_GEO_LATITUDE = 54, TSK_GEO_LONGITUDE = 55,
  TSK_GEO_VELOCITY = 56, TSK_GEO_ALTITUDE = 57, TSK_GEO_BEARING = 58, TSK_GEO_HPRECISION = 59,
  TSK_GEO_VPRECISION = 60, TSK_GEO_MAPDATUM = 61, TSK_FILE_TYPE_SIG = 62, TSK_FILE_TYPE_EXT = 63,
  TSK_TAGGED_ARTIFACT = 64, TSK_TAG_NAME = 65, TSK_COMMENT = 66, TSK_URL_DECODED = 67,
  TSK_DATETIME_CREATED = 68, TSK_DATETIME_MODIFIED = 69, TSK_PROCESSOR_ARCHITECTURE = 70, TSK_VERSION = 71,
  TSK_USER_ID = 72, TSK_DESCRIPTION = 73, TSK_MESSAGE_TYPE = 74, TSK_PHONE_NUMBER_HOME = 75,
  TSK_PHONE_NUMBER_OFFICE = 76, TSK_PHONE_NUMBER_MOBILE = 77, TSK_PHONE_NUMBER_FROM = 78, TSK_PHONE_NUMBER_TO = 79,
  TSK_DIRECTION = 80, TSK_EMAIL_HOME = 81, TSK_EMAIL_OFFICE = 82, TSK_DATETIME_START = 83,
  TSK_DATETIME_END = 84, TSK_CALENDAR_ENTRY_TYPE = 85, TSK_LOCATION = 86, TSK_SHORTCUT = 87,
  TSK_DEVICE_NAME = 88, TSK_CATEGORY = 89, TSK_EMAIL_REPLYTO = 90, TSK_SERVER_NAME = 91,
  TSK_COUNT = 92, TSK_MIN_COUNT = 93, TSK_PATH_SOURCE = 94, TSK_PERMISSIONS = 95,
  TSK_ASSOCIATED_ARTIFACT = 96, TSK_ISDELETED = 97, TSK_GEO_LATITUDE_START = 98, TSK_GEO_LATITUDE_END = 99,
  TSK_GEO_LONGITUDE_START = 100, TSK_GEO_LONGITUDE_END = 101, TSK_READ_STATUS = 102, TSK_LOCAL_PATH = 103,
  TSK_REMOTE_PATH = 104, TSK_TEMP_DIR = 105, TSK_PRODUCT_ID = 106, TSK_OWNER = 107,
  TSK_ORGANIZATION = 108
}
 Built-in attribute types.
 

Detailed Description

Interface for the class that will implement the blackboard.

The blackboard is used to store data from analysis modules. The data is available to later modules in the pipeline and in the final reporting phase.

Enumeration Type Documentation

Built-in artifact types.

Refer to http://wiki.sleuthkit.org/index.php?title=Artifact_Examples for details on which attributes should be used for each artifact.

Refer to http://wiki.sleuthkit.org/index.php?title=Adding_Artifacts_and_Attributes for a checklist of steps to add new artifacts and attributes.

Enumerator
TSK_GEN_INFO 

The general info artifact; if information doesn't need its own artifact, it should go here.

TSK_WEB_BOOKMARK 

A web bookmark.

TSK_WEB_COOKIE 

A web cookie.

TSK_WEB_HISTORY 

A web history entry.

TSK_WEB_DOWNLOAD 

A web download.

TSK_RECENT_OBJECT 

A recently used object (MRU, recent document, etc.).

TSK_GPS_TRACKPOINT 

A trackpoint from a GPS log.

TSK_INSTALLED_PROG 

An installed program.

TSK_KEYWORD_HIT 

A keyword hit.

TSK_HASHSET_HIT 

A hit within a known bad / notable hashset / hash database.

TSK_DEVICE_ATTACHED 

An event for a device being attached to the host computer.

TSK_INTERESTING_FILE_HIT 

A file that was flagged because it matched some search criteria for being interesting (i.e. because of its name, extension, etc.)

TSK_EMAIL_MSG 

An e-mail message that was extracted from a file.

TSK_EXTRACTED_TEXT 

Text that was extracted from a file.

TSK_WEB_SEARCH_QUERY 

Web search engine query extracted from web history.

TSK_METADATA_EXIF 

EXIF Metadata.

TSK_TAG_FILE 

File tags.

TSK_TAG_ARTIFACT 

Result tags.

TSK_OS_INFO 

Information pertaining to an operating system.

TSK_OS_ACCOUNT 

An operating system user account.

TSK_SERVICE_ACCOUNT 

A network service user account.

TSK_TOOL_OUTPUT 

Output from an external tool or module (raw text).

TSK_CONTACT 

A contact extracted from a phone, or from an address book, e-mail or messaging application.

TSK_MESSAGE 

An SMS/MMS message extracted from a phone, or from another messaging application, such as IM.

TSK_CALLLOG 

A phone call log extracted from a phone or softphone application.

TSK_CALENDAR_ENTRY 

A Calendar entry from a phone, PIM or a Calendar application.

TSK_SPEED_DIAL_ENTRY 

A speed dial entry from a phone.

TSK_BLUETOOTH_PAIRING 

A bluetooth pairing entry.

TSK_GPS_BOOKMARK 

GPS Bookmarks.

TSK_GPS_LAST_KNOWN_LOCATION 

GPS Last known location.

TSK_GPS_SEARCH 

GPS Searches.

TSK_PROG_RUN 

Application run information.

TSK_ENCRYPTION_DETECTED 

Encrypted File.

TSK_EXT_MISMATCH_DETECTED 

Extension Mismatch.

TSK_INTERESTING_ARTIFACT_HIT 

Any artifact interesting enough that it should be called out in the UI.

TSK_GPS_ROUTE 

Route based on GPS coordinates.

TSK_REMOTE_DRIVE 

Network drive.

Built-in attribute types.

Enumerator
TSK_URL 

String of a URL; should start with http:// or ftp:// etc. You should also make a TskBlackboard::TSK_DOMAIN entry for the base domain name.

TSK_DATETIME 

INT32: GMT-based Unix time, the number of seconds elapsed since UTC Jan 1, 1970.

TSK_NAME 

STRING: The name associated with an artifact.

TSK_PROG_NAME 

String of name of a program that was installed on the system.

TSK_VALUE 

Some value associated with an artifact.

TSK_FLAG 

Some flag associated with an artifact.

TSK_PATH 

A filesystem path. Should be fully qualified. Should set TSK_PATH_ID as well when this is set. TODO: Need to define this value more for cases with multiple images and multiple file systems per image.

TSK_KEYWORD 

STRING: Keyword that was found in this file.

TSK_KEYWORD_REGEXP 

STRING: A regular expression string.

TSK_KEYWORD_PREVIEW 

STRING: A text preview.

TSK_KEYWORD_SET 

STRING: A keyword set – Deprecated in favor of TSK_SET_NAME.

TSK_USER_NAME 

String of a user name. Use TskBlackboard::TSK_DOMAIN to store the domain that the username is from (if it is known).

TSK_DOMAIN 

String of a DNS domain name, e.g. sleuthkit.org. Use TskBlackboard::TSK_URL for a full URL.

TSK_PASSWORD 

String of a password that was found. Use TskBlackboard::TSK_USER_NAME and TskBlackboard::TSK_DOMAIN to link the password to a given user and site.

TSK_NAME_PERSON 

String of a person name.

TSK_DEVICE_MODEL 

String of manufacturer name of a device that was connected to (or somehow related to) the data being analyzed.

TSK_DEVICE_MAKE 

String of make of a device that was connected to (or somehow related to) the data being analyzed.

TSK_DEVICE_ID 

String of ID/serial number of a device that was connected to (or somehow related to) the data being analyzed.

TSK_EMAIL 

String of e-mail address in the form of user@host.com (note that there are also more specific TSK_EMAIL_TO and TSK_EMAIL_FROM attributes if you know the use of the address).

TSK_HASH_MD5 

STRING: MD5 hash.

TSK_HASH_SHA1 

STRING: SHA1 hash.

TSK_HASH_SHA2_256 

STRING: SHA2 256 bit hash.

TSK_HASH_SHA2_512 

STRING: SHA2 512 bit hash.

TSK_TEXT 

String of text extracted from a file (should be part of TSK_EXTRACTED_TEXT artifact).

TSK_TEXT_FILE 

String of path to file containing text. May be absolute or relative. If relative, will be evaluated relative to the OUT_DIR setting. (Should be part of TSK_EXTRACTED_TEXT artifact.)

TSK_TEXT_LANGUAGE 

String of the detected language in ISO 639-3 language code of TskBlackboard::TSK_TEXT data in the same artifact (TSK_EXTRACTED_TEXT, for example).

TSK_ENTROPY 

DOUBLE: Entropy value of file.

TSK_HASHSET_NAME 

String of the name or file name of the hashset – Deprecated in favor of TSK_SET_NAME.

TSK_INTERESTING_FILE 

An interesting file hit, potentially file id, name, or path – Deprecated, use TSK_INTERESTING_FILE_HIT artifact instead.

TSK_REFERRER 

String of referrer URL.

TSK_DATETIME_ACCESSED 

Datetime of the last time accessed.

TSK_IP_ADDRESS 

String of IP Address.

TSK_PHONE_NUMBER 

String of phone number.

TSK_PATH_ID 

Object ID from database that a TSK_PATH attribute corresponds to. Set to -1 if path is for a file that is not in database (i.e. deleted).

TSK_SET_NAME 

STRING: The name of a set that was used to find this artifact (to be used for hash hits, keyword hits, interesting files, etc.)

TSK_MALWARE_DETECTED 

STRING: The name of the malware that was detected in this file.

TSK_STEG_DETECTED 

STRING: The name of the steganography technique that was detected in this file.

TSK_EMAIL_TO 

String of an e-mail address that a message is being sent to directly (not cc:).

TSK_EMAIL_CC 

String of an e-mail address that a message is being sent to as a cc:.

TSK_EMAIL_BCC 

String of an e-mail address that a message is being sent to as a bcc:.

TSK_EMAIL_FROM 

String of an e-mail address that a message is being sent from.

TSK_EMAIL_CONTENT_PLAIN 

String of e-mail message body in plain text.

TSK_EMAIL_CONTENT_HTML 

String of e-mail message body in HTML.

TSK_EMAIL_CONTENT_RTF 

String of e-mail message body in RTF.

TSK_MSG_ID 

String of a message ID (such as one of an e-mail message).

TSK_MSG_REPLY_ID 

String of a message ID that a given message is in response to (such as one of an e-mail message).

TSK_DATETIME_RCVD 

Time in Unix epoch that something was received.

TSK_DATETIME_SENT 

Time in Unix epoch that something was sent.

TSK_SUBJECT 

String of a subject (such as one of an e-mail message).

TSK_TITLE 

String of a title (such as a webpage or other document).

TSK_GEO_LATITUDE 

Floating point of latitude coordinate. Should be in WGS84. Positive North, Negative South.

TSK_GEO_LONGITUDE 

Floating point of longitude coordinate. Should be in WGS84. Positive East, Negative West.

TSK_GEO_VELOCITY 

Floating point of velocity in geo coordinate in meters per second.

TSK_GEO_ALTITUDE 

Floating point of altitude in geo coordinate in meters.

TSK_GEO_BEARING 

Floating point of bearing in geo coordinate in true degrees.

TSK_GEO_HPRECISION 

Floating point of horizontal precision in geo coordinate in meters.

TSK_GEO_VPRECISION 

Floating point of vertical precision in geo coordinate in meters.

TSK_GEO_MAPDATUM 

String of map datum used for coordinates if not WGS84.

TSK_FILE_TYPE_SIG 

String of file type based on signature detection in file content.

TSK_FILE_TYPE_EXT 

String of file type based on file name extension.

TSK_TAGGED_ARTIFACT 

Tagged artifact (associated result).

TSK_TAG_NAME 

The tag name. Can contain slashes "/" to represent tag hierarchy.

TSK_COMMENT 

Comment string.

TSK_URL_DECODED 

Decoded URL.

TSK_DATETIME_CREATED 

Time in Unix epoch that something was created.

TSK_DATETIME_MODIFIED 

Time in Unix epoch that something was modified.

TSK_PROCESSOR_ARCHITECTURE 

String of processor architecture. Naming convention from http://en.wikipedia.org/wiki/Comparison_of_CPU_architectures. So far, we've used x86, x86-64, and IA64.

TSK_VERSION 

String for a software version.

TSK_USER_ID 

User ID for a user account, e.g., a Windows SID or Linux UID.

TSK_DESCRIPTION 

String for a description associated with an artifact.

TSK_MESSAGE_TYPE 

Message type: SMS, MMS, IM, etc.

TSK_PHONE_NUMBER_HOME 

Phone number (home).

TSK_PHONE_NUMBER_OFFICE 

Phone number (office).

TSK_PHONE_NUMBER_MOBILE 

Phone number (mobile).

TSK_PHONE_NUMBER_FROM 

Source phone number, originating a call or message.

TSK_PHONE_NUMBER_TO 

Destination phone number, receiving a call or message.

TSK_DIRECTION 

Msg/call direction: incoming, outgoing.

TSK_EMAIL_HOME 

Email (home).

TSK_EMAIL_OFFICE 

Email (office).

TSK_DATETIME_START 

Start time of an event (call log, calendar entry).

TSK_DATETIME_END 

End time of an event (call log, calendar entry).

TSK_CALENDAR_ENTRY_TYPE 

Calendar entry type: meeting, task, etc.

TSK_SHORTCUT 

Shortcut string: a short code or dial string for speed dial, a URL shortcut (e.g. a bitly string), a Windows desktop shortcut name, etc.

TSK_DEVICE_NAME 

Device name: a (usually) user-assigned device name, such as "Joe's computer", "bob_win8", "BT Headset".

TSK_CATEGORY 

Category/type; the possible value set varies by the artifact.

TSK_EMAIL_REPLYTO 

ReplyTo address.

TSK_SERVER_NAME 

Server name.

TSK_COUNT 

Count related to the artifact.

TSK_MIN_COUNT 

Minimum number/count.

TSK_PATH_SOURCE 

Path to a source file related to the artifact.

TSK_PERMISSIONS 

Permissions.

TSK_ASSOCIATED_ARTIFACT 

Artifact ID of a related artifact.

TSK_ISDELETED 

The artifact is recovered from deleted content.

TSK_GEO_LATITUDE_START 

Starting location latitude.

TSK_GEO_LATITUDE_END 

Ending location latitude.

TSK_GEO_LONGITUDE_START 

Starting location longitude.

TSK_GEO_LONGITUDE_END 

Ending location longitude.

TSK_READ_STATUS 

Message read status: 1 if read, 0 if unread.

TSK_LOCAL_PATH 

Local path to a network share.

TSK_REMOTE_PATH 

Remote path of the network share.

TSK_TEMP_DIR 

Path to the default temp directory.

TSK_PRODUCT_ID 

ID string.

TSK_OWNER 

Registered owner for software.

TSK_ORGANIZATION 

Registered organization for software.
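Several of the attribute descriptions above are conventions a module has to follow by hand: a TSK_URL should start with a scheme and be accompanied by a TSK_DOMAIN, a TSK_PATH should be accompanied by a TSK_PATH_ID (or -1 for a file not in the database), TSK_DATETIME is an INT32 Unix time, the geo attributes are WGS84 coordinates, TSK_READ_STATUS is 0 or 1, and TSK_KEYWORD_SET, TSK_HASHSET_NAME and TSK_INTERESTING_FILE are deprecated. The following is an added example, written for this page and not part of the Sleuth Kit Framework, of a consistency check a module could run over a set of attributes before posting them as one artifact. It uses a local copy of a subset of the TSK_ATTRIBUTE_TYPE values listed above, a hypothetical PendingAttribute struct standing in for TskBlackboardAttribute, and constructed sample data; it does not call the framework's blackboard API.

```cpp
#include <cctype>
#include <cstdint>
#include <iostream>
#include <limits>
#include <string>
#include <vector>

// Local copy of a subset of the TSK_ATTRIBUTE_TYPE enumerators documented on this
// page, with the same numeric values. Not the framework's own header.
enum AttrType {
    TSK_URL = 1, TSK_DATETIME = 2, TSK_PATH = 8, TSK_KEYWORD_SET = 13, TSK_DOMAIN = 15,
    TSK_HASHSET_NAME = 30, TSK_INTERESTING_FILE = 31, TSK_PATH_ID = 36, TSK_SET_NAME = 37,
    TSK_GEO_LATITUDE = 54, TSK_GEO_LONGITUDE = 55, TSK_READ_STATUS = 102
};

// Hypothetical stand-in for a TskBlackboardAttribute before it is posted.
// Only the field matching the attribute's documented value type is meaningful.
struct PendingAttribute {
    int type;           // a TSK_ATTRIBUTE_TYPE value
    std::string text;   // string-valued attributes
    long long integer;  // integer-valued attributes (TSK_DATETIME, TSK_PATH_ID, TSK_READ_STATUS)
    double real;        // floating-point attributes (geo coordinates)
};

// Derive the bare host for a TSK_DOMAIN attribute from a TSK_URL string by
// stripping the scheme, any user:password@ part, the port and the path.
// Returns "" when the URL lacks the "scheme://" prefix the page requires.
std::string domainFromUrl(const std::string& url) {
    std::string::size_type p = url.find("://");
    if (p == std::string::npos) return "";
    std::string rest = url.substr(p + 3);
    std::string authority = rest.substr(0, rest.find_first_of("/?#"));
    std::string::size_type at = authority.rfind('@');
    if (at != std::string::npos) authority = authority.substr(at + 1);
    if (!authority.empty() && authority[0] == '[') {              // IPv6 literal: keep "[...]"
        std::string::size_type close = authority.find(']');
        return close == std::string::npos ? "" : authority.substr(0, close + 1);
    }
    std::string::size_type colon = authority.find(':');           // drop ":port"
    if (colon != std::string::npos) authority = authority.substr(0, colon);
    for (char& c : authority) c = (char)std::tolower((unsigned char)c);  // DNS names are case-insensitive
    return authority;
}

// Replacement for the deprecated attribute types named on the page; returns the input
// unchanged when the type is not deprecated. TSK_INTERESTING_FILE is deprecated in
// favour of an artifact rather than an attribute, so lintAttributes() reports it instead.
int replacementFor(int type) {
    switch (type) {
        case TSK_KEYWORD_SET:  return TSK_SET_NAME;
        case TSK_HASHSET_NAME: return TSK_SET_NAME;
        default:               return type;
    }
}

// Check the attributes of one artifact against the documented conventions.
// Returns one message per problem; an empty vector means the set is consistent.
std::vector<std::string> lintAttributes(const std::vector<PendingAttribute>& attrs) {
    std::vector<std::string> problems;
    bool hasUrl = false, hasDomain = false, hasPath = false, hasPathId = false;
    for (const PendingAttribute& a : attrs) {
        switch (a.type) {
        case TSK_URL:
            hasUrl = true;
            if (domainFromUrl(a.text).empty())
                problems.push_back("TSK_URL does not start with a scheme such as http:// or ftp://");
            break;
        case TSK_DOMAIN:  hasDomain = true; break;
        case TSK_PATH:    hasPath = true; break;
        case TSK_PATH_ID:
            hasPathId = true;
            if (a.integer < -1) problems.push_back("TSK_PATH_ID must be a database object ID or -1");
            break;
        case TSK_DATETIME:  // documented as INT32 seconds since the Unix epoch
            if (a.integer < std::numeric_limits<int32_t>::min() || a.integer > std::numeric_limits<int32_t>::max())
                problems.push_back("TSK_DATETIME does not fit an INT32");
            break;
        case TSK_GEO_LATITUDE:
            if (a.real < -90.0 || a.real > 90.0) problems.push_back("TSK_GEO_LATITUDE outside [-90, 90]");
            break;
        case TSK_GEO_LONGITUDE:
            if (a.real < -180.0 || a.real > 180.0) problems.push_back("TSK_GEO_LONGITUDE outside [-180, 180]");
            break;
        case TSK_READ_STATUS:
            if (a.integer != 0 && a.integer != 1) problems.push_back("TSK_READ_STATUS must be 1 (read) or 0 (unread)");
            break;
        case TSK_INTERESTING_FILE:
            problems.push_back("TSK_INTERESTING_FILE is deprecated; post a TSK_INTERESTING_FILE_HIT artifact instead");
            break;
        default:
            if (replacementFor(a.type) != a.type) problems.push_back("deprecated attribute type; use TSK_SET_NAME");
        }
    }
    if (hasUrl && !hasDomain) problems.push_back("TSK_URL present without the companion TSK_DOMAIN");
    if (hasPath && !hasPathId) problems.push_back("TSK_PATH present without TSK_PATH_ID");
    return problems;
}

// Constructed sample: a consistent web-history attribute set (values are made up).
std::vector<PendingAttribute> sampleWebHistory() {
    const std::string url = "https://User:Pw@Www.Example.org:8443/path?q=1";
    return {
        {TSK_URL, url, 0, 0.0},
        {TSK_DOMAIN, domainFromUrl(url), 0, 0.0},
        {TSK_DATETIME, "", 1356998400LL, 0.0},                       // 2013-01-01T00:00:00Z
        {TSK_PATH, "/img1/vol2/Users/joe/AppData/Local/Chrome/History", 0, 0.0},
        {TSK_PATH_ID, "", -1, 0.0},                                  // file not in the database
    };
}

// Constructed sample with five documented mistakes (bare host as URL, no domain,
// path without TSK_PATH_ID, latitude out of range, deprecated TSK_HASHSET_NAME).
std::vector<PendingAttribute> sampleBrokenAttributes() {
    return {
        {TSK_URL, "www.example.org", 0, 0.0},
        {TSK_PATH, "/img1/vol2/x", 0, 0.0},
        {TSK_GEO_LATITUDE, "", 0, 95.0},
        {TSK_HASHSET_NAME, "constructed-hashset", 0, 0.0},
    };
}

int main() {
    for (const std::string& p : lintAttributes(sampleBrokenAttributes())) std::cout << "problem: " << p << "\n";
    std::cout << "consistent set: " << (lintAttributes(sampleWebHistory()).empty() ? "ok" : "not ok") << "\n";
    return 0;
}
```

The check is deliberately run on the module side, before anything reaches the blackboard, because the page documents these pairings and value types as conventions rather than constraints the blackboard enforces; a reporting module that later joins TSK_URL to TSK_DOMAIN or TSK_PATH to TSK_PATH_ID will silently miss artifacts posted without the companion attribute.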


Copyright © 2011-2013 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.