object |
Trace |
|
|
TSK_ACCOUNT_TYPE |
uco-observable.Account |
uco-observable.Account.accountType |
sms_and_contacts.json |
TSK_ASSOCIATED_ARTIFACT |
uco-core.Relationship |
uco-core.Relationship.target |
accounts.json |
TSK_BANK_NAME |
uco-observable.Account; uco-core.Identity |
uco-observable.Account.accountIssuer; uco-core.Identity.name |
|
TSK_BRAND_NAME |
N/A (Gap)🔴 |
|
|
TSK_CALENDAR_ENTRY_TYPE |
uco-observable.CalendarEntry |
uco-observable.CalendarEntry.eventType ?? |
|
TSK_CARD_DISCRETIONARY |
N/A (Gap)🔴 |
|
|
TSK_CARD_EXPIRATION |
uco-observable.Account |
uco-observable.Account.expirationTime |
|
TSK_CARD_LRC |
N/A (Gap)🔴 |
|
|
TSK_CARD_NUMBER |
uco-observable.Account |
uco-observable.Account.accountIdentifier |
|
TSK_CARD_SCHEME |
N/A (Gap)🔴 |
|
|
TSK_CARD_SERVICE_CODE |
N/A (Gap)🔴 |
|
|
TSK_CARD_TYPE |
N/A (Gap)🔴 |
|
|
TSK_CATEGORY |
More information needed |
|
|
TSK_CITY |
uco-core.SimpleAddress |
uco-core.SimpleAddress.locality |
location.json |
TSK_COMMENT |
uco-core.UcoObject OR uco-core.Annotation |
uco-core.UcoObject.description OR uco-core.Annotation.statement |
|
TSK_COUNT |
N/A (Gap)🔴 |
|
|
TSK_COUNTRY |
uco-core.SimpleAddress |
uco-core.SimpleAddress.country |
location.json |
TSK_DATETIME |
More information needed |
|
|
TSK_DATETIME_ACCESSED |
uco-observable.File |
uco-observable.File.accessedTime |
file.json |
TSK_DATETIME_CREATED |
uco-observable.File |
uco-observable.File.createdTime |
file.json |
TSK_DATETIME_END |
|
endTime |
forensic_lifecycle.json |
TSK_DATETIME_MODIFIED |
uco-observable.File |
uco-observable.File.modifiedTime |
file.json |
TSK_DATETIME_RCVD |
More information needed |
|
|
TSK_DATETIME_SENT |
uco-observable.Message |
uco-observable.Message.sentTime |
|
TSK_DATETIME_START |
|
startTime |
forensic_lifecycle.json |
TSK_DESCRIPTION |
uco-core.UcoObject |
uco-core.UcoObject.description |
exif_data.json |
TSK_DEVICE_ID |
uco-core.UcoObject |
uco-core.UcoObject.id |
device.json |
TSK_DEVICE_MAKE |
uco-observable.Device |
uco-observable.Device.manufacturer |
device.json |
TSK_DEVICE_MODEL |
uco-observable.Device |
uco-observable.Device.model |
device.json |
TSK_DEVICE_NAME |
uco-core.UcoObject |
uco-core.UcoObject.name |
device.json |
TSK_DIRECTION |
More information needed |
|
|
TSK_DOMAIN |
uco-observable.DomainName |
uco-observable.DomainName.value |
device.json |
TSK_EMAIL |
uco-observable.EmailAddress |
uco-observable.EmailAddress.value |
|
TSK_EMAIL_BCC |
uco-observable.EmailMessage |
uco-observable.EmailMessage.bcc |
|
TSK_EMAIL_CC |
uco-observable.EmailMessage |
uco-observable.EmailMessage.cc |
|
TSK_EMAIL_CONTENT_HTML |
uco-observable.EmailMessage |
uco-observable.EmailMessage.body OR uco-observable.EmailMessage.bodyRaw |
|
TSK_EMAIL_CONTENT_PLAIN |
uco-observable.EmailMessage |
uco-observable.EmailMessage.body OR uco-observable.EmailMessage.bodyRaw |
|
TSK_EMAIL_CONTENT_RTF |
uco-observable.EmailMessage |
uco-observable.EmailMessage.body OR uco-observable.EmailMessage.bodyRaw |
|
TSK_EMAIL_FROM |
uco-observable.EmailMessage |
uco-observable.EmailMessage.from |
|
TSK_EMAIL_HOME |
N/A (Gap)🔴 |
|
|
TSK_EMAIL_OFFICE |
N/A (Gap)🔴 |
|
|
TSK_EMAIL_REPLYTO |
uco-observable.EmailMessage |
uco-observable.EmailMessage.inReplyTo |
|
TSK_EMAIL_TO |
uco-observable.EmailMessage |
uco-observable.EmailMessage.to |
|
TSK_ENCRYPTION_DETECTED |
uco-observable.ContentData |
uco-observable.ContentData.isEncrypted |
file.json |
TSK_ENTROPY |
uco-observable.ContentData |
uco-observable.ContentData.entropy |
|
TSK_FILE_TYPE_EXT |
uco-observable.File |
uco-observable.File.extension |
file.json |
TSK_FILE_TYPE_SIG |
uco-observable.ContentData |
uco-observable.ContentData.magicNumber |
file.json |
TSK_FLAG |
Not Applicable to be mapped |
|
|
TSK_GEO_ALTITUDE |
uco-core.Location with uco-core.LatLongCoordinates |
uco-core.LatLongCoordinates.altitude |
|
TSK_GEO_BEARING |
N/A (Gap)🔴 |
|
|
TSK_GEO_HPRECISION |
uco-core.Location with uco-core.GPSCoordinates |
uco-core.GPSCoordinates.hdop |
|
TSK_GEO_LATITUDE |
uco-core.Location with uco-core.LatLongCoordinates |
uco-core.LatLongCoordinates.latitude |
location.json |
TSK_GEO_LATITUDE_END |
N/A (Gap)🔴 |
|
|
TSK_GEO_LATITUDE_START |
N/A (Gap)🔴 |
|
|
TSK_GEO_LONGITUDE |
uco-core.Location with uco-core.LatLongCoordinates |
uco-core.LatLongCoordinates.longitude |
location.json |
TSK_GEO_LONGITUDE_END |
N/A (Gap)🔴 |
|
|
TSK_GEO_LONGITUDE_START |
N/A (Gap)🔴 |
|
|
TSK_GEO_MAPDATUM |
N/A (Gap)🔴 |
|
|
TSK_GEO_VELOCITY |
N/A (Gap)🔴 |
|
|
TSK_GEO_VPRECISION |
uco-core.Location with uco-core.GPSCoordinates |
uco-core.GPSCoordinates.vdop |
|
TSK_HASH_MD5 |
uco-core.Hash |
uco-core.Hash.hashMethod="MD5"; uco-core.Hash.hashValue |
file.json |
TSK_HASH_SHA1 |
uco-core.Hash |
uco-core.Hash.hashMethod="SHA1"; uco-core.Hash.hashValue |
|
TSK_HASH_SHA256 |
uco-core.Hash |
uco-core.Hash.hashMethod="SHA256"; uco-core.Hash.hashValue |
file.json |
TSK_HASH_SHA512 |
uco-core.Hash |
uco-core.Hash.hashMethod="SHA512"; uco-core.Hash.hashValue |
|
TSK_HASHSET_NAME |
More information needed |
|
|
TSK_INTERESTING_FILE |
More information needed |
|
|
TSK_IP_ADDRESS |
uco-observable.IPv4Address |
uco-observable.IPv4Address.value |
device.json |
TSK_ISDELETED |
N/A (Gap)🔴 |
|
|
TSK_KEYWORD |
N/A (Gap)🔴 |
|
|
TSK_KEYWORD_PREVIEW |
More information needed |
|
|
TSK_KEYWORD_REGEXP |
N/A (Gap)🔴 |
|
|
TSK_KEYWORD_SEARCH_DOCUMENT_ID |
Not Applicable to be mapped |
|
|
TSK_KEYWORD_SEARCH_TYPE |
N/A (Gap)🔴 |
|
|
TSK_KEYWORD_SET |
N/A (Gap)🔴 |
|
|
TSK_LOCAL_PATH |
uco-observable.File (for objective location) OR uco-observable.PathRelation (for subjective containment) |
uco-observable.File.filePath OR uco-observable.PathRelation.path |
file.json |
TSK_LOCATION |
uco-core.Location with uco-core.LatLongCoordinates OR uco-core.GPSCoordinates OR uco-core.SimpleAddress |
|
location.json |
TSK_MALWARE_DETECTED |
Not Applicable to be mapped |
|
|
TSK_MESSAGE_TYPE |
uco-observable.Message |
uco-observable.Message.messageType |
|
TSK_MIN_COUNT |
Not Applicable to be mapped |
|
|
TSK_MSG_ID |
uco-observable.Message |
uco-observable.Message.messageID |
|
TSK_MSG_REPLY_ID |
Not Applicable to be mapped |
|
|
TSK_NAME |
uco-core.UcoObject OR uco-core.Identity |
uco-core.UcoObject.name OR uco-core.Identity.name |
|
TSK_NAME_PERSON |
uco-core.Person |
uco-core.Person.name |
|
TSK_ORGANIZATION |
uco-core.Organization |
uco-core.Organization.name |
|
TSK_OWNER |
uco-observable.FilePermissions |
uco-observable.FilePermissions.owner |
|
TSK_PASSWORD |
uco-observable.AccountAuthentication OR uco-observable.EncryptedStream |
uco-observable.AccountAuthentication.password OR uco-observable.EncryptedStream.encryptionKey |
accounts.json |
TSK_PATH |
uco-observable.File (for objective location) OR uco-observable.PathRelation (for subjective containment) |
uco-observable.File.filePath OR uco-observable.PathRelation.path |
|
TSK_PATH_ID |
More information needed |
|
|
TSK_PATH_SOURCE |
N/A (Gap)🔴 |
|
|
TSK_PERMISSIONS |
N/A (Gap)🔴 |
|
|
TSK_PHONE_NUMBER |
uco-observable.PhoneAccount |
uco-observable.PhoneAccount.phoneNumber |
sms_and_contacts.json |
TSK_PHONE_NUMBER_FROM |
uco-observable.PhoneCall OR uco-observable.Message |
uco-observable.PhoneCall.from OR uco-observable.Message.from (references uco-observable.PhoneAccount.phoneNumber) |
sms_and_contacts.json |
TSK_PHONE_NUMBER_HOME |
N/A (Gap)🔴 |
|
|
TSK_PHONE_NUMBER_MOBILE |
N/A (Gap)🔴 |
|
|
TSK_PHONE_NUMBER_OFFICE |
N/A (Gap)🔴 |
|
|
TSK_PHONE_NUMBER_TO |
uco-observable.PhoneCall OR uco-observable.Message |
uco-observable.PhoneCall.to OR uco-observable.Message.to (references uco-observable.PhoneAccount.phoneNumber) |
sms_and_contacts.json |
TSK_PROCESSOR_ARCHITECTURE |
uco-observable.ComputerSpecification |
uco-observable.ComputerSpecification.processorArchitecture |
|
TSK_PRODUCT_ID |
N/A (Gap)🔴 |
|
|
TSK_PROG_NAME |
More information needed |
|
|
TSK_READ_STATUS |
More information needed |
|
|
TSK_REFERRER |
N/A (Gap)🔴 |
|
|
TSK_REMOTE_PATH |
More information needed |
|
|
TSK_SERVER_NAME |
More information needed |
|
|
TSK_SET_NAME |
N/A (Gap)🔴 |
|
|
TSK_SHORTCUT |
N/A (Gap)🔴 |
|
|
TSK_STEG_DETECTED |
??? Action? |
|
|
TSK_SUBJECT |
More information needed |
|
|
TSK_TAG_NAME |
Not Applicable to be mapped |
|
|
TSK_TAGGED_ARTIFACT |
Not Applicable to be mapped |
|
|
TSK_TEMP_DIR |
N/A (Gap)🔴 |
|
|
TSK_TEXT |
N/A (Gap)🔴 |
|
|
TSK_TEXT_FILE |
Not Applicable to be mapped |
|
|
TSK_TEXT_LANGUAGE |
More information needed |
|
|
TSK_TITLE |
N/A (Gap)🔴 |
|
|
TSK_URL |
uco-observable.URL |
uco-observable.URL.fullValue |
|
TSK_URL_DECODED |
More information needed |
|
|
TSK_USER_ID |
uco-observable.Account OR uco-observable.DigitalAccount |
uco-observable.Account.accountIdentifier OR uco-observable.DigitalAccount.accountLogin |
accounts.json |
TSK_USER_NAME |
uco-observable.DigitalAccount |
uco-observable.DigitalAccount.accountLogin |
accounts.json |
TSK_VALUE |
More information needed |
|
|
TSK_VERSION |
More information needed |
|
|