Added new attributes and artfiacts

commit 75936ddc5236e02295702e114e45130782698592 1 parent 8fd8246
@bcarrier bcarrier authored
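--- a/bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java
+++ b/bindings/java/src/org/sleuthkit/datamodel/BlackboardArtifact.java
@@ -51,7 +51,8 @@
 TSK_INSTALLED_PROG(8, "TSK_INSTALLED_PROG", "Installed Programs"),
 TSK_KEYWORD_HIT(9, "TSK_KEYWORD_HIT", "Keyword Hits"),
 TSK_HASHSET_HIT(10, "TSK_HASHSET_HIT", "Hashset Hits"),
-TSK_DEVICE_ATTACHED(11, "TSK_DEVICE_ATTACHED", "Device Attached");
+TSK_DEVICE_ATTACHED(11, "TSK_DEVICE_ATTACHED", "Device Attached"),
+TSK_INTERESTING_FILE_HIT(12, "TSK_INTERESTING_FILE_HIT", "Interesting File");
 /* SEE ABOVE -- KEEP C++ CODE IN SYNC */
 private String label;
 private int typeID;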
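Review bot: The display name `"Interesting File"` on the new TSK_INTERESTING_FILE_HIT constant breaks the plural form its neighbours use (`"Keyword Hits"`, `"Hashset Hits"`, `"Installed Programs"` on the lines above), so the new artifact type will read differently from its siblings wherever the Java labels are listed together. If plural is the Java-side convention, `TSK_INTERESTING_FILE_HIT(12, "TSK_INTERESTING_FILE_HIT", "Interesting Files");` keeps it; the C++ map in TskBlackboard.cpp uses singular labels throughout, so it can stay as it is. The enum declaration starts before this hunk.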
6 bindings/java/src/org/sleuthkit/datamodel/BlackboardAttribute.java
@@ -127,7 +127,11 @@ static public TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE fromType(long type) {
TSK_LAST_ACCESSED(33, "TSK_LAST_ACCESSED", "Last Time Accessed"), // @@@ Review this instead of using DATETIME
TSK_IP_ADDRESS(34, "TSK_IP_ADDRESS", "IP Address"),
TSK_PHONE_NUMBER(35, "TSK_PHONE_NUMBER", "Phone Number"),
- TSK_PATH_ID(36, "TSK_PATH_ID", "Path ID");
+ TSK_PATH_ID(36, "TSK_PATH_ID", "Path ID"),
+ TSK_SET_NAME(37, "TSK_SET_NAME", "Set Name"),
+ TSK_ENCRYPTION_DETECTED(38, "TSK_ENCRYPTION_DETECTED", "Encryption Detected"),
+ TSK_MALWARE_DETECTED(39, "TSK_MALWARE_DETECTED", "Malware Detected"),
+ TSK_STEG_DETECTED(40, "TSK_STEG_DETECTED", "Steganography Detected");
/* SEE ABOVE -- ALSO ADD TO C++ CODE */
private String label;
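Review bot: The display label for TSK_ENCRYPTION_DETECTED is `"Encryption Detected"` here but `"File Encryption Detected"` in the TskBlackboard.cpp map added by the same commit, so the two bindings will show different names for attribute id 38 despite the `SEE ABOVE -- ALSO ADD TO C++ CODE` reminder just below; pick one string and use it in both files. The header in TskBlackboard.h documents all four new attributes as STRING-valued, but nothing on the Java side says so; a trailing `// value type: STRING` comment on each of the four new constants would keep that visible to Java callers without touching behaviour. The enum declaration starts before this hunk.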
7 framework/Services/TskBlackboard.cpp
@@ -23,6 +23,7 @@ map<int, TskArtifactNames> initializeArtifactTypeMap(){
retval.insert(pair<int, TskArtifactNames>(TSK_KEYWORD_HIT, TskArtifactNames("TSK_KEYWORD_HIT", "Keyword Hit")));
retval.insert(pair<int, TskArtifactNames>(TSK_HASHSET_HIT, TskArtifactNames("TSK_HASHSET_HIT", "Hashset Hit")));
retval.insert(pair<int, TskArtifactNames>(TSK_DEVICE_ATTACHED, TskArtifactNames("TSK_DEVICE_ATTACHED", "Device Attached")));
+ retval.insert(pair<int, TskArtifactNames>(TSK_INTERESTING_FILE_HIT, TskArtifactNames("TSK_INTERESTING_FILE_HIT", "Interesting File")));
return retval;
}
@@ -63,6 +64,10 @@ map<int, TskAttributeNames> initializeAttributeTypeMap(){
retval.insert(pair<int, TskAttributeNames>(TSK_IP_ADDRESS, TskAttributeNames("TSK_IP_ADDRESS", "IP Address")));
retval.insert(pair<int, TskAttributeNames>(TSK_PHONE_NUMBER, TskAttributeNames("TSK_PHONE_NUMBER", "Phone Number")));
retval.insert(pair<int, TskAttributeNames>(TSK_PATH_ID, TskAttributeNames("TSK_PATH_ID", "Id of Path")));
+ retval.insert(pair<int, TskAttributeNames>(TSK_SET_NAME, TskAttributeNames("TSK_SET_NAME", "Set Name")));
+ retval.insert(pair<int, TskAttributeNames>(TSK_ENCRYPTION_DETECTED, TskAttributeNames("TSK_ENCRYPTION_DETECTED", "File Encryption Detected")));
+ retval.insert(pair<int, TskAttributeNames>(TSK_MALWARE_DETECTED, TskAttributeNames("TSK_MALWARE_DETECTED", "Malware Detected")));
+ retval.insert(pair<int, TskAttributeNames>(TSK_STEG_DETECTED, TskAttributeNames("TSK_STEG_DETECTED", "Steganography Detected")));
return retval;
}
@@ -151,4 +156,4 @@ map<int, TskArtifactNames> TskBlackboard::getAllArtifactTypes(){
}
map<int, TskAttributeNames> TskBlackboard::getAllAttributeTypes(){
return attribute_type_table;
-}
+}
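--- a/framework/Services/TskBlackboard.h
+++ b/framework/Services/TskBlackboard.h
@@ -57,6 +57,7 @@ typedef enum TSK_ARTIFACT_TYPE {
 TSK_KEYWORD_HIT = 9,///< A keyword hit.
 TSK_HASHSET_HIT = 10, ///< A hit within a known bad / notable hashset / hash database.
 TSK_DEVICE_ATTACHED = 11, ///< An event for a device being attached to the host computer
+TSK_INTERESTING_FILE_HIT = 12, ///< A file that was flagged because it matched some search criteria for being interesting (i.e. because of its name, extension, etc.)
 /* SEE ABOVE:
 * - KEEP JAVA CODE IN SYNC
 * - UPDATE map in TskBlackboard.cpp
@@ -111,6 +112,10 @@ typedef enum TSK_ATTRIBUTE_TYPE {
 TSK_IP_ADDRESS = 34,///<String of IP Address
 TSK_PHONE_NUMBER = 35,///<String of phone number
 TSK_PATH_ID = 36,///< Object ID from database that a TSK_PATH attribute corresponds to. Set to -1 if path is for a file that is not in database (i.e. deleted).
+TSK_SET_NAME = 37,///< STRING: The name of a set that was used to find this artifact (to be used for hash hits, keyword hits, interesting files, etc.)
+TSK_ENCRYPTION_DETECTED = 38,///< STRING: The type of encryption that is believed to have been used on the file.
+TSK_MALWARE_DETECTED = 39,///< STRING: The name of the malware that was detected in this file.
+TSK_STEG_DETECTED = 40,///< STRING: The name of the steganography technique that was detected in this file.
 /* SEE ABOVE:
 * - KEEP JAVA CODE IN SYNC
 * - UPDATE map in TskBlackBoard.cpp too */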
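Review bot: The doc comment on the new TSK_INTERESTING_FILE_HIT enumerator introduces examples ("its name, extension, etc.") with "i.e.", which reads as an exhaustive definition rather than an illustration; `///< A file flagged because it matched some search criteria for being interesting (e.g. its name or extension)` says what is meant. The sync reminder that closes the second hunk names the map file as `TskBlackBoard.cpp`, while the file in this commit is `TskBlackboard.cpp` (the first hunk's reminder spells it correctly); on a case-sensitive filesystem that is a different path, so the two reminders should agree. Both enum declarations start before their hunks.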