Sleuth Kit Java Bindings (JNI)
4.6.0
Java bindings for using The Sleuth Kit
NOTE: This is a work in progress
The Java code and database in Sleuth Kit contain special classes and tables to deal with communications between two parties. This page outlines what a developer should do when they are parsing communications data so that it can be properly displayed and used by other code (such as the Autopsy Communications UI).
First, let's cover the terminology that we use.
An Account is an entity with a type and an identifier that is unique to the type. Common examples of types include:
Accounts are found in forensics when parsing structured data (such as email messages) or keyword searching.
Two accounts have a relationship if they are believed to have communicated in some way. Examples of interactions that cause a relationship are:
When there are multiple people involved with an email message, a relationship is made between each of them. For example, if A sends a message to B and CCs C, then there will be relationships between A <-> B, A <-> C, and B <-> C. Relationships in The Sleuth Kit are not directional.
A relationship source is where we learned about the relationship. This typically comes from Blackboard Artifacts, but may come from generic files in the future.
Now let's cover what you should do when you are parsing some communications data and want to store it in the TSK database. Let's assume we are parsing a smartphone app that has messages.
When you encounter a message, the first thing to do is store information about the accounts. TSK wants to know about each file that contained a reference to the account. You should call org.sleuthkit.datamodel.CommunicationsManager.createAccountFileInstance() for each file in which you encounter a given account.
Behind the scenes, createAccountFileInstance will make an entry in the accounts table for each unique account on a given device and will make an org.sleuthkit.datamodel.BlackboardArtifact for each unique account in a given file.
If you want to create a custom account type, call org.sleuthkit.datamodel.CommunicationsManager.addAccountType().
You also need to make sure that you store the org.sleuthkit.datamodel.BlackboardArtifact that used the accounts. You can do this before or after calling createAccountFileInstance(). The order does not matter.
For a messaging app, you would make org.sleuthkit.datamodel.BlackboardArtifact objects with a type of org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE. That artifact would store various name and value pairs using org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE values.
The final step is to create and store the relationships between the accounts. You can do this via org.sleuthkit.datamodel.CommunicationsManager.addRelationships(). This method will require you to pass in the org.sleuthkit.datamodel.AccountInstance objects that you created and the org.sleuthkit.datamodel.BlackboardArtifact that you created for the message or other source.
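The whole sequence above (account file instances, a TSK_MESSAGE artifact with its attributes, then the relationships) carried out for one SMS-style message, as an added example that is not part of the Sleuth Kit source or its documentation. It assumes the CommunicationsManager signatures createAccountFileInstance(Account.Type, String, String, Content), addAccountType(String, String) and addRelationships(AccountFileInstance, List<AccountFileInstance>, BlackboardArtifact, Relationship.Type, long), and that the account instances are of type AccountFileInstance, which is the class name the bindings use for what this page calls AccountInstance. The class MessageIngest, the module name, the custom account type name and the message field values are made up for the example.

```java
import java.util.Arrays;
import java.util.List;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Account;
import org.sleuthkit.datamodel.AccountFileInstance;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.CommunicationsManager;
import org.sleuthkit.datamodel.Relationship;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskDataException;

/** Hypothetical helper for a parser module that stores messages found in an app database file. */
public final class MessageIngest {

    // Hypothetical module name; TSK records it as the source of every attribute and account instance.
    private static final String MODULE_NAME = "ExampleMessageParser";

    /**
     * Stores one outgoing SMS found in appDbFile and returns the TSK_MESSAGE artifact.
     * fromNumber/toNumber are the phone numbers as parsed from the app; sentTime is epoch seconds.
     */
    public static BlackboardArtifact storeSms(SleuthkitCase skCase, AbstractFile appDbFile,
            String fromNumber, String toNumber, long sentTime, String body)
            throws TskCoreException, TskDataException {
        CommunicationsManager commMgr = skCase.getCommunicationsManager();

        // Step 1: one AccountFileInstance per (account, file) pair. Calling this again for the
        // same number and file is fine; TSK de-duplicates the accounts table entry behind the scenes.
        AccountFileInstance sender = commMgr.createAccountFileInstance(
                Account.Type.PHONE, fromNumber, MODULE_NAME, appDbFile);
        AccountFileInstance recipient = commMgr.createAccountFileInstance(
                Account.Type.PHONE, toNumber, MODULE_NAME, appDbFile);

        // Step 2: the TSK_MESSAGE artifact that used these accounts, with its name/value attributes.
        BlackboardArtifact message = appDbFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE);
        message.addAttributes(Arrays.asList(
                new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE, MODULE_NAME, "SMS"),
                new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION, MODULE_NAME, "Outgoing"),
                new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM, MODULE_NAME, fromNumber),
                new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO, MODULE_NAME, toNumber),
                new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, MODULE_NAME, sentTime),
                new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT, MODULE_NAME, body)));

        // Step 3: the (non-directional) relationship between sender and each recipient, with the
        // message artifact as the relationship source. The recipient list may hold several accounts.
        List<AccountFileInstance> recipients = Arrays.asList(recipient);
        commMgr.addRelationships(sender, recipients, message, Relationship.Type.MESSAGE, sentTime);
        return message;
    }

    /**
     * For an app whose identifiers are neither phone numbers nor e-mail addresses, register a
     * custom account type once and use it in place of Account.Type.PHONE above. Both strings
     * are made-up example values.
     */
    public static Account.Type customAppAccountType(CommunicationsManager commMgr) throws TskCoreException {
        return commMgr.addAccountType("EXAMPLE_CHAT_APP", "Example Chat App");
    }
}
```

Passing a multi-element recipient list to addRelationships is how the pairwise relationships described above (A <-> B, A <-> C, B <-> C for a message with a CC) get stored from a single call; the parser does not enumerate the pairs itself.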
For details of how this is stored in the database, refer to the wiki.
Copyright © 2011-2018 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.