Sleuth Kit Java Bindings (JNI)  4.6
Java bindings for using The Sleuth Kit
The Blackboard

Overview

The blackboard allows modules (in Autopsy or other frameworks) to communicate and store results. A module can post data to the blackboard so that subsequent modules can see its results. It can also query the blackboard to see what previous modules have posted.

Concepts

The blackboard is a collection of artifacts. Each artifact has a type, such as web browser history, EXIF, or GPS track points. The Sleuth Kit has many artifact types already defined (see org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE and the artifact catalog) and you can also create your own.

Each artifact has a set of name-value pairs called attributes. Attributes also have types, such as URL, Created Date, or Device Make. The Sleuth Kit has many attribute types already defined (see org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE) and you can also create your own. See the artifact catalog for a list of artifacts and the attributes that should be associated with each.

When a module wants to store its results in the blackboard, it makes an artifact of the correct type and then adds attributes to it. Other modules can then query the blackboard for artifacts of a given type or artifacts associated with a given file.

There are two special types of artifacts that are used a bit differently than the rest. The first is the org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO artifact. A Content object should have only one artifact of this type and it is used to store single attributes that are not related to each other and that do not need their own artifact. There are special methods to access this artifact to ensure that only a single TSK_GEN_INFO artifact is created per Content object and that you get a cached version of the artifact. These methods will be given in the relevant sections below.

The second special type of artifact is the TSK_ASSOCIATED_OBJECT. All artifacts are created as the child of a file or artifact. This TSK_ASSOCIATED_OBJECT is used to make additional relationships with files and artifacts apart from this parent-child relationship. See the Associated Objects section below.

Accessing the Blackboard

Java modules can access the blackboard from either org.sleuthkit.datamodel.SleuthkitCase or a org.sleuthkit.datamodel.Content object. The methods associated with org.sleuthkit.datamodel.Content all limit the Blackboard to a specific file.

Posting to the Blackboard

The first thing you need to do is create the artifact. All artifacts must be associated with a Content object. You can do this by creating an instance of org.sleuthkit.datamodel.BlackboardArtifact by calling either:

If you want to create an attribute in the TSK_GEN_INFO artifact, use org.sleuthkit.datamodel.Content.getGenInfoArtifact() to ensure that you do not create a second TSK_GEN_INFO artifact for the file and to ensure that you used the cached version (which will be faster for you).

Next, you need to make attributes and add them to the artifact. Attributes are created by making a new instance of org.sleuthkit.datamodel.BlackboardAttribute using one of the various constructors. After you create one with the correct type and value, you add it to the artifact using org.sleuthkit.datamodel.BlackboardArtifact.addAttribute() (or org.sleuthkit.datamodel.BlackboardArtifact.addAttributes() if you have several to add - it’s faster).

Creating Multiple Artifacts or Multiple Attributes

In some cases, it may not be clear if you should post multiple single-attribute artifacts for a file or post a single multiple-attribute artifact. Here are some guidelines:

  • If a single file is associated with multiple items of the same type (e.g., log entries in a log file, bookmarks in a bookmark file, cookies in a cookie database), then each instance should be posted as a separate artifact so that you can differentiate them and keep all related attributes clearly grouped (e.g., it is clear which date goes with which log entry).
  • All attributes in artifacts other than in org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO artifacts should be closely related to each other.

Artifact Helpers

Artifact helpers are a set of classes that make it easier for module developers to create artifacts. These classes provide methods that abstract the details of artifacts and attributes, and provide simpler and more readable API.

The following helpers are available:

  • org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper - provides methods for some creating web browser related artifacts
    • addWebBookmark(): creates TSK_WEB_BOOKMARK artifact for browser bookmarks
    • addWebCookie(): creates TSK_WEB_COOKIE artifact for browser cookies
    • addWebDownload(): creates TSK_WEB_DOWNLOAD artifact for web downloads.
    • addWebFormAddress(): creates TSK_WEB_FORM_ADDRESS artifact for form address data
    • addWebFormAutofill(): creates TSK_WEB_FORM_AUTOFILL artifact for autofill data
    • addWebHistory(): creates TSK_WEB_HISTORY artifact for web history.
  • org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper - provides methods for communication related artifacts: contacts, call logs, messages.
    • addCalllog(): creates TSK_CALLLOG artifact for call logs.
    • addContact() creates TSK_CONTACT artifact for contacts.
    • addMessage() creates a TSK_MESSAGE artifact for messages.
    • addAttachments() adds attachments to a message.

Associated Objects

Artifacts should be created as children of the file that they were derived or parsed from. For example, a TSK_WEB_DOWNLOAD artifact would be a child of the browser's SQLite database that was parsed. This creates a relationship between the source file and the artifact. But, sometimes you also want to make a relationship between the artifact and another file (or artifact). This is where the TSK_ASSOCIATED_OBJECT artifact comes in.

For example, suppose you have a module that parses a SQLite database that has a log of downloaded files. Each entry might contain the URL the file was downloaded from, timestamp information, and the location the file was saved to on disk. This data would be saved in a TSK_WEB_DOWNLOAD artifact that would be a child of the SQLite database. But suppose the downloaded file also exists in our image. It would be helpful to link that file to our TSK_WEB_DOWNLOAD artifact to show when and where it was download from.

We achieve this relationship by creating a TSK_ASSOCIATED_OBJECT artifact on the downloaded file. This artifact stores the ID of the TSK_WEB_DOWNLOAD artifact in TSK_ASSOCIATED_ARTIFACT attribute so we have a direct link from the file to the artifact that shows where it came from.

associated_object.png

Querying the Blackboard

You can find artifacts using a variety of ways:

Custom Artifacts and Attributes

This section outlines how to create artifact and attribute types because the standard ones do not meet your needs. These custom artifacts will be displayed in the Autopsy UI alongside the built in artifacts and will also appear in the reports. However, before you make a custom type, you should consider the TSK_INTERESTING_FILE_HIT artifact. It is very generic and we have used it in the past when we did not want to make a new artifact type. You create the artifact, use the TSK_SET_NAME attribute to define the equivalent name of the custom artifact that you wanted to create, and then add whatever attributes you want.

Making Custom Artifacts and Attributes

org.sleuthkit.datamodel.SleuthkitCase.addBlackboardArtifactType() is used to create a custom artifact. Give it the display and unique name and it will return a org.sleuthkit.datamodel.BlackboardArtifact.Type object with a unique ID. You will need to call this once for each case to create the artifact ID. You can then use this ID to make an artifact of the given type. To check if the artifact type has already been added to the blackboard or to get the ID after it was created, use org.sleuthkit.datamodel.SleuthkitCase.getArtifactType().

To create custom attributes, use org.sleuthkit.datamodel.SleuthkitCase.addArtifactAttributeType() to create the type and get its ID. Like artifacts, you must create the type for each new case. To get a type after it has been created in the case, use org.sleuthkit.datamodel.SleuthkitCase.getAttributeType().


Copyright © 2011-2018 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.