Origin

From truxwiki.com

When Truxton stores a file, it records where the file came from. This is stored in the [OriginID] column of the [File] table in the database.

The meaning of each OriginID value is also kept in the [Origin] database table:

Name                       Value  Meaning
ORIGIN_UNKNOWN             0      We don't know where this file came from.
ORIGIN_NORMAL              1      The file came from the media as an overt file. It was a normal entry in the media's filesystem.
ORIGIN_UNDELETED           2      The file is the result of un-deleting it from the source filesystem.
ORIGIN_CARVED              3      The file is the result of searching a byte stream for a file format (carving).
ORIGIN_EXPANDED            4      The file came out of another file in Truxton. Child files of a Zip archive are ORIGIN_EXPANDED.
ORIGIN_ASSOCIATED          5      The file was uploaded to Truxton by a user and associated with media.
ORIGIN_GENERATED           6      Truxton generated this file during exploitation. Snippet files are an example. Please see the note below about generated files.
ORIGIN_EMAIL_BODY          7      The file is the body of an email parsed by Truxton.
ORIGIN_EMAIL_ATTACHMENT    8      The file is an attachment to an email parsed by Truxton.
ORIGIN_VOLUME_SHADOW_COPY  9      The file came from a Volume Shadow Copy in NTFS.
ORIGIN_MMS_ATTACHMENT      10     The file is the payload of an MMS message.
ORIGIN_STITCHED            11     The file was stitched back together from fragments scattered throughout the media's free space. It is a de-fragmented carved file.
ORIGIN_SLACK               12     The file came from the slack space of a normal file in the filesystem of the media.
ORIGIN_VCARD_ATTACHMENT    13     The file was an attachment to a vCard entry.
ORIGIN_CHAT_MESSAGE        14     The file contains the body of a long chat message.

Generated Files

Files having an origin of ORIGIN_GENERATED are a special case in Truxton exploitation. Generated files are not routed through the ETL layer like other files. For example, the Truxton Geographic Report is a KMZ file; if it were not marked as generated, exploiting it would produce more files, which would be exploited in turn, causing an endless loop. The one exception to this rule is that generated files are still routed to ETLs that registered for Type_All_Files_With_Or_Without_Contents or Type_All_Files_With_Contents.

If your ETL generates files that should only be content indexed and not exploited, mark their origin as ORIGIN_GENERATED. If you need the file to be exploited, mark its origin as ORIGIN_EXPANDED instead.

The following files are generated by Truxton to help analyze seized media:

Expanded vs Generated Files

Expanded files come from other files in the media being exploited and can be routed to other ETL processes. For example, expanding a file archive will produce other files that should be exploited. Generated files, on the other hand, need not come from any file on the media and should not go through the exploitation process. These files include the Media Summary Report, Geographic Report, etc.

Typically, expanded files are produced during Load and Expansion stages while generated files come from the later stages, Summarizing through Finished.

Associated Files

A file associated with a piece of media came from outside the media and outside Truxton's processing. Associated files are not derived from information on the media; they are relevant to the media but came from another source. Samples of associated files are:

  • Photographs of the media
  • Photographs of the area where the media was seized
  • Witness interview transcripts
  • Anything the investigator needs

Associated files are not routed through the ETL layer but they will go through content indexing.
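The routing rules from the Generated Files and Associated Files sections above, encoded as an added example (not Truxton's own code): the Origin values come from the table on this page, but the ETL registry, the ETL names and the "Type_Zip" and "Type_Jpeg" type names are constructed assumptions, and the rule that Type_All_Files_With_Contents only matches files that have contents is read from its name.

```python
from enum import IntEnum

class Origin(IntEnum):
    """Values of the [Origin] table on this page."""
    UNKNOWN = 0
    NORMAL = 1
    UNDELETED = 2
    CARVED = 3
    EXPANDED = 4
    ASSOCIATED = 5
    GENERATED = 6
    EMAIL_BODY = 7
    EMAIL_ATTACHMENT = 8
    VOLUME_SHADOW_COPY = 9
    MMS_ATTACHMENT = 10
    STITCHED = 11
    SLACK = 12
    VCARD_ATTACHMENT = 13
    CHAT_MESSAGE = 14

# Registration names from the page. Treating the "With_Contents" variant as
# matching only files that have contents is an assumption taken from its name.
ALL_FILES = "Type_All_Files_With_Or_Without_Contents"
ALL_FILES_WITH_CONTENTS = "Type_All_Files_With_Contents"

def route(origin, file_type, has_contents, etls):
    """Return the names of the ETLs (dict: name -> set of registered types)
    that should receive a file, following the rules on this page."""
    if origin == Origin.ASSOCIATED:
        return []  # never routed through the ETL layer; content indexing only
    targets = []
    for name, types in etls.items():
        catch_all = ALL_FILES in types or (has_contents and ALL_FILES_WITH_CONTENTS in types)
        if origin == Origin.GENERATED:
            if catch_all:  # generated files reach only catch-all registrations
                targets.append(name)
        elif catch_all or file_type in types:
            targets.append(name)
    return targets

# Constructed ETL registry; the ETL names and "Type_Zip" are hypothetical.
ETLS = {
    "zip_expander": {"Type_Zip"},
    "hasher": {ALL_FILES_WITH_CONTENTS},
    "indexer": {ALL_FILES},
}

if __name__ == "__main__":
    # A generated KMZ report must not loop back into the archive expander.
    print(route(Origin.GENERATED, "Type_Zip", True, ETLS))    # ['hasher', 'indexer']
    print(route(Origin.EXPANDED, "Type_Zip", True, ETLS))     # ['zip_expander', 'hasher', 'indexer']
    print(route(Origin.ASSOCIATED, "Type_Jpeg", True, ETLS))  # []
```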