Origin
When Truxton stores a file, it records where that file came from. This is stored in the OriginID column of the File table in the database. The same information is also kept in the Origin database table.
Name | Value | Meaning |
---|---|---|
ORIGIN_UNKNOWN | 0 | We don't know where this file came from. |
ORIGIN_NORMAL | 1 | The file came from the media as an overt file. It was a normal entry in the media's filesystem. |
ORIGIN_UNDELETED | 2 | The file is the result of un-deleting it from the source filesystem. |
ORIGIN_CARVED | 3 | The file is the result of searching a byte stream for a file format (carving). |
ORIGIN_EXPANDED | 4 | The file came out of another file in Truxton. Child files of a Zip archive are ORIGIN_EXPANDED. |
ORIGIN_ASSOCIATED | 5 | The file was uploaded to Truxton by a user and associated with media. |
ORIGIN_GENERATED | 6 | Truxton generated this file during exploitation. Snippet files are an example. Please see the note below about generated files. |
ORIGIN_EMAIL_BODY | 7 | The file is the body of an email parsed by Truxton. |
ORIGIN_EMAIL_ATTACHMENT | 8 | The file is an attachment to an email parsed by Truxton. |
ORIGIN_VOLUME_SHADOW_COPY | 9 | The file came from a Volume Shadow Copy in NTFS. |
ORIGIN_MMS_ATTACHMENT | 10 | The file is the payload of an MMS message. |
ORIGIN_STITCHED | 11 | The file was stitched back together from fragments scattered throughout the media's free space. It is a de-fragmented carved file. |
ORIGIN_SLACK | 12 | The file came from the slack space of a normal file in the filesystem of the media. |
ORIGIN_VCARD_ATTACHMENT | 13 | The file was an attachment to a vCard entry. |
ORIGIN_CHAT_MESSAGE | 14 | The file contains the body of a long chat message. |
Generated Files
Files having an origin of ORIGIN_GENERATED are a special case in Truxton exploitation. Generated files are not routed through the ETL layer like other files. For example, the Truxton Geographic Report is a KMZ file. If it were not marked as generated, it would be exploited like any other KMZ file and cause an endless loop in exploitation.
The one exception to this routing is that generated files are still routed to ETLs that registered for Type_All_Files_With_Or_Without_Contents or Type_All_Files_With_Contents.
If your ETL generates files that should not be exploited, only content indexed, mark their origin as ORIGIN_GENERATED. Otherwise, if you need the files to be exploited, mark their origin as ORIGIN_EXPANDED.
The following files are generated by Truxton to help analyze seized media:
- Type_File_Details - A JSON file that contains information about a file in Truxton
- Type_RegRipper_Report - The report generated by RegRipper
- Type_Media_Snippet - A Snippet is information in an XML file that is used to generate reports
- Type_USB_Information - Data collected about USB devices in a piece of seized media
- Type_Password_Dump - A pwdump file containing the logon information for the seized media
- Type_Load_Log - The log file for Truxton loads
- Truxton Media Geographic Report - This KMZ file contains all of the geographic data from the seized media.
Expanded vs Generated Files
Expanded files come from other files in the media being exploited and can be routed to other ETL processes. For example, expanding a file archive produces other files that should themselves be exploited. Generated files, on the other hand, do not have to come from anywhere on the media and should not go through the exploitation process. These files include the Media Summary Report, the Geographic Report, etc.
Typically, expanded files are produced during Load and Expansion stages while generated files come from the later stages, Summarizing through Finished.
Associated Files
A file associated with a piece of media came from outside the media and outside Truxton's processing. Associated files are not derived from information that came from the media; they are relevant to the media but came from another source. Examples of associated files are:
- Photographs of the media
- Photographs of the area where the media was seized
- Witness interview transcripts
- Anything the investigator needs
Associated files are not routed through the ETL layer, but they do go through content indexing.
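To make the three routing rules on this page concrete, here is an added Python model (not Truxton's own code) of the origin values and of how a file's origin decides which ETLs receive it: associated files skip the ETL layer, generated files reach only ETLs registered for the two all-files types, and every other origin is routed by file type. It also shows why the Geographic Report must be ORIGIN_GENERATED rather than ORIGIN_EXPANDED. The ETL names and the Type_Kmz registration type are assumed placeholders, not Truxton identifiers.

```python
from collections import deque
from enum import IntEnum

class Origin(IntEnum):  # OriginID values from the Origin table
    UNKNOWN = 0
    NORMAL = 1
    UNDELETED = 2
    CARVED = 3
    EXPANDED = 4
    ASSOCIATED = 5
    GENERATED = 6
    EMAIL_BODY = 7
    EMAIL_ATTACHMENT = 8
    VOLUME_SHADOW_COPY = 9
    MMS_ATTACHMENT = 10
    STITCHED = 11
    SLACK = 12
    VCARD_ATTACHMENT = 13
    CHAT_MESSAGE = 14

# Registration types named on the page; these also receive generated files.
ALL_FILES = {"Type_All_Files_With_Or_Without_Contents", "Type_All_Files_With_Contents"}

def etl_targets(origin, file_type, registrations):
    """Return the ETL names a file is routed to; registrations: {etl: set of types}."""
    if origin == Origin.ASSOCIATED:
        return set()  # associated files never enter the ETL layer
    if origin == Origin.GENERATED:
        return {n for n, t in registrations.items() if t & ALL_FILES}
    return {n for n, t in registrations.items() if file_type in t or t & ALL_FILES}

def simulate(registrations, producers, seed, max_rounds=50):
    """Push (origin, file_type) items through the ETLs; each ETL in producers emits its
    (origin, file_type) per input. Returns files processed before the queue drained."""
    queue, processed = deque(seed), 0
    while queue and processed < max_rounds:  # max_rounds caps a runaway loop
        origin, ftype = queue.popleft()
        processed += 1
        for etl in etl_targets(origin, ftype, registrations):
            if etl in producers:
                queue.append(producers[etl])
    return processed

# Constructed scenario (ETL names and "Type_Kmz" are assumed, not Truxton identifiers):
# a report ETL that consumes KMZ files and emits a KMZ report, plus an all-files indexer.
REGS = {"kmz_report": {"Type_Kmz"}, "indexer": {"Type_All_Files_With_Contents"}}

def rounds_for(report_origin):
    return simulate(REGS, {"kmz_report": (report_origin, "Type_Kmz")},
                    [(Origin.NORMAL, "Type_Kmz")])
```

With the report marked ORIGIN_EXPANDED the queue never drains and only the max_rounds cap stops it; marked ORIGIN_GENERATED it is seen once by the indexer and exploitation finishes.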