Belkasoft X Help Contents

Artifacts

The Artifacts window helps you work with various pieces of forensically important data that Belkasoft automatically extracts from the data sources you added to your case. Examples of an artifact are a chat, a document, an email, a picture, a registry key, a video and so forth.

The window is divided into several parts. On the left you can see the Structure and Overview tabs.

Structure

On the Structure tab you can see where exactly your artifacts are stored: at the top level there is a data source, which may have different artifact type nodes like Audios, Chats, Documents, and so on. Under each subnode you will see the profile name, for example, Telegram profile.

Overview

Unlike Structure, the Overview tab contains all artifacts of the same type under the same node. For example, if you have several data sources and each has several chat applications such as WhatsApp, Skype and Telegram, all these chats will be shown under the Chats node in the Overview while in Structure they all will have different nodes. To summarize, Overview is more lightweight and gives you an easier overview, while Structure gives you more details about artifact origins.

Artifact list

The middle part of the window shows the list of artifacts that you selected in either the Structure or Overview tab. There are various types of views available depending on the selected artifact type. For example, if you have selected a chat, there is a bubble view and a table view. Bubble view mimics what is seen on the device and is easier to share with non-technical people, while table view allows you to fit more information on screen and to select the columns you need.

In the table view you can sort the list by any column. To do so, click on the column header. You can also filter by any column that has the funnel icon. Find more information in the Filtering chapter.

Tools

At the bottom of the middle part you will find Tools.

Tools contain Item text, Hex Viewer and other viewers depending on how the original item is stored. If it was stored in an SQLite database, there will be an SQLite viewer. If it was a registry or Plist item, a corresponding viewer will be shown.

To open a viewer full screen, click on the corresponding icon at the right of the viewer name.

You can hide the Tools pane using icon.

Properties

At the right side of the Artifacts window, there is the Properties pane. Here you can review the properties of the item currently selected in the item list. You can also copy any property or a part of it.

Top part

At the top there is the Report button, the mini-timeline, and the global filter button.

The Report button creates a report for all items checked in the currently shown tab at the left, either Structure or Overview. If you need to create a report for items checked in the item list, right-click there.

The mini-timeline shows you how artifacts are spread over time. You can click inside and select a date range. The product will filter all items and show only those which fall within the selected range. You can adjust the range by dragging its left and right borders. Clear the selection by single-clicking anywhere on the timeline.

At the right of the mini-timeline, there is a global filter icon. Click on it to apply, edit or reset global filters. When a filter is applied, this icon turns orange. Find more information in the Filtering chapter.