ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between revisions of "Fileobject"

From ForensicsWiki
Jump to: navigation, search
m (Created page with ''''fileobject' is an XML Forensics XML tag which is used to describe information about a file. The file object can contain information about: * The file's name * The file's hash…')
 
 
(4 intermediate revisions by one other user not shown)
Line 1: Line 1:
'''fileobject' is an XML Forensics XML tag which is used to describe information about a file.
+
'''fileobject''' is an XML [[Forensics XML]] tag which is used to describe information about a file.
  
 
The file object can contain information about:
 
The file object can contain information about:
Line 7: Line 7:
 
* Embedded metadata
 
* Embedded metadata
 
* Block hashes, a Bloom Filter, or a Similarity Digest for the file.
 
* Block hashes, a Bloom Filter, or a Similarity Digest for the file.
 +
 +
Other objects can be embedded in a '''fileobject''' object:
 +
* The '''byte_runs''' object specifies where the file is located on the disk.
 +
* A '''sector_hash''' object is a list of sector hash codes.
 +
* The sector_hash object could contain a '''nsrl_bloom''' object, which would be a bloom filter that contains all of the sector hashes. 
  
 
==XML Sample==
 
==XML Sample==
Line 34: Line 39:
 
     </fileobject>
 
     </fileobject>
 
</pre>
 
</pre>
[[Category:XML Forensics]]
+
 
 +
{|
 +
|XML Tag
 +
|Meaning
 +
|
 +
|-
 +
|<fileobject>
 +
|Every file is inside a <fileobject>
 +
|-
 +
|<orphan>YES</orphan>
 +
|YES means that the file is an ""orphan,"" with no file name.
 +
|-
 +
|<filesize>3210</filesize>
 +
|The file size in bytes.
 +
|-
 +
|<unalloc>1</unalloc>
 +
|A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
 +
|-
 +
|<used>1</used>
 +
|Not sure what this means.
 +
|-
 +
|<mtime>1114172320</mtime>
 +
|The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970 UTC).
 +
|-
 +
|<ctime>1195819392</ctime>
 +
|The file's inode's creation time, as a Unix timestamp.
 +
|-
 +
|<atime>1195794000</atime>
 +
|The file's access time, as a unix timestamp.
 +
|-
 +
|<byte_runs>121130496:3210</byte_runs>
 +
|The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
 +
|-
 +
|<fragments>1</fragments>
 +
|The number of fragments in the file.
 +
|-
 +
|<hashdigest type='md5'>c27c0730b858bc60c8894300a98bba55</hashdigest>
 +
|The file's MD5, as a hexadecimal hash. 
 +
|-
 +
|<hashdigest type='sha1'>0277680d624e609f23aec9e4265c2d7d24bd3824</hashdigest>
 +
|The file's SHA1, as a hexadecimal hash.
 +
|-
 +
|<partition>1</partition>
 +
|The partition number in which the file was found.
 +
|}
 +
 
 +
 
 +
[[Category:Digital Forensics XML]]

Latest revision as of 21:37, 21 April 2010

fileobject is an XML Forensics XML tag which is used to describe information about a file.

The file object can contain information about:

  • The file's name
  • The file's hash code(s)
  • The file's location on the disk.
  • Embedded metadata
  • Block hashes, a Bloom Filter, or a Similarity Digest for the file.

Other objects can be embedded in a fileobject object:

  • The byte_runs object specifies where the file is located on the disk.
  • A sector_hash object is a list of sector hash codes.
  • The sector_hash object could contain a nsrl_bloom object, which would be a bloom filter that contains all of the sector hashes.

XML Sample


    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
XML Tag Meaning
<fileobject> Every file is inside a <fileobject>
<orphan>YES</orphan> YES means that the file is an ""orphan,"" with no file name.
<filesize>3210</filesize> The file size in bytes.
<unalloc>1</unalloc> A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
<used>1</used> Not sure what this means.
<mtime>1114172320</mtime> The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970 UTC).
<ctime>1195819392</ctime> The file's inode's creation time, as a Unix timestamp.
<atime>1195794000</atime> The file's access time, as a unix timestamp.
<byte_runs>121130496:3210</byte_runs> The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
<fragments>1</fragments> The number of fragments in the file.
<hashdigest type='md5'>c27c0730b858bc60c8894300a98bba55</hashdigest> The file's MD5, as a hexadecimal hash.
<hashdigest type='sha1'>0277680d624e609f23aec9e4265c2d7d24bd3824</hashdigest> The file's SHA1, as a hexadecimal hash.
<partition>1</partition> The partition number in which the file was found.