ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.
fileobject is an XML Forensics XML tag which is used to describe information about a file.
The file object can contain information about:
- The file's name
- The file's hash code(s)
- The file's location on the disk.
- Embedded metadata
- Block hashes, a Bloom Filter, or a Similarity Digest for the file.
Other objects can be embedded in a fileobject object:
- The byte_runs object specifies where the file is located on the disk.
- A sector_hash object is a list of sector hash codes.
- The sector_hash object could contain a nsrl_bloom object, which would be a bloom filter that contains all of the sector hashes.
<fileobject> <filename>README.txt</filename> <id>2</id> <filesize>43</filesize> <partition>1</partition> <alloc>1</alloc> <used>1</used> <inode>6</inode> <type>1</type> <mode>511</mode> <nlink>1</nlink> <uid>0</uid> <gid>0</gid> <mtime>1258916904</mtime> <atime>1258876800</atime> <crtime>1258916900</crtime> <byte_runs> <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/> </byte_runs> <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest> <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest> </fileobject>
|<fileobject>||Every file is inside a <fileobject>|
|<orphan>YES</orphan>||YES means that the file is an ""orphan,"" with no file name.|
|<filesize>3210</filesize>||The file size in bytes.|
|<unalloc>1</unalloc>||A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.|
|<used>1</used>||Not sure what this means.|
|<mtime>1114172320</mtime>||The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970 UTC).|
|<ctime>1195819392</ctime>||The file's inode's creation time, as a Unix timestamp.|
|<atime>1195794000</atime>||The file's access time, as a unix timestamp.|
|<byte_runs>121130496:3210</byte_runs>||The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.|
|<fragments>1</fragments>||The number of fragments in the file.|
|<hashdigest type='md5'>c27c0730b858bc60c8894300a98bba55</hashdigest>||The file's MD5, as a hexadecimal hash.|
|<hashdigest type='sha1'>0277680d624e609f23aec9e4265c2d7d24bd3824</hashdigest>||The file's SHA1, as a hexadecimal hash.|
|<partition>1</partition>||The partition number in which the file was found.|