Category:Digital Forensics XML

Digital Forensics XML (DFXML) is an effort to create an XML schema that allows easy interoperability between different forensic tools.

Today there is no Digital Forensics XML standard and there is no fixed schema. Instead, we are slowly creating a set of tools that can produce or ingest XML with a common set of tags. It would be nice to have a more aggressive effort, but to date there has not been sufficient funding.

Given this state of affairs, our current strategy is to:

  • Develop a set of standardized tags and data representations for current XML tools.
  • Modify our tools to produce XML similar to the sample XML.
  • Develop a DTD and schema to allow XML validation.

XML Forensics Tools and Toolkits

  • The Python module implements objects for reading and writing DFXML.
  • The fiwalk C++ program produces DFXML describing the files in a disk image, using SleuthKit.
  • The frag_find hash-based carving tool produces a DFXML file indicating where items are found.
  • We are creating a DFXML strategy for distributing hash sets.
