Difference between revisions of "Digital Forensics XML Schema"

(Created page with 'Forensics XML, or Digital Forensics XML, is an XML format designed to help standardize output/logging for a variety of digital forensics tools. The format and schema originated w…')
 
(Schema)
Line 5: Line 5:
  
 
=Schema=
 
=Schema=
The [[Media:Forensics XML schema]] is available for download. The schema is somewhat in flux, in that new elements will be added as necessary. However, the basic structure is unlikely to change.
+
The schema is somewhat in flux, in that new elements will be added as necessary. However, the basic structure is unlikely to change.
 +
 
 +
<pre>
 +
 
 +
<!-- edited with XMLSpy v2006 sp2 U (http://www.altova.com) by ITACS (Naval Postgraduate School) -->
 +
<xs:schema xmlns="http://afflib.org/fiwalk/fileobject/" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://afflib.org/fiwalk/fileobject/" elementFormDefault="qualified" attributeFormDefault="unqualified">
 +
<xs:element name="fileobject">
 +
<xs:annotation>
 +
<xs:documentation>fileobject is the key file element for the standard digital forensic XML</xs:documentation>
 +
</xs:annotation>
 +
<xs:complexType>
 +
<xs:sequence>
 +
<xs:element name="filename" type="xs:string" minOccurs="0"/>
 +
<xs:element name="id" type="xs:string" minOccurs="0"/>
 +
<xs:element name="filesize" type="xs:positiveInteger" minOccurs="0"/>
 +
<xs:element name="partition" type="xs:nonNegativeInteger" minOccurs="0"/>
 +
<xs:element name="alloc" type="xs:nonNegativeInteger" minOccurs="0"/>
 +
<xs:element name="used" type="xs:nonNegativeInteger" minOccurs="0"/>
 +
<xs:element name="inode" type="xs:nonNegativeInteger" minOccurs="0"/>
 +
<xs:element name="type" type="xs:nonNegativeInteger" minOccurs="0"/>
 +
<xs:element name="mode" type="xs:nonNegativeInteger" minOccurs="0"/>
 +
<xs:element name="nlink" type="xs:nonNegativeInteger" minOccurs="0"/>
 +
<xs:element name="uid" type="xs:nonNegativeInteger" minOccurs="0"/>
 +
<xs:element name="gid" type="xs:nonNegativeInteger" minOccurs="0"/>
 +
<xs:element name="mtime" type="xs:long" minOccurs="0"/>
 +
<xs:element name="atime" type="xs:long" minOccurs="0"/>
 +
<xs:element name="crtime" type="xs:long" minOccurs="0"/>
 +
<xs:element name="seq" type="xs:nonNegativeInteger" minOccurs="0"/>
 +
<xs:element ref="byte_runs" minOccurs="0"/>
 +
<xs:element ref="hashdigest" minOccurs="0" maxOccurs="unbounded"/>
 +
<xs:element name="libmagic" type="xs:string" minOccurs="0"/>
 +
</xs:sequence>
 +
</xs:complexType>
 +
</xs:element>
 +
<xs:element name="byte_runs">
 +
<xs:complexType>
 +
<xs:sequence>
 +
<xs:element ref="run" minOccurs="0" maxOccurs="unbounded"/>
 +
</xs:sequence>
 +
</xs:complexType>
 +
</xs:element>
 +
<xs:element name="run">
 +
<xs:complexType>
 +
<xs:attribute name="fs_offset" type="xs:nonNegativeInteger"/>
 +
<xs:attribute name="file_offset" type="xs:nonNegativeInteger"/>
 +
<xs:attribute name="img_offset" type="xs:nonNegativeInteger"/>
 +
<xs:attribute name="len" type="xs:nonNegativeInteger"/>
 +
</xs:complexType>
 +
</xs:element>
 +
<xs:element name="hashdigest">
 +
<xs:complexType>
 +
<xs:simpleContent>
 +
<xs:extension base="xs:string">
 +
<xs:attribute name="type" type="xs:string"/>
 +
</xs:extension>
 +
</xs:simpleContent>
 +
</xs:complexType>
 +
</xs:element>
 +
<xs:element name="volume"/>
 +
<xs:element name="fiwalk">
 +
<xs:complexType>
 +
<xs:sequence>
 +
<xs:element name="creator">
 +
<xs:complexType>
 +
<xs:sequence>
 +
<xs:element name="program" type="xs:string"/>
 +
<xs:element name="version" type="xs:string"/>
 +
<xs:element name="build_environment">
 +
<xs:complexType>
 +
<xs:sequence>
 +
<xs:element name="compiler"/>
 +
</xs:sequence>
 +
</xs:complexType>
 +
</xs:element>
 +
</xs:sequence>
 +
</xs:complexType>
 +
</xs:element>
 +
</xs:sequence>
 +
<xs:attribute name="xmloutputversion" type="xs:string" use="optional"/>
 +
</xs:complexType>
 +
</xs:element>
 +
</xs:schema>
 +
 
 +
<pre>
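Review bot: `filesize` is declared as `xs:positiveInteger` in the added schema, so a zero-length file (filesize 0) fails validation even though empty files are routine in a forensic image; `<xs:element name="filesize" type="xs:nonNegativeInteger" minOccurs="0"/>` would match the other size-like fields. The added `volume` and `compiler` declarations carry no type, which in XSD means `xs:anyType`, so any content validates there and a validating consumer gets no guarantee about those parts of a document. `hashdigest` has neither an enumeration on its `type` attribute nor a pattern on its value, so a mis-labelled or non-hex digest still validates; anything that relies on schema validation before trusting a digest should check the value itself. The closing wiki tag on the last added line is `<pre>` rather than `</pre>`, which leaves the block unclosed in the rendered page.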

Revision as of 16:49, 21 April 2010

Forensics XML, or Digital Forensics XML, is an XML format designed to help standardize output/logging for a variety of digital forensics tools. The format and schema originated with fiwalk, but is being adopted by other tools.

Background

Simson Garfinkel has developed a series of tools designed to generate and analyze forensic data, and is using this XML format to produce analysis-ready output[[1]].

Schema

The schema is somewhat in flux, in that new elements will be added as necessary. However, the basic structure is unlikely to change.


<!-- edited with XMLSpy v2006 sp2 U (http://www.altova.com) by ITACS (Naval Postgraduate School) -->
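<!--
  Digital Forensics XML (fiwalk) schema.
  Every element lives in the target namespace (elementFormDefault="qualified");
  attributes are unqualified (attributeFormDefault="unqualified"), so instance
  attributes carry no prefix.
-->
<xs:schema xmlns="http://afflib.org/fiwalk/fileobject/" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://afflib.org/fiwalk/fileobject/" elementFormDefault="qualified" attributeFormDefault="unqualified">
	<!-- fileobject: one record per file. Every child is optional (minOccurs="0"),
	     but because the content model is an xs:sequence the children that are
	     present must appear in the order declared below. -->
	<xs:element name="fileobject">
		<xs:annotation>
			<xs:documentation>fileobject is the key file element for the standard digital forensic XML</xs:documentation>
		</xs:annotation>
		<xs:complexType>
			<xs:sequence>
				<xs:element name="filename" type="xs:string" minOccurs="0"/>
				<xs:element name="id" type="xs:string" minOccurs="0"/>
				<!-- xs:nonNegativeInteger rather than xs:positiveInteger: a zero-length
				     file has filesize 0, which positiveInteger would reject. -->
				<xs:element name="filesize" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="partition" type="xs:nonNegativeInteger" minOccurs="0"/>
				<!-- alloc and used: their meaning is not stated in the schema; presumably
				     allocation status indicators. NOTE(review): confirm against fiwalk output. -->
				<xs:element name="alloc" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="used" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="inode" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="type" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="mode" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="nlink" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="uid" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="gid" type="xs:nonNegativeInteger" minOccurs="0"/>
				<!-- Timestamps are plain xs:long; the schema does not say which epoch or
				     unit they use. NOTE(review): confirm with the producing tool. -->
				<xs:element name="mtime" type="xs:long" minOccurs="0"/>
				<xs:element name="atime" type="xs:long" minOccurs="0"/>
				<xs:element name="crtime" type="xs:long" minOccurs="0"/>
				<xs:element name="seq" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element ref="byte_runs" minOccurs="0"/>
				<!-- Any number of digests, each labelled by its type attribute. -->
				<xs:element ref="hashdigest" minOccurs="0" maxOccurs="unbounded"/>
				<xs:element name="libmagic" type="xs:string" minOccurs="0"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<!-- byte_runs: a list of zero or more run elements. -->
	<xs:element name="byte_runs">
		<xs:complexType>
			<xs:sequence>
				<xs:element ref="run" minOccurs="0" maxOccurs="unbounded"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<!-- run: an empty element carrying four offset/length attributes. None of them
	     is marked use="required", so each attribute is optional. -->
	<xs:element name="run">
		<xs:complexType>
			<xs:attribute name="fs_offset" type="xs:nonNegativeInteger"/>
			<xs:attribute name="file_offset" type="xs:nonNegativeInteger"/>
			<xs:attribute name="img_offset" type="xs:nonNegativeInteger"/>
			<xs:attribute name="len" type="xs:nonNegativeInteger"/>
		</xs:complexType>
	</xs:element>
	<!-- hashdigest: string content with an optional type attribute. Neither the
	     type nor the value is restricted by an enumeration or pattern, so schema
	     validation alone does not establish that the content is a well-formed digest. -->
	<xs:element name="hashdigest">
		<xs:complexType>
			<xs:simpleContent>
				<xs:extension base="xs:string">
					<xs:attribute name="type" type="xs:string"/>
				</xs:extension>
			</xs:simpleContent>
		</xs:complexType>
	</xs:element>
	<!-- volume: declared without a type, i.e. xs:anyType; any content validates here. -->
	<xs:element name="volume"/>
	<!-- fiwalk: describes the producing program. creator and its program, version
	     and build_environment children are required (default minOccurs="1").
	     compiler is untyped (xs:anyType). xmloutputversion is an optional attribute. -->
	<xs:element name="fiwalk">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="creator">
					<xs:complexType>
						<xs:sequence>
							<xs:element name="program" type="xs:string"/>
							<xs:element name="version" type="xs:string"/>
							<xs:element name="build_environment">
								<xs:complexType>
									<xs:sequence>
										<xs:element name="compiler"/>
									</xs:sequence>
								</xs:complexType>
							</xs:element>
						</xs:sequence>
					</xs:complexType>
				</xs:element>
			</xs:sequence>
			<xs:attribute name="xmloutputversion" type="xs:string" use="optional"/>
		</xs:complexType>
	</xs:element>
</xs:schema>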

</pre>