Difference between pages "Compiling Open Source Forensic Tools with MinGW" and "Digital Forensics XML Schema"

From ForensicsWiki
=Compiling Open Source Forensic Tools with MinGW=

Many open source computer forensic tools can be cross-compiled with MinGW. This lets you build Windows executables directly on a Macintosh or Linux machine without using the Microsoft VC++ environment.
==Installing MinGW==

;On a Mac using MacPorts:

<pre>
$ sudo port selfupdate
$ sudo port install i386-mingw32-binutils i386-mingw32-gcc
$ sudo port install i386-mingw32-libunicows i386-mingw32-runtime
$ sudo port install i386-mingw32-w32api
</pre>

''note: If the build stops with the error message 'warnings treated as errors', find the Makefile where -Werror is defined and remove that flag.''

=Digital Forensics XML Schema=

Revision as of 01:26, 22 April 2010

Forensics XML, or Digital Forensics XML, is an XML format designed to help standardize output/logging for a variety of digital forensics tools. The format and schema originated with fiwalk, but is being adopted by other tools.

==Background==

Simson Garfinkel has developed a series of tools designed to generate and analyze forensic data, and is using this XML format to produce analysis-ready output [http://www.simson.net/xml_forensics.pdf].

==Schema==

The schema is somewhat in flux, in that new elements will be added as necessary. However, the basic structure is unlikely to change.


<pre>
<!-- edited with XMLSpy v2006 sp2 U (http://www.altova.com) by ITACS (Naval Postgraduate School) -->
<xs:schema xmlns="http://afflib.org/fiwalk/fileobject/" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://afflib.org/fiwalk/fileobject/" elementFormDefault="qualified" attributeFormDefault="unqualified">
	<xs:element name="fileobject">
		<xs:annotation>
			<xs:documentation>fileobject is the key file element for the standard digital forensic XML</xs:documentation>
		</xs:annotation>
		<xs:complexType>
			<xs:sequence>
				<xs:element name="filename" type="xs:string" minOccurs="0"/>
				<xs:element name="id" type="xs:string" minOccurs="0"/>
				<xs:element name="filesize" type="xs:positiveInteger" minOccurs="0"/>
				<xs:element name="partition" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="alloc" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="used" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="inode" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="type" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="mode" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="nlink" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="uid" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="gid" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="mtime" type="xs:long" minOccurs="0"/>
				<xs:element name="atime" type="xs:long" minOccurs="0"/>
				<xs:element name="crtime" type="xs:long" minOccurs="0"/>
				<xs:element name="seq" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element ref="byte_runs" minOccurs="0"/>
				<xs:element ref="hashdigest" minOccurs="0" maxOccurs="unbounded"/>
				<xs:element name="libmagic" type="xs:string" minOccurs="0"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<xs:element name="byte_runs">
		<xs:complexType>
			<xs:sequence>
				<xs:element ref="run" minOccurs="0" maxOccurs="unbounded"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<xs:element name="run">
		<xs:complexType>
			<xs:attribute name="fs_offset" type="xs:nonNegativeInteger"/>
			<xs:attribute name="file_offset" type="xs:nonNegativeInteger"/>
			<xs:attribute name="img_offset" type="xs:nonNegativeInteger"/>
			<xs:attribute name="len" type="xs:nonNegativeInteger"/>
		</xs:complexType>
	</xs:element>
	<xs:element name="hashdigest">
		<xs:complexType>
			<xs:simpleContent>
				<xs:extension base="xs:string">
					<xs:attribute name="type" type="xs:string"/>
				</xs:extension>
			</xs:simpleContent>
		</xs:complexType>
	</xs:element>
	<xs:element name="volume"/>
	<xs:element name="fiwalk">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="creator">
					<xs:complexType>
						<xs:sequence>
							<xs:element name="program" type="xs:string"/>
							<xs:element name="version" type="xs:string"/>
							<xs:element name="build_environment">
								<xs:complexType>
									<xs:sequence>
										<xs:element name="compiler"/>
									</xs:sequence>
								</xs:complexType>
							</xs:element>
						</xs:sequence>
					</xs:complexType>
				</xs:element>
			</xs:sequence>
			<xs:attribute name="xmloutputversion" type="xs:string" use="optional"/>
		</xs:complexType>
	</xs:element>
</xs:schema>
</pre>
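As an added example (not code from this page or from fiwalk), the Python below reads fileobject records in the schema's namespace, reassembles each file's content from its byte_runs (img_offset/len) out of a constructed stand-in image, and re-hashes it against every hashdigest; the volume/fileobject nesting, the sample image and the sample records are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = "{http://afflib.org/fiwalk/fileobject/}"  # targetNamespace from the schema above

# Constructed stand-in for a disk image: one file's bytes sit in two separate runs.
CONTENT = b"DFXML byte-run check: " + b"A" * 42 + b"B" * 22   # 86 bytes
IMAGE = bytearray(1024)
IMAGE[512:576] = CONTENT[:64]                                  # run 1: img_offset=512, len=64
IMAGE[800:822] = CONTENT[64:]                                  # run 2: img_offset=800, len=22
GOOD_MD5 = hashlib.md5(CONTENT).hexdigest()

# Constructed DFXML in the schema's namespace; placing fileobject under volume is an
# assumption, since the schema leaves <volume> untyped. The second record's digest is bogus.
DFXML = f"""<volume xmlns="http://afflib.org/fiwalk/fileobject/">
  <fileobject><filename>notes.txt</filename><filesize>86</filesize><alloc>1</alloc>
    <byte_runs><run file_offset="0" img_offset="512" len="64"/>
               <run file_offset="64" img_offset="800" len="22"/></byte_runs>
    <hashdigest type="md5">{GOOD_MD5}</hashdigest></fileobject>
  <fileobject><filename>tampered.txt</filename><filesize>64</filesize><alloc>1</alloc>
    <byte_runs><run file_offset="0" img_offset="512" len="64"/></byte_runs>
    <hashdigest type="md5">{'0' * 32}</hashdigest></fileobject>
</volume>"""

def read_runs(fobj, image):
    """Reassemble a fileobject's content from its <byte_runs>, in file_offset order."""
    runs = fobj.findall(f"{NS}byte_runs/{NS}run")
    runs.sort(key=lambda r: int(r.get("file_offset", "0")))
    data = b"".join(
        bytes(image[int(r.get("img_offset")):int(r.get("img_offset")) + int(r.get("len"))])
        for r in runs)
    size = fobj.findtext(f"{NS}filesize")
    if size is not None and len(data) != int(size):   # runs must cover exactly filesize bytes
        raise ValueError(f"byte_runs cover {len(data)} bytes but filesize is {size}")
    return data

def verify_hashes(dfxml_text, image):
    """Map filename -> True/False by re-hashing each fileobject's runs against its digests."""
    results = {}
    for fobj in ET.fromstring(dfxml_text).iter(f"{NS}fileobject"):
        name = fobj.findtext(f"{NS}filename")
        data = read_runs(fobj, image)
        ok = True
        for hd in fobj.findall(f"{NS}hashdigest"):
            algo = (hd.get("type") or "").lower()   # schema: the 'type' attribute names the algorithm
            if algo not in hashlib.algorithms_available:
                raise ValueError(f"{name}: unsupported hashdigest type {algo!r}")
            ok = ok and hashlib.new(algo, data).hexdigest() == (hd.text or "").strip().lower()
        results[name] = ok
    return results
```

Running `verify_hashes(DFXML, IMAGE)` reports the first record as intact and the second as a digest mismatch, and a filesize that disagrees with the byte runs raises rather than silently hashing a truncated file.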