Difference between pages "Compiling Open Source Forensic Tools with MinGW" and "Digital Forensics XML Schema"

From ForensicsWiki
Many open source computer forensic tools can be cross-compiled with MinGW. This allows you to create Windows executables directly from a Macintosh or Linux machine without using the Microsoft VC++ environment.
  
==Installing MinGW==

;On a Mac using MacPorts:

<pre>
$ sudo port selfupdate
$ sudo port install i386-mingw32-binutils i386-mingw32-gcc
$ sudo port install i386-mingw32-libunicows i386-mingw32-runtime
$ sudo port install i386-mingw32-w32api
</pre>

''Note: if you get the error message 'warnings treated as errors', find the Makefile where -Werror is defined and remove it.''

Revision as of 21:26, 21 April 2010

Forensics XML, or Digital Forensics XML, is an XML format designed to help standardize output/logging for a variety of digital forensics tools. The format and schema originated with fiwalk, but is being adopted by other tools.

=Background=

Simson Garfinkel has developed a series of tools designed to generate and analyze forensic data, and is using this XML format to produce analysis-ready output [http://www.simson.net/xml_forensics.pdf].

=Schema=

The schema is somewhat in flux, in that new elements will be added as necessary. However, the basic structure is unlikely to change.


<!-- edited with XMLSpy v2006 sp2 U (http://www.altova.com) by ITACS (Naval Postgraduate School) -->
<xs:schema xmlns="http://afflib.org/fiwalk/fileobject/" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://afflib.org/fiwalk/fileobject/" elementFormDefault="qualified" attributeFormDefault="unqualified">
	<xs:element name="fileobject">
		<xs:annotation>
			<xs:documentation>fileobject is the key file element for the standard digital forensic XML</xs:documentation>
		</xs:annotation>
		<xs:complexType>
			<xs:sequence>
				<xs:element name="filename" type="xs:string" minOccurs="0"/>
				<xs:element name="id" type="xs:string" minOccurs="0"/>
				<xs:element name="filesize" type="xs:positiveInteger" minOccurs="0"/>
				<xs:element name="partition" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="alloc" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="used" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="inode" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="type" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="mode" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="nlink" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="uid" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="gid" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element name="mtime" type="xs:long" minOccurs="0"/>
				<xs:element name="atime" type="xs:long" minOccurs="0"/>
				<xs:element name="crtime" type="xs:long" minOccurs="0"/>
				<xs:element name="seq" type="xs:nonNegativeInteger" minOccurs="0"/>
				<xs:element ref="byte_runs" minOccurs="0"/>
				<xs:element ref="hashdigest" minOccurs="0" maxOccurs="unbounded"/>
				<xs:element name="libmagic" type="xs:string" minOccurs="0"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<xs:element name="byte_runs">
		<xs:complexType>
			<xs:sequence>
				<xs:element ref="run" minOccurs="0" maxOccurs="unbounded"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<xs:element name="run">
		<xs:complexType>
			<xs:attribute name="fs_offset" type="xs:nonNegativeInteger"/>
			<xs:attribute name="file_offset" type="xs:nonNegativeInteger"/>
			<xs:attribute name="img_offset" type="xs:nonNegativeInteger"/>
			<xs:attribute name="len" type="xs:nonNegativeInteger"/>
		</xs:complexType>
	</xs:element>
	<xs:element name="hashdigest">
		<xs:complexType>
			<xs:simpleContent>
				<xs:extension base="xs:string">
					<xs:attribute name="type" type="xs:string"/>
				</xs:extension>
			</xs:simpleContent>
		</xs:complexType>
	</xs:element>
	<xs:element name="volume"/>
	<xs:element name="fiwalk">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="creator">
					<xs:complexType>
						<xs:sequence>
							<xs:element name="program" type="xs:string"/>
							<xs:element name="version" type="xs:string"/>
							<xs:element name="build_environment">
								<xs:complexType>
									<xs:sequence>
										<xs:element name="compiler"/>
									</xs:sequence>
								</xs:complexType>
							</xs:element>
						</xs:sequence>
					</xs:complexType>
				</xs:element>
			</xs:sequence>
			<xs:attribute name="xmloutputversion" type="xs:string" use="optional"/>
		</xs:complexType>
	</xs:element>
</xs:schema>

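As an added example (not part of this wiki page or of fiwalk), the following Python reads a fileobject written against the schema above, reassembles the file from its byte_runs over a constructed disk image, and recomputes every recorded hashdigest so the recorded value can be checked against the carved bytes. The element and attribute names come from the schema; the image contents, the filename and the offsets are assumed sample data.

```python
import hashlib
import xml.etree.ElementTree as ET

DFXML_NS = "http://afflib.org/fiwalk/fileobject/"  # targetNamespace of the schema above
NS = {"fo": DFXML_NS}

# Constructed disk image (not real evidence): a 3-byte file stored as two
# non-contiguous byte runs ("a" at image offset 8, "bc" at image offset 40).
IMAGE = bytes(8) + b"a" + bytes(31) + b"bc" + bytes(22)

# Constructed fileobject for that file; the digests are the published MD5/SHA-1 test vectors for "abc".
DFXML_DOC = f"""<fileobject xmlns="{DFXML_NS}">
  <filename>abc.txt</filename>
  <filesize>3</filesize>
  <byte_runs>
    <run file_offset="0" img_offset="8" len="1"/>
    <run file_offset="1" img_offset="40" len="2"/>
  </byte_runs>
  <hashdigest type="md5">900150983cd24fb0d6963f7d28e17f72</hashdigest>
  <hashdigest type="sha1">a9993e364706816aba3e25717850c26c9cd0d89d</hashdigest>
</fileobject>"""

def parse_fileobject(text: str) -> ET.Element:
    """Parse a document rooted at the schema's global <fileobject> element."""
    root = ET.fromstring(text)
    if root.tag != f"{{{DFXML_NS}}}fileobject":
        raise ValueError(f"unexpected root element {root.tag}")
    return root

def carve_fileobject(fileobject: ET.Element, image: bytes) -> bytes:
    """Rebuild the file from <byte_runs>: each <run> copies len bytes at img_offset
    into the file at file_offset. Uncovered bytes stay zero (sparse regions)."""
    filesize = int(fileobject.findtext("fo:filesize", namespaces=NS))
    out = bytearray(filesize)
    for run in fileobject.iterfind("fo:byte_runs/fo:run", NS):
        file_off, img_off, length = (int(run.get(a)) for a in ("file_offset", "img_offset", "len"))
        if file_off + length > filesize or img_off + length > len(image):
            raise ValueError("byte run extends past the file or the image")
        out[file_off:file_off + length] = image[img_off:img_off + length]
    return bytes(out)

def verify_hashdigests(fileobject: ET.Element, image: bytes) -> dict:
    """Recompute each <hashdigest type="..."> over the carved bytes; returns {type: matches}."""
    data = carve_fileobject(fileobject, image)
    results = {}
    for hd in fileobject.iterfind("fo:hashdigest", NS):
        algo = hd.get("type")  # the type values used here are hashlib algorithm names (md5, sha1)
        results[algo] = hashlib.new(algo, data).hexdigest() == (hd.text or "").strip().lower()
    return results
```

A mismatch for every algorithm, as in the tampered-image case, points at the image region the run describes rather than at the record, since one carved byte feeds all digests.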