Difference between revisions of "Digital Forensics XML Schema"

 
(10 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Forensics XML, or Digital Forensics XML, is an XML format designed to help standardize output/logging for a variety of digital forensics tools. The format and schema originated with [[fiwalk]], but is being adopted by other tools.
+
==Schemas==
 
+
The schemas are somewhat in flux, in that new elements will be added as necessary. However, the basic structure is unlikely to change.
=Background=
+
* [[Media:fileobject.xsd|fileobject schema]]
Simson Garfinkel has developed a series of tools designed to generate and analyze forensic data, and is using this XML format to produce analysis-ready output [[http://www.simson.net/xml_forensics.pdf]].
+
* [[Media:filehashset.xsd|filehashset schema]]
 
+
==See Also==
=Schema=
+
We have these DFXML Examples:
The schema is somewhat in flux, in that new elements will be added as necessary. However, the basic structure is unlikely to change.
+
* [[Source DFXML Example]]
 
+
[[Category:Digital Forensics XML]]
<pre>
+
 
+
<!-- edited with XMLSpy v2006 sp2 U (http://www.altova.com) by ITACS (Naval Postgraduate School) -->
+
<xs:schema xmlns="http://afflib.org/fiwalk/fileobject/" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://afflib.org/fiwalk/fileobject/" elementFormDefault="qualified" attributeFormDefault="unqualified">
+
<xs:element name="fileobject">
+
<xs:annotation>
+
<xs:documentation>fileobject is the key file element for the standard digital forensic XML</xs:documentation>
+
</xs:annotation>
+
<xs:complexType>
+
<xs:sequence>
+
<xs:element name="filename" type="xs:string" minOccurs="0"/>
+
<xs:element name="id" type="xs:string" minOccurs="0"/>
+
<xs:element name="filesize" type="xs:positiveInteger" minOccurs="0"/>
+
<xs:element name="partition" type="xs:nonNegativeInteger" minOccurs="0"/>
+
<xs:element name="alloc" type="xs:nonNegativeInteger" minOccurs="0"/>
+
<xs:element name="used" type="xs:nonNegativeInteger" minOccurs="0"/>
+
<xs:element name="inode" type="xs:nonNegativeInteger" minOccurs="0"/>
+
<xs:element name="type" type="xs:nonNegativeInteger" minOccurs="0"/>
+
<xs:element name="mode" type="xs:nonNegativeInteger" minOccurs="0"/>
+
<xs:element name="nlink" type="xs:nonNegativeInteger" minOccurs="0"/>
+
<xs:element name="uid" type="xs:nonNegativeInteger" minOccurs="0"/>
+
<xs:element name="gid" type="xs:nonNegativeInteger" minOccurs="0"/>
+
<xs:element name="mtime" type="xs:long" minOccurs="0"/>
+
<xs:element name="atime" type="xs:long" minOccurs="0"/>
+
<xs:element name="crtime" type="xs:long" minOccurs="0"/>
+
<xs:element name="seq" type="xs:nonNegativeInteger" minOccurs="0"/>
+
<xs:element ref="byte_runs" minOccurs="0"/>
+
<xs:element ref="hashdigest" minOccurs="0" maxOccurs="unbounded"/>
+
<xs:element name="libmagic" type="xs:string" minOccurs="0"/>
+
</xs:sequence>
+
</xs:complexType>
+
</xs:element>
+
<xs:element name="byte_runs">
+
<xs:complexType>
+
<xs:sequence>
+
<xs:element ref="run" minOccurs="0" maxOccurs="unbounded"/>
+
</xs:sequence>
+
</xs:complexType>
+
</xs:element>
+
<xs:element name="run">
+
<xs:complexType>
+
<xs:attribute name="fs_offset" type="xs:nonNegativeInteger"/>
+
<xs:attribute name="file_offset" type="xs:nonNegativeInteger"/>
+
<xs:attribute name="img_offset" type="xs:nonNegativeInteger"/>
+
<xs:attribute name="len" type="xs:nonNegativeInteger"/>
+
</xs:complexType>
+
</xs:element>
+
<xs:element name="hashdigest">
+
<xs:complexType>
+
<xs:simpleContent>
+
<xs:extension base="xs:string">
+
<xs:attribute name="type" type="xs:string"/>
+
</xs:extension>
+
</xs:simpleContent>
+
</xs:complexType>
+
</xs:element>
+
<xs:element name="volume"/>
+
<xs:element name="fiwalk">
+
<xs:complexType>
+
<xs:sequence>
+
<xs:element name="creator">
+
<xs:complexType>
+
<xs:sequence>
+
<xs:element name="program" type="xs:string"/>
+
<xs:element name="version" type="xs:string"/>
+
<xs:element name="build_environment">
+
<xs:complexType>
+
<xs:sequence>
+
<xs:element name="compiler"/>
+
</xs:sequence>
+
</xs:complexType>
+
</xs:element>
+
</xs:sequence>
+
</xs:complexType>
+
</xs:element>
+
</xs:sequence>
+
<xs:attribute name="xmloutputversion" type="xs:string" use="optional"/>
+
</xs:complexType>
+
</xs:element>
+
</xs:schema>
+
 
+
<pre>
+

Latest revision as of 08:38, 27 April 2011

Schemas

The schemas are still evolving: new elements will be added as necessary, so a tool that validates DFXML should validate against the schema revision that matches the producing tool's version rather than treating an unknown element as malformed input. The basic structure, however, is unlikely to change.

See Also

We have these DFXML Examples: