From Forensics Wiki
Revision as of 22:19, 23 November 2009 by Simsong (Talk | contribs)

Jump to: navigation, search

fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.

XML Example

<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
    <dc:type>Disk Image</dc:type>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
<!-- fs start: 512 -->
  <volume offset='512'>
       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
<!-- end of volume -->
<!-- clock: 0 -->
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>

XML Schema

XML Tag Meaning
<fileobject> Every file is inside a <fileobject>
<orphan>YES</orphan> YES means that the file is an ""orphan,"" with no file name.
<filesize>3210</filesize> The file size in bytes.
<unalloc>1</unalloc> A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
<used>1</used> Not sure what this means.
<mtime>1114172320</mtime> The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970).
<ctime>1195819392</ctime> The file's inode's creation time, as a Unix timestamp.
<atime>1195794000</atime> The file's access time, as a unix timestamp.
<byte_runs>121130496:3210</byte_runs> The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
<fragments>1</fragments> The number of fragments in the file.
<md5>c27c0730b858bc60c8894300a98bba55</md5> The file's MD5, as a hexadecimal hash.
<sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1> The file's SHA1, as a hexadecimal hash.
<partition>1</partition> The partition number in which the file was found.
<frag1startsector>236583</frag1startsector> The sector number of the first fragment. (Can be computed by taking the byte offset of the first byte run and dividing by the disk's sector size.)

See Also