Difference between revisions of "Fileobject"

From ForensicsWiki
Jump to: navigation, search
Line 39: Line 39:
[[Category:XML Forensics]]
[[Category:Digital Forensics XML]]

Revision as of 06:43, 25 November 2009

fileobject is an XML Forensics XML tag which is used to describe information about a file.

The file object can contain information about:

  • The file's name
  • The file's hash code(s)
  • The file's location on the disk.
  • Embedded metadata
  • Block hashes, a Bloom Filter, or a Similarity Digest for the file.

Other objects can be embedded in a fileobject object:

  • The byte_runs object specifies where the file is located on the disk.
  • A sector_hash object is a list of sector hash codes.
  • The sector_hash object could contain a nsrl_bloom object, which would be a bloom filter that contains all of the sector hashes.

XML Sample

       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>