Difference between revisions of "Fiwalk"

From ForensicsWiki
m (Temporary Distribution Point: Update distribution status)
(14 intermediate revisions by one other user not shown)

The earlier revision opened with the same sentence ("fiwalk is a batch forensics analysis program written in C that uses SleuthKit.") and then carried an ==XML Schema== section, which the latest revision drops. Its table documented the per-file tags of the early fiwalk XML output, in which every file is a <fileobject>; the xmloutputversion 0.2 sample in the latest revision below instead records fragments as <byte_runs>/<run> elements and digests as <hashdigest> elements:

{|
! XML Tag !! Meaning
|-
| <fileobject> || Every file is inside a <fileobject>
|-
| <orphan>YES</orphan> || YES means that the file is an "orphan," with no file name.
|-
| <filesize>3210</filesize> || The file size in bytes.
|-
| <unalloc>1</unalloc> || A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
|-
| <used>1</used> || Not sure what this means.
|-
| <mtime>1114172320</mtime> || The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970).
|-
| <ctime>1195819392</ctime> || The file's inode's creation time, as a Unix timestamp.
|-
| <atime>1195794000</atime> || The file's access time, as a Unix timestamp.
|-
| <byte_runs>121130496:3210</byte_runs> || The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
|-
| <fragments>1</fragments> || The number of fragments in the file.
|-
| <md5>c27c0730b858bc60c8894300a98bba55</md5> || The file's MD5, as a hexadecimal hash.
|-
| <sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1> || The file's SHA1, as a hexadecimal hash.
|-
| <partition>1</partition> || The partition number in which the file was found.
|-
| <frag1startsector>236583</frag1startsector> || The sector number of the first fragment. (Can be computed by taking the byte offset of the first byte run and dividing by the disk's sector size; for the byte run above, 121130496 / 512 = 236583.)
|}

Everything else in the diff is added content: the infobox, the two distribution sections, the list of demonstration programs, the XML example, Availability and See Also. That added content is the latest revision, rendered below.

Latest revision as of 13:08, 13 September 2013

fiwalk
Maintainer: Simson Garfinkel
OS: Linux, MacOS, FreeBSD
Genre: Carving
License: Public Domain
Website: https://github.com/kfairbanks/sleuthkit

fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.

Temporary Distribution Point

fiwalk has been integrated with SleuthKit and can be downloaded from GitHub at https://github.com/sleuthkit/sleuthkit.

Legacy Distribution

fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format.

The fiwalk source code comes with fiwalk.py, a Python module that makes it easy to create digital forensics programs. Also included are several demonstration programs that use fiwalk.py:

iblkfind.py
Given a disk block in a disk image, this program tells you which file(s) map to that sector.
icarvingtruth.py
Given two or more images of the same disk at different points in time, this program finds files that are present in the earlier images that can only be recovered from the later images using file carving techniques.
idifference.py
Given two or more images of the same disk at different points in time, this program tells you what changes took place between each one.
iextract.py
Allows the extraction of files that match a particular pattern.
igrep.py
Searches every file in a disk image for a particular string. When found, it prints the file and the offset within the file at which the string was found.
ihistogram.py
Prints a histogram of file types found in the disk image.
imap.py
Displays a “map” of where files are present in the disk image.
imicrosoft_redact.py
Modifies a disk image of a bootable Microsoft operating system so that the image can no longer be booted and so that any Microsoft-copyrighted file in the \Windows directory cannot be executed. This allows the disk image of a Microsoft operating system to be distributed without implicitly violating Microsoft’s copyright.
iredact.py
An experimental disk redaction program which allows the removal of specific files matching specific criteria.
iverify.py
Given a disk image and a previously created XML file, verifies that each file in the DFXML file is still present in the disk image.
sanitize_xml.py
Given a DFXML file, sanitizes file names so that no personally identifiable information is leaked if the DFXML file is distributed.
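The DFXML that fiwalk writes is simple enough to work with directly. The following Python is an added example written for this page, not fiwalk.py nor any of the demonstration programs listed above: it parses a constructed DFXML document modelled on the page's xmloutputversion 0.2 sample, answers the iblkfind.py question (which file owns a given image sector) from the <byte_runs>/<run> elements, and performs the iverify.py check by reassembling each file from the image and comparing recomputed MD5/SHA1 digests with the recorded <hashdigest> values. The 64 KiB stand-in image, the README content, its digests and the function names are constructed; the block size, offsets and element names follow the page's example.

```python
"""Added example (not fiwalk.py or a fiwalk demo program): parse DFXML,
map an image sector to the file that owns it (the iblkfind.py question),
and re-hash file content out of the image (the iverify.py check)."""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample data: a 64 KiB stand-in for a disk image whose only
# known file, README.txt, sits at the img_offset used in the page's example.
BLOCK_SIZE = 512
README_IMG_OFFSET = 37888
README_CONTENT = b"This is a constructed README for the demo.\n"


@dataclass
class ByteRun:
    file_offset: int   # position of this fragment inside the file
    img_offset: int    # position of this fragment inside the disk image
    length: int


@dataclass
class FileObject:
    filename: str
    inode: int
    alloc: bool
    filesize: int
    runs: list
    hashes: dict       # digest type -> lowercase hex digest recorded in the DFXML


def build_sample_image(size=64 * 1024):
    """Constructed image: zeros everywhere except README.txt's bytes."""
    img = bytearray(size)
    img[README_IMG_OFFSET:README_IMG_OFFSET + len(README_CONTENT)] = README_CONTENT
    return bytes(img)


def build_sample_dfxml():
    """DFXML shaped like the page's fiwalk 0.5.7 / xmloutputversion 0.2 sample;
    the digests are computed from README_CONTENT so verification can pass."""
    md5 = hashlib.md5(README_CONTENT).hexdigest()
    sha1 = hashlib.sha1(README_CONTENT).hexdigest()
    n = len(README_CONTENT)
    xml = f"""<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <volume offset='512'>
    <block_size>{BLOCK_SIZE}</block_size>
    <ftype_str>fat12</ftype_str>
    <fileobject>
      <filename>README.txt</filename>
      <filesize>{n}</filesize>
      <alloc>1</alloc>
      <inode>6</inode>
      <byte_runs>
        <run file_offset='0' fs_offset='37376' img_offset='{README_IMG_OFFSET}' len='{n}'/>
      </byte_runs>
      <hashdigest type='md5'>{md5}</hashdigest>
      <hashdigest type='sha1'>{sha1}</hashdigest>
    </fileobject>
  </volume>
</fiwalk>
"""
    return xml.encode("iso-8859-1")


def parse_dfxml(data):
    """Return (block_size, [FileObject, ...]) from DFXML given as bytes
    (read a real file with open(path, 'rb') so the declared encoding applies)."""
    root = ET.fromstring(data)
    block_size = BLOCK_SIZE
    files = []
    for vol in root.iter("volume"):
        block_size = int(vol.findtext("block_size", default=str(block_size)))
        for fo in vol.iter("fileobject"):
            runs = [ByteRun(int(r.get("file_offset")), int(r.get("img_offset")),
                            int(r.get("len"))) for r in fo.iterfind("byte_runs/run")]
            hashes = {h.get("type"): (h.text or "").strip().lower()
                      for h in fo.iterfind("hashdigest")}
            files.append(FileObject(fo.findtext("filename", default=""),
                                    int(fo.findtext("inode", default="0")),
                                    fo.findtext("alloc") == "1",
                                    int(fo.findtext("filesize", default="0")),
                                    runs, hashes))
    return block_size, files


def files_covering_sector(files, sector, block_size):
    """iblkfind-style lookup: names of files with a byte run overlapping the
    given image sector (sector number = image byte offset // block_size)."""
    lo, hi = sector * block_size, (sector + 1) * block_size
    return [f.filename for f in files
            if any(r.img_offset < hi and lo < r.img_offset + r.length for r in f.runs)]


def reassemble(f, image):
    """Rebuild file content by copying each byte run out of the image."""
    buf = bytearray(f.filesize)
    for r in f.runs:
        buf[r.file_offset:r.file_offset + r.length] = image[r.img_offset:r.img_offset + r.length]
    return bytes(buf)


def verify_file(f, image):
    """iverify-style check: {digest type: recorded digest matches the image}."""
    content = reassemble(f, image)
    return {t: hashlib.new(t, content).hexdigest() == d for t, d in f.hashes.items()}


if __name__ == "__main__":
    block_size, files = parse_dfxml(build_sample_dfxml())
    image = build_sample_image()
    for f in files:
        first_sector = f.runs[0].img_offset // block_size   # the old frag1startsector value
        print(f.filename, "first sector", first_sector, verify_file(f, image))
```

Sector numbers here are counted from the start of the image in units of the volume's block size, which is also how the old frag1startsector value relates to the first byte run (offset divided by sector size). A single changed byte inside a run shows up as a digest mismatch, which is what makes a DFXML manifest useful as an integrity record for an image that is archived or redistributed.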


XML Example

<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata 
  xmlns='http://example.org/myapp/' 
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' 
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
<!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
  </volume>
<!-- end of volume -->
<!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>
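The document above is the shape of input that sanitize_xml.py is described as taking. As an added example, not fiwalk's own sanitize_xml.py, the following Python pseudonymises every <filename> element with a keyed HMAC, one path component at a time, so the sanitised DFXML keeps directory depth and file extensions but carries none of the original names. The sample DFXML, its second file name, the key and the function names are constructed.

```python
"""Added example (not fiwalk's sanitize_xml.py): keyed pseudonymisation of
<filename> elements in a DFXML document before it is shared."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed DFXML with two file names; the second one carries a user name
# and a document title, the kind of detail that should not leave the lab.
SAMPLE_DFXML = b"""<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <volume offset='512'>
    <fileobject>
      <filename>README.txt</filename>
      <filesize>43</filesize>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
    </fileobject>
    <fileobject>
      <filename>Users/alice/tax return 2009.pdf</filename>
      <filesize>90112</filesize>
    </fileobject>
  </volume>
</fiwalk>
"""


def pseudonym(component, key):
    """Deterministic, keyed replacement for one path component. The same name
    maps to the same token under one key, so an analyst holding the key can
    still correlate records; without the key the name is not recoverable and
    cannot be confirmed by guessing. The extension is kept so file-type
    statistics survive sanitisation."""
    suffix = PurePosixPath(component).suffix.lower()
    token = hmac.new(key, component.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return token + suffix


def sanitize_path(path, key):
    """Pseudonymise each component separately so directory depth is preserved."""
    return "/".join(pseudonym(p, key) if p else "" for p in path.split("/"))


def sanitize_dfxml(data, key):
    """Rewrite every <filename> in the DFXML bytes; everything else is untouched."""
    root = ET.fromstring(data)
    for el in root.iter("filename"):
        if el.text:
            el.text = sanitize_path(el.text, key)
    return ET.tostring(root, encoding="unicode")


def filenames(xml_text):
    """Helper for inspection: the <filename> values of a DFXML string."""
    return [el.text for el in ET.fromstring(xml_text).iter("filename")]


if __name__ == "__main__":
    # The key is constructed for the demo; a real one is generated once per
    # case, stored with the case notes and never shipped with the output.
    demo_key = b"constructed-demo-key"
    print(filenames(sanitize_dfxml(SAMPLE_DFXML, demo_key)))
```

Keyed rather than plain hashing matters: with an unkeyed hash anyone could confirm a guessed name by hashing it, whereas with the key held back only the analyst can tie the sanitised output to the original. Note what this does not hide: file sizes, timestamps, extensions, directory depth and the content digests all stay, and a content digest alone can identify a known file, so the rest of the record still needs review before distribution.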

Availability

fiwalk can be downloaded from http://afflib.org/fiwalk

See Also

* fileobject
* fiwalk on the DEEP website (http://domex.nps.edu/deep/Fiwalk.html)

Category: Digital Forensics XML