Difference between revisions of "Fiwalk"

From ForensicsWiki

Revision as of 15:57, 2 December 2008

fiwalk is a batch forensics analysis program written in C that uses SleuthKit.

XML Schema

| XML Tag | Meaning |
|---|---|
| <fileobject> | Every file is inside a <fileobject>. |
| <orphan>YES</orphan> | YES means that the file is an "orphan", with no file name. |
| <filesize>3210</filesize> | The file size in bytes. |
| <unalloc>1</unalloc> | A "1" means that the file was not allocated in the file system. This may mean that the file was deleted. |
| <used>1</used> | Not sure what this means. |
| <mtime>1114172320</mtime> | The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970). |
| <ctime>1195819392</ctime> | The file's inode's creation time, as a Unix timestamp. |
| <atime>1195794000</atime> | The file's access time, as a Unix timestamp. |
| <byte_runs>121130496:3210</byte_runs> | The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes. |
| <fragments>1</fragments> | The number of fragments in the file. |
| <md5>c27c0730b858bc60c8894300a98bba55</md5> | The file's MD5, as a hexadecimal hash. |
| <sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1> | The file's SHA1, as a hexadecimal hash. |
| <partition>1</partition> | The partition number in which the file was found. |
| <frag1startsector>236583</frag1startsector> | The sector number of the first fragment. (Can be computed by taking the byte offset of the first byte run and dividing by the disk's sector size.) |
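The following Python script is an added example, not code from this wiki page or from the fiwalk project. It parses <fileobject> records of the shape described in the table, converts the Unix timestamps to ISO 8601, cross-checks the redundant fields (byte_runs against filesize and fragments, frag1startsector against the first run's offset) and verifies the recorded MD5/SHA1 against the bytes found at the byte runs of an in-memory image. Assumptions not stated on the page: a 512-byte sector size (which does agree with the sample values, since 121130496 / 512 = 236583), a <fiwalk> root element around the sample record, and whitespace-separated offset:length pairs when a file has more than one fragment. The sample XML is constructed from the table's values; the second, tiny image used for the hash check is constructed too.

```python
"""Parse fiwalk <fileobject> records, cross-check them, and verify hashes.
Added example; not code from the ForensicsWiki page or the fiwalk project."""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Assumption: 512-byte sectors. This agrees with the page's sample values,
# since 121130496 // 512 == 236583 == <frag1startsector>.
SECTOR_SIZE = 512

# Constructed sample built from the tags and values in the table above.
# The <fiwalk> root is an assumption; the parser only looks for <fileobject>.
SAMPLE_XML = """<?xml version="1.0"?>
<fiwalk>
<fileobject><orphan>YES</orphan>
<filesize>3210</filesize> <unalloc>1</unalloc> <used>1</used>
<mtime>1114172320</mtime> <ctime>1195819392</ctime> <atime>1195794000</atime>
<byte_runs>121130496:3210</byte_runs> <fragments>1</fragments>
<md5>c27c0730b858bc60c8894300a98bba55</md5>
<sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1>
<partition>1</partition> <frag1startsector>236583</frag1startsector>
</fileobject>
</fiwalk>"""

INT_TAGS = ("filesize", "unalloc", "used", "mtime", "ctime", "atime",
            "fragments", "partition", "frag1startsector")


def parse_byte_runs(text):
    """'offset:length' pairs -> [(offset, length)]. The page shows a single
    run; multiple runs are assumed here to be whitespace-separated."""
    return [tuple(int(x) for x in tok.split(":")) for tok in text.split()]


def parse_fileobjects(xml_text):
    """One dict per <fileobject>, wherever it appears in the tree."""
    records = []
    for el in ET.fromstring(xml_text).iter("fileobject"):
        get = lambda tag: (el.findtext(tag) or "").strip()
        rec = {tag: int(get(tag) or 0) for tag in INT_TAGS}
        rec["orphan"] = get("orphan").upper() == "YES"
        rec["byte_runs"] = parse_byte_runs(get("byte_runs"))
        rec["md5"] = get("md5").lower()
        rec["sha1"] = get("sha1").lower()
        records.append(rec)
    return records


def to_iso(ts):
    """Unix timestamp (seconds since 1970-01-01 UTC) -> ISO 8601 string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def check_consistency(rec, sector_size=SECTOR_SIZE):
    """Cross-check the redundant fields; [] means the record agrees with itself."""
    problems = []
    runs = rec["byte_runs"]
    if sum(n for _, n in runs) != rec["filesize"]:
        problems.append("byte_runs lengths do not add up to filesize")
    if len(runs) != rec["fragments"]:
        problems.append("fragments != number of byte runs")
    if runs:
        if runs[0][0] % sector_size:
            problems.append("first run does not start on a sector boundary")
        if runs[0][0] // sector_size != rec["frag1startsector"]:
            problems.append("frag1startsector != first run offset // sector size")
    hexdigits = set("0123456789abcdef")
    for tag, width in (("md5", 32), ("sha1", 40)):
        if len(rec[tag]) != width or not set(rec[tag]) <= hexdigits:
            problems.append(f"{tag} is not {width} hex digits")
    return problems


def extract_bytes(image, rec):
    """Reassemble the file from its byte runs in an in-memory image."""
    return b"".join(image[off:off + n] for off, n in rec["byte_runs"])


def hashes_match(image, rec):
    """True when the recorded md5 and sha1 match the bytes at the recorded runs."""
    data = extract_bytes(image, rec)
    return (hashlib.md5(data).hexdigest() == rec["md5"]
            and hashlib.sha1(data).hexdigest() == rec["sha1"])


# Constructed 2 KiB image holding a two-fragment file whose content is b"abc";
# the md5/sha1 values are the well-known test vectors for "abc".
DEMO_IMAGE = bytearray(2048)
DEMO_IMAGE[512:514] = b"ab"
DEMO_IMAGE[1024:1025] = b"c"
DEMO_RECORD = {"filesize": 3, "unalloc": 0, "orphan": False, "fragments": 2,
               "byte_runs": [(512, 2), (1024, 1)], "frag1startsector": 1,
               "md5": "900150983cd24fb0d6963f7d28e17f72",
               "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d"}

if __name__ == "__main__":
    for rec in parse_fileobjects(SAMPLE_XML):
        print(f"size={rec['filesize']} orphan={rec['orphan']} unalloc={rec['unalloc']} "
              f"mtime={to_iso(rec['mtime'])} problems={check_consistency(rec) or 'none'}")
    print("demo hashes match:", hashes_match(bytes(DEMO_IMAGE), DEMO_RECORD))
```

check_consistency is the part worth running over a whole fiwalk report: a record whose frag1startsector disagrees with its first byte run, or whose run lengths do not sum to filesize, points at either a different sector size than assumed or a damaged report, and hashes_match lets the recorded digests be confirmed directly against the image before they are relied on.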