Difference between revisions of "Fiwalk"

From ForensicsWiki

Revision as of 15:57, 2 December 2008

fiwalk is a batch forensics analysis program written in C that uses SleuthKit.

XML Schema

XML Tag | Meaning
<fileobject> | Every file is inside a <fileobject>.
<orphan>YES</orphan> | YES means that the file is an "orphan," with no file name.
<filesize>3210</filesize> | The file size in bytes.
<unalloc>1</unalloc> | A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
<used>1</used> | Not sure what this means.
<mtime>1114172320</mtime> | The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970).
<ctime>1195819392</ctime> | The file's inode's creation time, as a Unix timestamp.
<atime>1195794000</atime> | The file's access time, as a Unix timestamp.
<byte_runs>121130496:3210</byte_runs> | The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
<fragments>1</fragments> | The number of fragments in the file.
<md5>c27c0730b858bc60c8894300a98bba55</md5> | The file's MD5 hash, in hexadecimal.
<sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1> | The file's SHA-1 hash, in hexadecimal.
<partition>1</partition> | The partition number in which the file was found.
<frag1startsector>236583</frag1startsector> | The sector number of the first fragment. (Can be computed by taking the byte offset of the first byte run and dividing by the disk's sector size.)
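As an added example (not code from fiwalk or from this page), a small Python parser for the XML layout in the table above that checks each <fileobject> for internal consistency: fragment count against byte_runs, byte_runs length against filesize, and the first-fragment sector against frag1startsector. It assumes a 512-byte sector size, which the schema does not record, and that a byte_runs value with several fragments lists them separated by whitespace.

```python
import xml.etree.ElementTree as ET

SECTOR_SIZE = 512  # assumption: the schema above does not record the sector size

# Constructed sample in the fiwalk XML layout described above; values are those from the table.
SAMPLE_XML = """<fiwalk>
<fileobject>
<orphan>YES</orphan>
<filesize>3210</filesize>
<unalloc>1</unalloc>
<used>1</used>
<mtime>1114172320</mtime>
<ctime>1195819392</ctime>
<atime>1195794000</atime>
<byte_runs>121130496:3210</byte_runs>
<fragments>1</fragments>
<md5>c27c0730b858bc60c8894300a98bba55</md5>
<sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1>
<partition>1</partition>
<frag1startsector>236583</frag1startsector>
</fileobject>
</fiwalk>"""

def parse_byte_runs(text):
    """Parse 'offset:length [offset:length ...]' into (offset, length) tuples (whitespace-separated runs assumed)."""
    runs = []
    for run in text.split():
        offset, length = run.split(":")
        runs.append((int(offset), int(length)))
    return runs

def check_fileobject(fo, sector_size=SECTOR_SIZE):
    """Return the facts an examiner wants from one <fileobject>, plus consistency flags."""
    runs = parse_byte_runs(fo.findtext("byte_runs", ""))
    fragments = int(fo.findtext("fragments", "0"))
    filesize = int(fo.findtext("filesize", "0"))
    first_sector = runs[0][0] // sector_size if runs else None  # byte offset / sector size
    declared = fo.findtext("frag1startsector")
    return {
        "orphan": fo.findtext("orphan") == "YES",
        "unallocated": fo.findtext("unalloc") == "1",
        "fragment_count_matches": len(runs) == fragments,
        # a mismatch here is worth a look (slack or sparse data), not necessarily an error
        "byte_runs_cover_filesize": sum(length for _, length in runs) == filesize,
        "first_sector": first_sector,
        "first_sector_matches": declared is not None and first_sector == int(declared),
        "md5": fo.findtext("md5"),
    }

def check_document(xml_text, sector_size=SECTOR_SIZE):
    """Run check_fileobject over every <fileobject> in a fiwalk XML document."""
    root = ET.fromstring(xml_text)
    return [check_fileobject(fo, sector_size) for fo in root.iter("fileobject")]
```

With the table's own values, 121130496 // 512 gives 236583, matching the recorded frag1startsector.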