From ForensicsWiki
Revision as of 19:09, 22 November 2009 by Simsong (Talk | contribs)


fiwalk is a batch forensic analysis program, written in C, that uses The Sleuth Kit (TSK) to enumerate every file in a disk image. It can write its results as XML or as ARFF.

==XML Example==

<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
    <dc:type>Disk Image</dc:type>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
<!-- fs start: 512 -->
  <volume offset='512'>
       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
<!-- end of volume -->
<!-- clock: 0 -->
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>

==XML Schema==

{| class="wikitable"
! XML Tag !! Meaning
|-
| <fileobject> || Every file is inside a <fileobject>.
|-
| || YES means that the file is an "orphan," with no file name.
|-
| || The file size in bytes.
|-
| || A "1" means that the file's entry is not allocated in the file system, which usually means the file was deleted. The name and metadata survive in the directory or inode table, but the blocks named in its byte runs may have been reused since, so content recovered from them must be treated with caution.
|-
| || Not sure what this means.
|-
| || The file's modification time, as a Unix timestamp (number of seconds since 00:00:00 UTC, January 1, 1970).
|-
| || The file's inode's creation time, as a Unix timestamp. Caveat: on Unix file systems the inode ctime records the last change to the inode's metadata, not creation; a true creation time exists only on file systems that store one (for example NTFS and FAT).
|-
| || The file's access time, as a Unix timestamp.
|-
| || The file's fragments. Each fragment is given as a byte offset from the beginning of the disk image (the first byte is byte #0) and a length in bytes. In the XML example above these are the img_offset and len attributes of a <run> element.
|-
| || The number of fragments in the file.
|-
| || The file's MD5, as a hexadecimal digest.
|-
| || The file's SHA1, as a hexadecimal digest.
|-
| || The partition number in which the file was found.
|-
| || The sector number of the first fragment. (It can be computed by dividing the byte offset of the first byte run by the disk's sector size.)
|}
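As an added example (not fiwalk's own code and not from the original page), the following Python script parses output of the shape shown in the XML example above, re-extracts each file from the image by following its byte runs, computes the sector number of the first fragment as the schema table describes, and re-checks the recorded MD5. The <fileobject> element and the file_offset, img_offset and len attributes of <run> come from the page's example; the child element names filename, filesize, unalloc, byte_runs and md5, and the 512-byte sector size, are assumptions for illustration and must be checked against the output of the fiwalk version in use. The disk image and the XML are constructed inline; the image is not a real file system.

```python
"""Parse fiwalk-style XML, re-extract files from a disk image via their byte
runs and re-check the recorded MD5.  Added example, not fiwalk's own code.
<fileobject> and the <run> attributes file_offset/img_offset/len come from the
page's example; filename, filesize, unalloc, byte_runs, md5 and the sector
size are ASSUMPTIONS for illustration: check them against your fiwalk output."""
import hashlib
import xml.etree.ElementTree as ET

SECTOR_SIZE = 512  # assumed sector size; only used by first_sector()

# Constructed sample data (not a real file system image).
NOTES = b"fiwalk byte runs say where a file's data lives in the image.\n"
OLD_LOG = b"deleted log line\n" * 4
NOTES_MD5 = hashlib.md5(NOTES).hexdigest()
OLD_LOG_MD5 = hashlib.md5(OLD_LOG).hexdigest()


def build_image():
    """32 KiB image: NOTES split into two fragments, OLD_LOG in sector 30."""
    img = bytearray(32 * 1024)
    img[4096:4096 + 16] = NOTES[:16]                    # fragment 1, sector 8
    img[10240:10240 + len(NOTES) - 16] = NOTES[16:]     # fragment 2, sector 20
    img[15360:15360 + len(OLD_LOG)] = OLD_LOG           # sector 30
    return bytes(img)


# XML in the shape of the page's example.  The old.log run covers its whole
# sector (len='512') although the file is shorter, as block-based runs do.
SAMPLE_XML = f"""<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <volume offset='512'>
    <fileobject>
      <filename>notes.txt</filename>
      <filesize>{len(NOTES)}</filesize>
      <unalloc>0</unalloc>
      <byte_runs>
        <run file_offset='0' img_offset='4096' len='16'/>
        <run file_offset='16' img_offset='10240' len='{len(NOTES) - 16}'/>
      </byte_runs>
      <md5>{NOTES_MD5}</md5>
    </fileobject>
    <fileobject>
      <filename>old.log</filename>
      <filesize>{len(OLD_LOG)}</filesize>
      <unalloc>1</unalloc>
      <byte_runs>
        <run file_offset='0' img_offset='15360' len='512'/>
      </byte_runs>
      <md5>{OLD_LOG_MD5}</md5>
    </fileobject>
  </volume>
</fiwalk>"""


def parse_fileobjects(xml_text):
    """One dict per <fileobject>; runs are (file_offset, img_offset, len)
    tuples sorted by file_offset so fragments concatenate in file order."""
    root = ET.fromstring(xml_text)
    objs = []
    for fo in root.iter("fileobject"):
        runs = sorted((int(r.get("file_offset")), int(r.get("img_offset")),
                       int(r.get("len"))) for r in fo.iter("run"))
        objs.append({"filename": fo.findtext("filename"),
                     "filesize": int(fo.findtext("filesize")),
                     "unalloc": fo.findtext("unalloc") == "1",
                     "md5": fo.findtext("md5"),
                     "runs": runs})
    return objs


def extract(image, fo):
    """Reassemble the file from its fragments, truncated to filesize because
    the last run may be padded out to a block boundary (slack space)."""
    out = bytearray()
    for file_offset, img_offset, length in fo["runs"]:
        if file_offset != len(out):          # gap or overlap: refuse to guess
            raise ValueError("non-contiguous byte runs for %s" % fo["filename"])
        out += image[img_offset:img_offset + length]
    return bytes(out[:fo["filesize"]])


def first_sector(fo):
    """Sector of the first fragment: first run's img_offset / sector size."""
    return fo["runs"][0][1] // SECTOR_SIZE


def verify(image, fo):
    """True if the content at the byte runs still hashes to the recorded MD5."""
    return hashlib.md5(extract(image, fo)).hexdigest() == fo["md5"]


def overwrite_sector(image, img_offset, data):
    """Simulate a later write into a deleted file's sector (constructed case)."""
    buf = bytearray(image)
    buf[img_offset:img_offset + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    image = build_image()
    for fo in parse_fileobjects(SAMPLE_XML):
        print(fo["filename"], "sector", first_sector(fo),
              "unalloc" if fo["unalloc"] else "alloc", "md5 ok:", verify(image, fo))
    reused = overwrite_sector(image, 15360, b"NEWDATA!")
    print("old.log after sector reuse, md5 ok:",
          verify(reused, parse_fileobjects(SAMPLE_XML)[1]))
```

Truncating to filesize is what makes the hash match when a run covers a whole block, as the unallocated file's single run does here. The last check shows why an unallocated file's hash is worth re-verifying: once its sector has been reused, the recorded MD5 no longer matches the content found at its byte runs, and the byte runs of an allocated file are unaffected.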