Difference between pages "Word Document (DOCX)" and "Fiwalk"

From Forensics Wiki
Word Document (DOCX)

DOCX is the file format for Microsoft Office 2007 and later.

DOCX should not be confused with [[DOC]], the format used by earlier versions of Microsoft Office.

= Container Format =

DOCX consists of a [[ZIP]] file containing XML and binaries. Content can be analysed without modification by unzipping the file (e.g. in WinZIP) and analysing the contents of the archive.
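An added example (not code from the Forensics Wiki page) of the approach described above: it builds a constructed, minimal DOCX-like archive in memory, then inspects it with Python's standard zipfile module without extracting anything to disk, separating the XML parts from binary parts (here a constructed stand-in for an embedded OLE object) and pulling the visible document text out of word/document.xml. The member names, the text and the OLE stand-in are all constructed for the demonstration; the only real identifiers are the standard OOXML part names and the WordprocessingML namespace URI.

```python
"""Triage a DOCX container without extracting it to disk (added example, constructed data)."""
import io
import xml.etree.ElementTree as ET
import zipfile

# WordprocessingML main namespace used by word/document.xml
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Magic bytes of an OLE compound file, the container format of embedded objects
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def build_sample_docx() -> bytes:
    """Constructed minimal DOCX-like archive for the demonstration (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("_rels/.rels",
                   "<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'>"
                   "<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
                   "<w:p><w:r><w:t>See attached object.</w:t></w:r></w:p></w:body></w:document>")
        # Constructed binary part: OLE header magic followed by padding
        z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 56)
    return buf.getvalue()


def inspect_docx(data: bytes) -> dict:
    """Enumerate the archive's parts, separate XML from binary parts, and collect visible text."""
    report = {"parts": [], "binary_parts": [], "suspicious_names": [], "text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            report["parts"].append((info.filename, info.file_size))
            # Member names come from the file itself; flag any that would escape a target directory
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                report["suspicious_names"].append(info.filename)
            # Anything that is not an XML part deserves a closer look (embedded objects, media, macros)
            if not info.filename.lower().endswith((".xml", ".rels")):
                head = z.read(info.filename)[:8]
                report["binary_parts"].append((info.filename, head.hex()))
        if "word/document.xml" in z.namelist():
            root = ET.fromstring(z.read("word/document.xml"))
            report["text"] = [t.text for t in root.iter(W_NS + "t") if t.text]
    return report


if __name__ == "__main__":
    result = inspect_docx(build_sample_docx())
    for name, size in result["parts"]:
        print(f"{size:6d}  {name}")
    print("binary parts:", result["binary_parts"])
    print("text:", result["text"])
```

The report is produced entirely from the in-memory archive, which is the point of the passage: nothing is written out, so the original container is untouched and the examiner still sees every part, its size and the leading bytes of each non-XML member.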
 
  
= Relationship to OOXML =

For most purposes OOXML may be considered a subset of DOCX (DOCX contains additional features, like OLE serialization).

Documentation on OOXML may provide a guide to analysing a DOCX file.

[[Category:File Formats]]

Fiwalk

Revision as of 12:00, 19 January 2012

fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.

fiwalk can be downloaded from http://afflib.org/fiwalk

==XML Example==

<pre>
<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata
  xmlns='http://example.org/myapp/'
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
<!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
  </volume>
<!-- end of volume -->
<!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>
</pre>

==See Also==

* [[fileobject]]
* [http://domex.nps.edu/deep/Fiwalk.html fiwalk on the DEEP website]

[[Category:Digital Forensics XML]]
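As an added example, not part of the fiwalk distribution or of this page, the following Python reads the fiwalk XML shown above (trimmed to the elements it needs), checks that each byte run is internally consistent (in the sample, img_offset 37888 equals fs_offset 37376 plus the volume offset 512, and the run length equals filesize), reassembles a file's bytes from an image using its runs, and recomputes the recorded MD5 and SHA-1 digests so that an XML record can be verified against the image it claims to describe. The second record (hello.txt) and the images used in the demonstration are constructed test data; the script assumes the unnamespaced xmloutputversion 0.2 layout shown on this page, with fileobject elements nested inside volume.

```python
"""Parse fiwalk XML (xmloutputversion 0.2) and cross-check records against a disk image."""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: the fiwalk 0.5.7 output shown on this page, trimmed to the
# elements this script reads (volume offset, file size, byte runs, digests).
SAMPLE_DFXML = """<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <volume offset='512'>
    <ftype_str>fat12</ftype_str>
    <fileobject>
      <filename>README.txt</filename>
      <filesize>43</filesize>
      <byte_runs>
       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
  </volume>
</fiwalk>
"""

# Second constructed record whose content ("hello") can be placed in a test image;
# the digests are the MD5 and SHA-1 of the ASCII string "hello".
HELLO_DFXML = """<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'><volume offset='512'><fileobject>
<filename>hello.txt</filename><filesize>5</filesize>
<byte_runs><run file_offset='0' fs_offset='512' img_offset='1024' len='5'/></byte_runs>
<hashdigest type='md5'>5d41402abc4b2a76b9719d911017c592</hashdigest>
<hashdigest type='sha1'>aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d</hashdigest>
</fileobject></volume></fiwalk>"""


@dataclass
class ByteRun:
    file_offset: int   # position of this run inside the file
    fs_offset: int     # position inside the file system
    img_offset: int    # position inside the whole image
    length: int


@dataclass
class FileObject:
    filename: str
    filesize: int
    volume_offset: int
    runs: list = field(default_factory=list)
    hashes: dict = field(default_factory=dict)   # algorithm name -> hex digest


def parse_dfxml(text: str) -> list:
    """Return one FileObject per <fileobject> in a fiwalk 0.2 document."""
    root = ET.fromstring(text.encode("latin-1"))   # honour the ISO-8859-1 declaration
    objects = []
    for volume in root.iter("volume"):
        vol_off = int(volume.get("offset", "0"))
        for fo in volume.iter("fileobject"):
            obj = FileObject(fo.findtext("filename", ""), int(fo.findtext("filesize", "0")), vol_off)
            for run in fo.iter("run"):
                obj.runs.append(ByteRun(*(int(run.get(k, 0))
                                          for k in ("file_offset", "fs_offset", "img_offset", "len"))))
            for hd in fo.iter("hashdigest"):
                obj.hashes[hd.get("type", "?")] = (hd.text or "").strip().lower()
            objects.append(obj)
    return objects


def check_runs(obj: FileObject) -> list:
    """Internal consistency checks to apply before trusting a record; returns a list of problems."""
    problems = []
    if sum(r.length for r in obj.runs) != obj.filesize:
        problems.append("byte runs do not cover filesize")
    for r in obj.runs:
        # fiwalk's img_offset is the fs_offset shifted by the volume's start in the image
        if r.img_offset != r.fs_offset + obj.volume_offset:
            problems.append(f"run at file_offset {r.file_offset}: img_offset != fs_offset + volume offset")
    return problems


def reconstruct(obj: FileObject, image: bytes) -> bytes:
    """Reassemble the file's bytes from the image using its byte runs (fragmented files supported)."""
    data = bytearray(obj.filesize)
    for r in sorted(obj.runs, key=lambda r: r.file_offset):
        want = min(r.length, obj.filesize - r.file_offset)   # ignore slack past filesize
        chunk = image[r.img_offset:r.img_offset + want]      # short if the image is truncated
        data[r.file_offset:r.file_offset + len(chunk)] = chunk
    return bytes(data)


def verify_hashes(obj: FileObject, image: bytes) -> dict:
    """Recompute each recorded digest from the image: True = match, False = mismatch, None = unsupported."""
    content = reconstruct(obj, image)
    results = {}
    for algo, expected in obj.hashes.items():
        try:
            results[algo] = hashlib.new(algo, content).hexdigest() == expected
        except ValueError:            # digest algorithm not available in this Python build
            results[algo] = None
    return results


if __name__ == "__main__":
    for obj in parse_dfxml(SAMPLE_DFXML):
        print(obj.filename, obj.filesize, "bytes; problems:", check_runs(obj) or "none")
        # Against a zero-filled stand-in image every recorded digest should fail to match.
        print("digests match blank image:", verify_hashes(obj, bytes(64 * 1024)))
```

Run against a real image, `verify_hashes` is the check that ties the XML report back to the evidence: a mismatch means either the record, the image or the run table has changed since fiwalk ran. A `None` result only says the local hashlib lacks that algorithm (MD5 is disabled on some FIPS-configured systems), not that the file differs.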