Difference between pages "Fiwalk" and "Libpff"

From Forensics Wiki

= Fiwalk =

fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.

==XML Example==
<pre>
<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata
  xmlns='http://example.org/myapp/'
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
<!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
      <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <md5>2bbe5c3b554b14ff710a0a2e77ce8c4d</md5>
      <sha1>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</sha1>
    </fileobject>
  </volume>
<!-- end of volume -->
<!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>
</pre>

==XML Schema==

{|
|XML Tag
|Meaning
|-
|<fileobject>
|Every file is inside a <fileobject>
|-
|<orphan>YES</orphan>
|YES means that the file is an "orphan," with no file name.
|-
|<filesize>3210</filesize>
|The file size in bytes.
|-
|<unalloc>1</unalloc>
|A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
|-
|<used>1</used>
|Not sure what this means.
|-
|<mtime>1114172320</mtime>
|The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970).
|-
|<ctime>1195819392</ctime>
|The file's inode's creation time, as a Unix timestamp.
|-
|<atime>1195794000</atime>
|The file's access time, as a Unix timestamp.
|-
|<byte_runs>121130496:3210</byte_runs>
|The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
|-
|<fragments>1</fragments>
|The number of fragments in the file.
|-
|<md5>c27c0730b858bc60c8894300a98bba55</md5>
|The file's MD5, as a hexadecimal hash.
|-
|<sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1>
|The file's SHA1, as a hexadecimal hash.
|-
|<partition>1</partition>
|The partition number in which the file was found.
|-
|<frag1startsector>236583</frag1startsector>
|The sector number of the first fragment. (Can be computed by taking the byte offset of the first byte run and dividing by the disk's sector size.)
|}

[[Category:XML Forensics]]

= Libpff =

{{Infobox_Software |
  name = libpff |
  maintainer = [[Joachim Metz]] |
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
  genre = {{Analysis}} |
  license = {{LGPL}} |
  website = [http://libpff.sourceforge.net libpff.sourceforge.net] |
}}

The '''libpff''' package contains a [[Linux]]-based library and applications to read the [[Personal Folder File (PAB, PST, OST)]] format.

It has been ported to other platforms, including [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]] and [[Windows]].

== History ==

Libpff was created by [[Joachim Metz]] in 2008, while working for [http://en.hoffmannbv.nl/ Hoffmann Investigations].

Libpff is a rewrite of earlier work on the PST file format by the [http://www.five-ten-sg.com/libpst/ libpst project]. Libpff was updated to be a shared library and to support OST and PAB files.

Currently libpff only partially supports the data in PAB files.

== Tools ==

The '''libpff''' package contains the following tools:

* '''pffexport''', which exports the items stored in PAB, PST and OST (PFF) files
* '''pffinfo''', which shows information about PFF files.

'''pffrecover''' has been replaced by '''pffexport -m recovered'''.

== External Links ==

* [http://libpff.sourceforge.net libpff project site]
Revision as of 08:26, 11 December 2010
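The fiwalk XML report earlier on this page records, for every <fileobject>, where its bytes live in the image (the <run> elements with img_offset and len) and the MD5/SHA1 fiwalk computed. A consumer of that report can use those fields to re-carve the file from the image and confirm the image still hashes to what the report says. The following is an added Python example, not code from fiwalk or the Forensics Wiki: it parses a report condensed from the page's example with the standard library, reassembles a file from its byte runs, and recomputes the hashes. It also accepts the older <unalloc> tag from the schema table. The function and class names (parse_fiwalk, carve, verify, FileObject, ByteRun) are this example's own, and the disk image used in the usage section is constructed here, so the README.txt hashes from the page are expected not to match it.

```python
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List

# fiwalk report condensed from the XML example on the page (metadata and
# runstats dropped). README.txt's real content is not on the page.
FIWALK_XML = """<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <volume offset='512'>
    <block_size>512</block_size>
    <ftype_str>fat12</ftype_str>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <inode>6</inode>
      <mtime>1258916904</mtime>
      <byte_runs>
      <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <md5>2bbe5c3b554b14ff710a0a2e77ce8c4d</md5>
      <sha1>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</sha1>
    </fileobject>
  </volume>
</fiwalk>
"""


@dataclass
class ByteRun:
    file_offset: int   # position of this fragment inside the file
    img_offset: int    # position of this fragment inside the disk image
    length: int


@dataclass
class FileObject:
    filename: str
    inode: int
    filesize: int
    allocated: bool
    md5: str
    sha1: str
    runs: List[ByteRun] = field(default_factory=list)


def _int(elem, tag, default=0):
    node = elem.find(tag)
    return int(node.text) if node is not None and node.text else default


def _text(elem, tag):
    node = elem.find(tag)
    return (node.text or "").strip() if node is not None else ""


def parse_fiwalk(xml_text: str) -> List[FileObject]:
    """Return one FileObject per <fileobject> in a fiwalk XML report."""
    root = ET.fromstring(xml_text)
    objects = []
    for fo in root.iter("fileobject"):
        runs = [ByteRun(int(r.get("file_offset", 0)), int(r.get("img_offset")), int(r.get("len")))
                for r in fo.iter("run") if r.get("img_offset") is not None]
        # Newer reports carry <alloc>, the older schema on the page carries <unalloc>.
        if fo.find("unalloc") is not None:
            allocated = _int(fo, "unalloc") == 0
        else:
            allocated = _int(fo, "alloc", 1) == 1
        objects.append(FileObject(_text(fo, "filename"), _int(fo, "inode"), _int(fo, "filesize"),
                                  allocated, _text(fo, "md5").lower(), _text(fo, "sha1").lower(), runs))
    return objects


def carve(image: bytes, fo: FileObject) -> bytes:
    """Reassemble a file from the image using its byte runs, in any run order."""
    total = max([fo.filesize] + [r.file_offset + r.length for r in fo.runs])
    buf = bytearray(total)  # zero-filled, so gaps between runs stay zero
    for run in fo.runs:
        end = run.img_offset + run.length
        if end > len(image):
            raise ValueError(f"run at img_offset {run.img_offset} extends past image end ({len(image)})")
        buf[run.file_offset:run.file_offset + run.length] = image[run.img_offset:end]
    return bytes(buf[:fo.filesize])


def hashes_of(data: bytes) -> Dict[str, str]:
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def verify(image: bytes, fo: FileObject) -> Dict[str, bool]:
    """Check that the image still yields the size and hashes the report claims."""
    data = carve(image, fo)
    h = hashes_of(data)
    return {
        "runs_cover_file": sum(r.length for r in fo.runs) >= fo.filesize,
        "md5_ok": h["md5"] == fo.md5,
        "sha1_ok": h["sha1"] == fo.sha1,
    }


if __name__ == "__main__":
    # Constructed 40 000-byte stand-in for /dev/disk2 with placeholder bytes where
    # README.txt lives; the hashes from the page will not match these bytes.
    image = bytearray(40000)
    image[37888:37888 + 43] = b"x" * 43
    for fo in parse_fiwalk(FIWALK_XML):
        print(fo.filename, fo.filesize, "bytes, inode", fo.inode, verify(bytes(image), fo))
```

Run against a real image, a mismatch on md5_ok/sha1_ok for an allocated file means the image (or the report) changed since fiwalk ran, which is the check an examiner wants before relying on the report's hashes.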
