Fiwalk
From Forensics Wiki
fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.
==XML Example==
 <?xml version='1.0' encoding='ISO-8859-1'?>
 <fiwalk xmloutputversion='0.2'>
   <metadata
     xmlns='http://example.org/myapp/'
     xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
     xmlns:dc='http://purl.org/dc/elements/1.1/'>
     <dc:type>Disk Image</dc:type>
   </metadata>
   <creator>
     <program>fiwalk</program>
     <version>0.5.7</version>
     <os>Darwin</os>
     <library name="tsk" version="3.0.1"></library>
     <library name="afflib" version="3.5.2"></library>
     <command_line>fiwalk -x /dev/disk2</command_line>
   </creator>
   <source>
     <imagefile>/dev/disk2</imagefile>
   </source>
   <!-- fs start: 512 -->
   <volume offset='512'>
     <Partition_Offset>512</Partition_Offset>
     <block_size>512</block_size>
     <ftype>2</ftype>
     <ftype_str>fat12</ftype_str>
     <block_count>5062</block_count>
     <first_block>0</first_block>
     <last_block>5061</last_block>
     <fileobject>
       <filename>README.txt</filename>
       <id>2</id>
       <filesize>43</filesize>
       <partition>1</partition>
       <alloc>1</alloc>
       <used>1</used>
       <inode>6</inode>
       <type>1</type>
       <mode>511</mode>
       <nlink>1</nlink>
       <uid>0</uid>
       <gid>0</gid>
       <mtime>1258916904</mtime>
       <atime>1258876800</atime>
       <crtime>1258916900</crtime>
       <byte_runs>
         <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
       </byte_runs>
       <md5>2bbe5c3b554b14ff710a0a2e77ce8c4d</md5>
       <sha1>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</sha1>
     </fileobject>
   </volume>
   <!-- end of volume -->
   <!-- clock: 0 -->
   <runstats>
     <user_seconds>0</user_seconds>
     <system_seconds>0</system_seconds>
     <maxrss>1814528</maxrss>
     <reclaims>546</reclaims>
     <faults>1</faults>
     <swaps>0</swaps>
     <inputs>56</inputs>
     <outputs>0</outputs>
     <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
   </runstats>
 </fiwalk>
==XML Schema==
{|
|XML Tag
|Meaning
|-
|<fileobject>
|Every file is described inside a <fileobject> element.
|-
|<orphan>YES</orphan>
|YES means that the file is an "orphan," with no file name.
|-
|<filesize>3210</filesize>
|The file size in bytes.
|-
|<unalloc>1</unalloc>
|A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
|-
|<used>1</used>
|Not sure what this means.
|-
|<mtime>1114172320</mtime>
|The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970).
|-
|<ctime>1195819392</ctime>
|The creation time of the file's inode, as a Unix timestamp.
|-
|<atime>1195794000</atime>
|The file's access time, as a Unix timestamp.
|-
|<byte_runs>121130496:3210</byte_runs>
|The file's fragments. Each fragment is given as the byte offset from the beginning of the disk image (the first byte is byte #0) followed by its length in bytes.
|-
|<fragments>1</fragments>
|The number of fragments in the file.
|-
|<md5>c27c0730b858bc60c8894300a98bba55</md5>
|The file's MD5 digest, as a hexadecimal string.
|-
|<sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1>
|The file's SHA1 digest, as a hexadecimal string.
|-
|<partition>1</partition>
|The number of the partition in which the file was found.
|-
|<frag1startsector>236583</frag1startsector>
|The sector number of the first fragment. (Can be computed by dividing the byte offset of the first byte run by the disk's sector size.)
|}
[[Category:XML Forensics]]