| − | fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.
| |
| − | ==XML Example==
| |
| − | <pre>
| |
| − | <?xml version='1.0' encoding='ISO-8859-1'?>
| |
| − | <fiwalk xmloutputversion='0.2'>
| |
| − | <metadata
| |
| − | xmlns='http://example.org/myapp/'
| |
| − | xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
| |
| − | xmlns:dc='http://purl.org/dc/elements/1.1/'>
| |
| − | <dc:type>Disk Image</dc:type>
| |
| − | </metadata>
| |
| − | <creator>
| |
| − | <program>fiwalk</program>
| |
| − | <version>0.5.7</version>
| |
| − | <os>Darwin</os>
| |
| − | <library name="tsk" version="3.0.1"></library>
| |
| − | <library name="afflib" version="3.5.2"></library>
| |
| − | <command_line>fiwalk -x /dev/disk2</command_line>
| |
| − | </creator>
| |
| − | <source>
| |
| − | <imagefile>/dev/disk2</imagefile>
| |
| − | </source>
| |
| − | <!-- fs start: 512 -->
| |
| − | <volume offset='512'>
| |
| − | <Partition_Offset>512</Partition_Offset>
| |
| − | <block_size>512</block_size>
| |
| − | <ftype>2</ftype>
| |
| − | <ftype_str>fat12</ftype_str>
| |
| − | <block_count>5062</block_count>
| |
| − | <first_block>0</first_block>
| |
| − | <last_block>5061</last_block>
| |
| − | <fileobject>
| |
| − | <filename>README.txt</filename>
| |
| − | <id>2</id>
| |
| − | <filesize>43</filesize>
| |
| − | <partition>1</partition>
| |
| − | <alloc>1</alloc>
| |
| − | <used>1</used>
| |
| − | <inode>6</inode>
| |
| − | <type>1</type>
| |
| − | <mode>511</mode>
| |
| − | <nlink>1</nlink>
| |
| − | <uid>0</uid>
| |
| − | <gid>0</gid>
| |
| − | <mtime>1258916904</mtime>
| |
| − | <atime>1258876800</atime>
| |
| − | <crtime>1258916900</crtime>
| |
| − | <byte_runs>
| |
| − | <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
| |
| − | </byte_runs>
| |
| − | <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
| |
| − | <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
| |
| − | </fileobject>
| |
| − | </volume>
| |
| − | <!-- end of volume -->
| |
| − | <!-- clock: 0 -->
| |
| − | <runstats>
| |
| − | <user_seconds>0</user_seconds>
| |
| − | <system_seconds>0</system_seconds>
| |
| − | <maxrss>1814528</maxrss>
| |
| − | <reclaims>546</reclaims>
| |
| − | <faults>1</faults>
| |
| − | <swaps>0</swaps>
| |
| − | <inputs>56</inputs>
| |
| − | <outputs>0</outputs>
| |
| − | <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
| |
| − | </runstats>
| |
| − | </fiwalk>
| |
| − | </pre>
| |
| − |
| |
| − |
| |
| − |
| |
| − | ==XML Schema==
| |
| − |
| |
| − | {|
| |
| − | |XML Tag
| |
| − | |Meaning
| |
| − | |
| |
| − | |-
| |
| − | |<fileobject>
| |
| − | |Every file is inside a <fileobject>
| |
| − | |-
| |
| − | |<orphan>YES</orphan>
| |
| − | |YES means that the file is an ""orphan,"" with no file name.
| |
| − | |-
| |
| − | |<filesize>3210</filesize>
| |
| − | |The file size in bytes.
| |
| − | |-
| |
| − | |<unalloc>1</unalloc>
| |
| − | |A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
| |
| − | |-
| |
| − | |<used>1</used>
| |
| − | |Not sure what this means.
| |
| − | |-
| |
| − | |<mtime>1114172320</mtime>
| |
| − | |The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970).
| |
| − | |-
| |
| − | |<ctime>1195819392</ctime>
| |
| − | |The file's inode's creation time, as a Unix timestamp.
| |
| − | |-
| |
| − | |<atime>1195794000</atime>
| |
| − | |The file's access time, as a unix timestamp.
| |
| − | |-
| |
| − | |<byte_runs>121130496:3210</byte_runs>
| |
| − | |The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
| |
| − | |-
| |
| − | |<fragments>1</fragments>
| |
| − | |The number of fragments in the file.
| |
| − | |-
| |
| − | |<md5>c27c0730b858bc60c8894300a98bba55</md5>
| |
| − | |The file's MD5, as a hexadecimal hash.
| |
| − | |-
| |
| − | |<sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1>
| |
| − | |The file's SHA1, as a hexadecimal hash.
| |
| − | |-
| |
| − | |<partition>1</partition>
| |
| − | |The partition number in which the file was found.
| |
| − | |-
| |
| − | |<frag1startsector>236583</frag1startsector>
| |
| − | |The sector number of the first fragment. (Can be computed by taking the byte offset of the first byte run and dividing by the disk's sector size.)
| |
| − | |}
| |
| − |
| |
| − | ==See Also==
| |
| − | * [http://domex.nps.edu/deep/Fiwalk.html fiwalk on the DEEP website]
| |
| − |
| |
| − | [[Category:Digital Forensics XML]]
| |