Difference between pages "Timeline Analysis Bibliography" and "Fiwalk"

From Forensics Wiki
(Difference between pages)
m (Papers)
 
m
 
Line 1: Line 1:
==Papers==
+
fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.
* S. Willassen, [http://www.igi-global.com/articles/details.asp?ID=33298 "A Model Based Approach to Timestamp Evidence Interpretation"], International Journal of Digital Crime and Forensics, 1:2, 2009
+
  
* Olsson, Jens [http://www.bth.se/fou/cuppsats.nsf/bbb56322b274389dc1256608004f052b/2e5256fe7d0e57d5c12574bd0072d894!OpenDocument Digital Evidence with an Emphasis on Time],  Master's Thesis, Blekinge Institute of Technology, September 2008.
+
==XML Example==
* R. Koen, M. Olivier, [http://icsa.cs.up.ac.za/issa/2008/Proceedings/Full/43.pdf "The Use of File Timestamps in Digital Forensics"], ISSA 2008, Johannesburg, South Africa, July 2008
+
<pre>
* S. Willassen, [http://www.diva-portal.org/ntnu/abstract.xsql?dbid=2145 "Methods for Enhancement of Timestamp Evidence in Digital Investigations"], PhD Dissertation, Norwegian University of Science and Technology, 2008
+
<?xml version='1.0' encoding='ISO-8859-1'?>
* S. Willassen, [http://www.willassen.no/svein/pub/ares08.pdf "Finding Evidence of Antedating in Digital Investigations"], ARES 2008, Barcelona, Spain, March 2008
+
<fiwalk xmloutputversion='0.2'>
* S. Willassen, [http://www.willassen.no/svein/pub/ifip08.pdf "Hypothesis Based Investigation of Digital Timestamp"], 4th IFIP WG 11.9 Workskop on Digital Evidence, Kyoto, Japan, January 2008
+
  <metadata
* S. Willassen, [http://www.willassen.no/svein/pub/efor08.pdf "Timestamp Evidence Correlation by model based clock hypothesis testing"], E-Forensics 2008, Adelaide, Australia, January 2008
+
  xmlns='http://example.org/myapp/'
* F. Buchholz, [http://www.infosec.jmu.edu/reports/jmu-infosec-tr-2007-001.pdf "An Improved Clock Model for Translating Timestamps"], JMU-INFOSEC-TR-2007-001, James Madison University
+
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
* F. Buchholz, B. Tjaden, [http://www.dfrws.org/2007/proceedings/p31-buchholz.pdf "A brief study of time"], Digital Investigation 2007:4S
+
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
* K. Chow, F. Law, M. Kwan, P. Lai, [http://i.cs.hku.hk/~cisc/forensics/papers/RuleOfTime.pdf "The Rules of Time on NTFS File System"], 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, April 2007
+
    <dc:type>Disk Image</dc:type>
* B. Schatz, G. Mohay, A. Clark, [http://www.dfrws.org/2006/proceedings/13-%20Schatz.pdf "A correlation method for establishing provenance of timestamps in digital evidence"], Digital Investigation 2006:3S
+
  </metadata>
* P. Gladyshev, A. Patel, [http://www.utica.edu/academic/institutes/ecii/publications/articles/B4A90270-B5A9-6380-68863F61C2F7603D.pdf "Formalizing Event Time Bouding in Digital Investigation"], International Journal of Digital Evidence, vol 4:2, 2005
+
  <creator>
* C. Boyd, P. Forster, "Time and Date issues in forensic computing - a case study", Digital Investigation 2004:1
+
    <program>fiwalk</program>
* M.W. Stevens, "Unification of relative time frames for digital forensics", Digital Investigation 2004:1
+
    <version>0.5.7</version>
* [http://www.utica.edu/academic/institutes/ecii/publications/articles/A048B1E4-B921-1DA3-EB227EE7F61F2053.pdf "Dynamic Time & Date Stamp Analysis"], M .C. Weil, International Journal of Digital Evidence, vol 1:2, 2002
+
    <os>Darwin</os>
 +
    <library name="tsk" version="3.0.1"></library>
 +
    <library name="afflib" version="3.5.2"></library>
 +
    <command_line>fiwalk -x /dev/disk2</command_line>
 +
  </creator>
 +
  <source>
 +
    <imagefile>/dev/disk2</imagefile>
 +
  </source>
 +
<!-- fs start: 512 -->
 +
  <volume offset='512'>
 +
    <Partition_Offset>512</Partition_Offset>
 +
    <block_size>512</block_size>
 +
    <ftype>2</ftype>
 +
    <ftype_str>fat12</ftype_str>
 +
    <block_count>5062</block_count>
 +
    <first_block>0</first_block>
 +
    <last_block>5061</last_block>
 +
    <fileobject>
 +
      <filename>README.txt</filename>
 +
      <id>2</id>
 +
      <filesize>43</filesize>
 +
      <partition>1</partition>
 +
      <alloc>1</alloc>
 +
      <used>1</used>
 +
      <inode>6</inode>
 +
      <type>1</type>
 +
      <mode>511</mode>
 +
      <nlink>1</nlink>
 +
      <uid>0</uid>
 +
      <gid>0</gid>
 +
      <mtime>1258916904</mtime>
 +
      <atime>1258876800</atime>
 +
      <crtime>1258916900</crtime>
 +
      <byte_runs>
 +
      <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
 +
      </byte_runs>
 +
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
 +
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
 +
    </fileobject>
 +
  </volume>
 +
<!-- end of volume -->
 +
<!-- clock: 0 -->
 +
  <runstats>
 +
    <user_seconds>0</user_seconds>
 +
    <system_seconds>0</system_seconds>
 +
    <maxrss>1814528</maxrss>
 +
    <reclaims>546</reclaims>
 +
    <faults>1</faults>
 +
    <swaps>0</swaps>
 +
    <inputs>56</inputs>
 +
    <outputs>0</outputs>
 +
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
 +
  </runstats>
 +
</fiwalk>
 +
</pre>
  
* [http://infoviz.pnl.gov/pdf/themeriver99.pdf ThemeRiver: In Search of Trends, Patterns, and Relationships], Susan Havre, Beth Hetzler, and Lucy Nowell, Battelle Pacific Northwest Division, Richland, Washington, 1999
 
* [http://www.conceptsymbols.com/web/publications/2003_timelines.pdf Timeline Visualization of Research Fronts], Steven A. Morris2, G. Yen, Zheng Wu, Benyam Asnake , School of Electrical and Computer Engineering, Oklahoma State University, Stillwater, Oklahoma. 2003
 
* [http://well-formed-data.net/archives/26/visualizing-gaps-in-time-based-lists Visualizing gaps in time-based lists], Moritz Stefaner, November 6, 2000
 
  
==Programs==
 
; [[Zeitline]] — Forensic timeline editor
 
: http://projects.cerias.purdue.edu/forensics/timeline.php
 
: http://sourceforge.net/projects/zeitline/
 
  
; [[sorter]] — [[Sleuthkit]]'s [[MAC times]] sorting program.
+
==XML Schema==
  
; [http://code.google.com/p/simile-widgets/ Simile Timeline and Timeplot]
+
{|
 +
|XML Tag
 +
|Meaning
 +
|
 +
|-
 +
|<fileobject>
 +
|Every file is inside a <fileobject>
 +
|-
 +
|<orphan>YES</orphan>
 +
|YES means that the file is an ""orphan,"" with no file name.
 +
|-
 +
|<filesize>3210</filesize>
 +
|The file size in bytes.
 +
|-
 +
|<unalloc>1</unalloc>
 +
|A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
 +
|-
 +
|<used>1</used>
 +
|Not sure what this means.
 +
|-
 +
|<mtime>1114172320</mtime>
 +
|The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970).
 +
|-
 +
|<ctime>1195819392</ctime>
 +
|The file's inode's creation time, as a Unix timestamp.
 +
|-
 +
|<atime>1195794000</atime>
 +
|The file's access time, as a unix timestamp.
 +
|-
 +
|<byte_runs>121130496:3210</byte_runs>
 +
|The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
 +
|-
 +
|<fragments>1</fragments>
 +
|The number of fragments in the file.
 +
|-
 +
|<md5>c27c0730b858bc60c8894300a98bba55</md5>
 +
|The file's MD5, as a hexadecimal hash.
 +
|-
 +
|<sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1>
 +
|The file's SHA1, as a hexadecimal hash.
 +
|-
 +
|<partition>1</partition>
 +
|The partition number in which the file was found.
 +
|-
 +
|<frag1startsector>236583</frag1startsector>
 +
|The sector number of the first fragment. (Can be computed by taking the byte offset of the first byte run and dividing by the disk's sector size.)
 +
|}
  
 
==See Also==
 
==See Also==
* http://www.timeforensics.com/  
+
* [http://domex.nps.edu/deep/Fiwalk.html fiwalk on the DEEP website]
  
 
+
[[Category:Digital Forensics XML]]
 
+
 
+
 
+
[[Category:Tools]]
+
[[Category:Bibliographies]]
+
[[Category:Timeline Analysis]]
+
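Review bot: the ==XML Schema== table documents element names that the ==XML Example== added in the same revision does not contain. The table lists <unalloc>, <ctime>, <md5>, <sha1> and a text-form <byte_runs>121130496:3210</byte_runs>, while the example (xmloutputversion='0.2') shows <alloc>, <crtime>, <hashdigest type='md5'> and <run .../> children inside <byte_runs>. Suggest either aligning the table with the 0.2 output or stating which output version each section describes, so a reader writing a parser knows which names to expect. The <used> row ("Not sure what this means.") should also be given a definition or marked as undocumented before this is relied on as a schema reference.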

Revision as of 01:43, 25 November 2009

fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.

==XML Example==

<pre>
<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata
  xmlns='http://example.org/myapp/'
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
<!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
        <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
  </volume>
<!-- end of volume -->
<!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>
</pre>


==XML Schema==

{|
|XML Tag
|Meaning
|-
|<fileobject>
|Every file is inside a <fileobject>
|-
|<orphan>YES</orphan>
|YES means that the file is an "orphan," with no file name.
|-
|<filesize>3210</filesize>
|The file size in bytes.
|-
|<unalloc>1</unalloc>
|A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
|-
|<used>1</used>
|Not sure what this means.
|-
|<mtime>1114172320</mtime>
|The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970).
|-
|<ctime>1195819392</ctime>
|The file's inode's creation time, as a Unix timestamp.
|-
|<atime>1195794000</atime>
|The file's access time, as a Unix timestamp.
|-
|<byte_runs>121130496:3210</byte_runs>
|The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
|-
|<fragments>1</fragments>
|The number of fragments in the file.
|-
|<md5>c27c0730b858bc60c8894300a98bba55</md5>
|The file's MD5, as a hexadecimal hash.
|-
|<sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1>
|The file's SHA1, as a hexadecimal hash.
|-
|<partition>1</partition>
|The partition number in which the file was found.
|-
|<frag1startsector>236583</frag1startsector>
|The sector number of the first fragment. (Can be computed by taking the byte offset of the first byte run and dividing by the disk's sector size.)
|}
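
The following is an added example, not part of the wiki page or of the fiwalk distribution: it reads `<fileobject>` records using the element names from the XML example above, converts the Unix timestamps to UTC, derives the first fragment's sector from the first byte run, and re-reads the byte runs from the image to check the recorded length and SHA-1. The function names, the 512-byte sector size and the in-memory image are assumptions made for the example.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size; the page's example volume reports block_size 512

def parse_fileobjects(xml_text):
    """Return one dict per <fileobject>, using the element names of the page's XML example."""
    records = []
    for fo in ET.fromstring(xml_text).iter("fileobject"):
        runs = [(int(r.get("img_offset")), int(r.get("len")))
                for r in fo.iter("run")]
        times = {t: datetime.fromtimestamp(int(fo.findtext(t)), timezone.utc)
                 for t in ("mtime", "atime", "crtime") if fo.findtext(t)}
        records.append({
            "name": fo.findtext("filename"),
            "size": int(fo.findtext("filesize", "0")),
            "allocated": fo.findtext("alloc") == "1",
            "times": times, "runs": runs,
            # First fragment's sector: byte offset of the first run / sector size.
            "first_sector": runs[0][0] // SECTOR if runs else None,
            "digests": {h.get("type"): h.text for h in fo.iter("hashdigest")},
        })
    return records

def carve(image, runs):
    """Reassemble a file from its byte runs (offsets count from the start of the image)."""
    return b"".join(image[off:off + n] for off, n in runs)

def verify(record, image):
    """True when the carved bytes match the recorded length and SHA-1 digest."""
    data = carve(image, record["runs"])
    return (len(data) == record["size"]
            and hashlib.sha1(data).hexdigest() == record["digests"].get("sha1"))

# Constructed sample: a 43-byte file placed at the img_offset shown in the page's example.
CONTENT = b"constructed README body for this example.\r\n"
IMAGE = bytes(37888) + CONTENT + bytes(512)
SAMPLE = f"""<fiwalk><volume offset='512'><fileobject>
  <filename>README.txt</filename><filesize>{len(CONTENT)}</filesize><alloc>1</alloc>
  <mtime>1258916904</mtime><atime>1258876800</atime><crtime>1258916900</crtime>
  <byte_runs><run file_offset='0' fs_offset='37376' img_offset='37888' len='{len(CONTENT)}'/></byte_runs>
  <hashdigest type='sha1'>{hashlib.sha1(CONTENT).hexdigest()}</hashdigest>
</fileobject></volume></fiwalk>"""

if __name__ == "__main__":
    for rec in parse_fileobjects(SAMPLE):
        print(rec["name"], "sector", rec["first_sector"], "verified", verify(rec, IMAGE))
        print({k: v.isoformat() for k, v in rec["times"].items()})
```

A failed `verify` means the bytes at the recorded offsets no longer match what fiwalk hashed, which is the check to run before relying on a carved file or its timestamps.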

==See Also==