
Difference between pages "Timeline Analysis" and "Fiwalk"

From ForensicsWiki
Timeline Analysis

==Papers==
* S. Willassen, [http://www.igi-global.com/articles/details.asp?ID=33298 "A Model Based Approach to Timestamp Evidence Interpretation"], International Journal of Digital Crime and Forensics, 1:2, 2009
* J. Olsson, [http://www.bth.se/fou/cuppsats.nsf/bbb56322b274389dc1256608004f052b/2e5256fe7d0e57d5c12574bd0072d894!OpenDocument "Digital Evidence with an Emphasis on Time"], Master's Thesis, Blekinge Institute of Technology, September 2008
* R. Koen, M. Olivier, [http://icsa.cs.up.ac.za/issa/2008/Proceedings/Full/43.pdf "The Use of File Timestamps in Digital Forensics"], ISSA 2008, Johannesburg, South Africa, July 2008
* S. Willassen, [http://www.diva-portal.org/ntnu/abstract.xsql?dbid=2145 "Methods for Enhancement of Timestamp Evidence in Digital Investigations"], PhD Dissertation, Norwegian University of Science and Technology, 2008
* S. Willassen, [http://www.willassen.no/svein/pub/ares08.pdf "Finding Evidence of Antedating in Digital Investigations"], ARES 2008, Barcelona, Spain, March 2008
* S. Willassen, [http://www.willassen.no/svein/pub/ifip08.pdf "Hypothesis Based Investigation of Digital Timestamp"], 4th IFIP WG 11.9 Workshop on Digital Evidence, Kyoto, Japan, January 2008
* S. Willassen, [http://www.willassen.no/svein/pub/efor08.pdf "Timestamp Evidence Correlation by model based clock hypothesis testing"], E-Forensics 2008, Adelaide, Australia, January 2008
* F. Buchholz, [http://www.infosec.jmu.edu/reports/jmu-infosec-tr-2007-001.pdf "An Improved Clock Model for Translating Timestamps"], JMU-INFOSEC-TR-2007-001, James Madison University
* F. Buchholz, B. Tjaden, [http://www.dfrws.org/2007/proceedings/p31-buchholz.pdf "A brief study of time"], Digital Investigation 2007:4S
* K. Chow, F. Law, M. Kwan, P. Lai, [http://i.cs.hku.hk/~cisc/forensics/papers/RuleOfTime.pdf "The Rules of Time on NTFS File System"], 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, April 2007
* B. Schatz, G. Mohay, A. Clark, [http://www.dfrws.org/2006/proceedings/13-%20Schatz.pdf "A correlation method for establishing provenance of timestamps in digital evidence"], Digital Investigation 2006:3S
* P. Gladyshev, A. Patel, [http://www.utica.edu/academic/institutes/ecii/publications/articles/B4A90270-B5A9-6380-68863F61C2F7603D.pdf "Formalizing Event Time Bounding in Digital Investigation"], International Journal of Digital Evidence, vol 4:2, 2005
* C. Boyd, P. Forster, "Time and Date issues in forensic computing - a case study", Digital Investigation 2004:1
* M.W. Stevens, "Unification of relative time frames for digital forensics", Digital Investigation 2004:1
* M. C. Weil, [http://www.utica.edu/academic/institutes/ecii/publications/articles/A048B1E4-B921-1DA3-EB227EE7F61F2053.pdf "Dynamic Time & Date Stamp Analysis"], International Journal of Digital Evidence, vol 1:2, 2002
* S. Havre, B. Hetzler, L. Nowell, [http://infoviz.pnl.gov/pdf/themeriver99.pdf "ThemeRiver: In Search of Trends, Patterns, and Relationships"], Battelle Pacific Northwest Division, Richland, Washington, 1999
* S. A. Morris, G. Yen, Z. Wu, B. Asnake, [http://www.conceptsymbols.com/web/publications/2003_timelines.pdf "Timeline Visualization of Research Fronts"], School of Electrical and Computer Engineering, Oklahoma State University, Stillwater, Oklahoma, 2003
* M. Stefaner, [http://well-formed-data.net/archives/26/visualizing-gaps-in-time-based-lists "Visualizing gaps in time-based lists"], November 6, 2000

==Programs==
; [[Zeitline]] — Forensic timeline editor
: http://projects.cerias.purdue.edu/forensics/timeline.php
: http://sourceforge.net/projects/zeitline/

; [[sorter]] — [[Sleuthkit]]'s [[MAC times]] sorting program.

; [http://code.google.com/p/simile-widgets/ Simile Timeline and Timeplot]

==See Also==
* http://www.timeforensics.com/

[[Category:Bibliographies]]
[[Category:Timeline Analysis]]

Fiwalk, revision as of 06:43, 25 November 2009

fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.

==XML Example==

<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata 
  xmlns='http://example.org/myapp/' 
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' 
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
<!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
  </volume>
<!-- end of volume -->
<!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>


==XML Schema==

{|
! XML Tag
! Meaning
|-
| <fileobject>
| Every file is inside a <fileobject>.
|-
| <orphan>YES</orphan>
| YES means that the file is an "orphan", with no file name.
|-
| <filesize>3210</filesize>
| The file size in bytes.
|-
| <unalloc>1</unalloc>
| A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
|-
| <used>1</used>
| Not sure what this means.
|-
| <mtime>1114172320</mtime>
| The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970).
|-
| <ctime>1195819392</ctime>
| The file's inode's creation time, as a Unix timestamp.
|-
| <atime>1195794000</atime>
| The file's access time, as a Unix timestamp.
|-
| <byte_runs>121130496:3210</byte_runs>
| The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
|-
| <fragments>1</fragments>
| The number of fragments in the file.
|-
| <md5>c27c0730b858bc60c8894300a98bba55</md5>
| The file's MD5, as a hexadecimal hash.
|-
| <sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1>
| The file's SHA1, as a hexadecimal hash.
|-
| <partition>1</partition>
| The partition number in which the file was found.
|-
| <frag1startsector>236583</frag1startsector>
| The sector number of the first fragment. (Can be computed by taking the byte offset of the first byte run and dividing by the disk's sector size.)
|}
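As an added example (not code from fiwalk or from this page), a Python reader for this XML that turns the per-file timestamps into the kind of sorted timeline the Timeline Analysis papers study and carries out the byte-run and first-sector computations the schema table describes. It accepts both the <run> element form of the 0.2 output above and the older offset:length text form from the table; the sample document is a trimmed copy of the output above plus a constructed second file, old.doc, whose values are the table's.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Constructed sample, not real tool output: a trimmed copy of the 0.2 XML above plus a second
# fileobject written in the older "offset:length" byte_runs form the schema table describes.
SAMPLE_XML = b"""<fiwalk xmloutputversion='0.2'><volume offset='512'><block_size>512</block_size>
<fileobject><filename>README.txt</filename><filesize>43</filesize><mtime>1258916904</mtime>
<atime>1258876800</atime><crtime>1258916900</crtime>
<byte_runs><run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/></byte_runs></fileobject>
<fileobject><filename>old.doc</filename><filesize>3210</filesize><mtime>1114172320</mtime>
<byte_runs>121130496:3210</byte_runs></fileobject></volume></fiwalk>"""

TIME_KEYS = ("mtime", "atime", "ctime", "crtime")

def parse_runs(byte_runs):
    # Either <run .../> children (0.2 output) or "img_offset:length" text pairs (older form).
    runs = [(int(r.get("img_offset")), int(r.get("fs_offset")), int(r.get("len")))
            for r in byte_runs.iter("run")]
    if not runs and byte_runs.text:
        for frag in byte_runs.text.split():
            off, length = frag.split(":")
            runs.append((int(off), None, int(length)))   # the old form carries no fs_offset
    return runs

def parse_fileobjects(xml_bytes):
    # One dict per <fileobject>, keeping the volume offset and sector size it was found under.
    root = ET.fromstring(xml_bytes)
    for vol in root.iter("volume"):
        vol_offset, sector = int(vol.get("offset", "0")), int(vol.findtext("block_size", "512"))
        for fo in vol.iter("fileobject"):
            br = fo.find("byte_runs")
            yield {"name": fo.findtext("filename"), "size": int(fo.findtext("filesize", "0")),
                   "times": {k: int(fo.findtext(k)) for k in TIME_KEYS if fo.findtext(k)},
                   "runs": parse_runs(br) if br is not None else [],
                   "vol_offset": vol_offset, "sector": sector}

def first_sector(fo):
    # frag1startsector as the schema table defines it: first run's image offset / sector size.
    return fo["runs"][0][0] // fo["sector"]

def runs_consistent(fo):
    # Run lengths must sum to filesize, and where fs_offset is present img_offset must equal
    # volume offset + fs_offset: a cheap check before carving a file out by image offset.
    total = sum(length for _, _, length in fo["runs"])
    aligned = all(fs is None or img == fo["vol_offset"] + fs for img, fs, _ in fo["runs"])
    return total == fo["size"] and aligned

def timeline(fileobjects):
    # (UTC datetime, kind, filename) events, oldest first. FAT stores only an access date, so a
    # FAT atime falls on a local midnight and is coarser than the mtime/crtime beside it.
    events = [(datetime.fromtimestamp(ts, tz=timezone.utc), kind, fo["name"])
              for fo in fileobjects for kind, ts in fo["times"].items()]
    return sorted(events)
```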

==See Also==
* [http://domex.nps.edu/deep/Fiwalk.html fiwalk on the DEEP website]

[[Category:Digital Forensics XML]]
[[Category:Tools]]