Fiwalk

From Forensics Wiki
Revision as of 01:43, 25 November 2009 by Simsong (Talk | contribs)


fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.

XML Example

<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata 
  xmlns='http://example.org/myapp/' 
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' 
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
<!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
  </volume>
<!-- end of volume -->
<!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>


XML Schema

XML Tag / Meaning

Note that this table documents an earlier output layout than the xmloutputversion 0.2 example above: there, each fragment is a <run> element under <byte_runs> and hashes are <hashdigest type='...'> elements rather than <md5> and <sha1> tags.

<fileobject> Every file is inside a <fileobject>.
<orphan>YES</orphan> YES means that the file is an "orphan," with no file name.
<filesize>3210</filesize> The file size in bytes.
<unalloc>1</unalloc> A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
<used>1</used> Not sure what this means.
<mtime>1114172320</mtime> The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970).
<ctime>1195819392</ctime> The file's inode's creation time, as a Unix timestamp.
<atime>1195794000</atime> The file's access time, as a Unix timestamp.
<byte_runs>121130496:3210</byte_runs> The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
<fragments>1</fragments> The number of fragments in the file.
<md5>c27c0730b858bc60c8894300a98bba55</md5> The file's MD5, as a hexadecimal hash.
<sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1> The file's SHA1, as a hexadecimal hash.
<partition>1</partition> The partition number in which the file was found.
<frag1startsector>236583</frag1startsector> The sector number of the first fragment. (Can be computed by taking the byte offset of the first byte run and dividing by the disk's sector size.)
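As an added example (not code from this page or from fiwalk itself), a small Python reader for the listing format: it accepts both the 0.2 <run> layout shown above and the older "offset:len" text form from the schema table (whitespace between fragments in that form is an assumption), derives frag1startsector exactly as the table describes, and rechecks a recorded MD5 against bytes reassembled from a disk image, which is how a listing is validated against the image it claims to describe. The sample XML is a trimmed copy of the example above.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the xmloutputversion 0.2 output shown above.
SAMPLE_XML = """<fiwalk xmloutputversion='0.2'>
  <volume offset='512'>
    <block_size>512</block_size>
    <fileobject>
      <filename>README.txt</filename>
      <byte_runs>
       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
    </fileobject>
  </volume>
</fiwalk>"""


def parse_runs(fo):
    # [(img_offset, length)] from 0.2 <run> elements, or from the older
    # "offset:len" text form (assumed whitespace-separated when fragmented).
    br = fo.find("byte_runs")
    if br is None:
        return []
    runs = [(int(r.get("img_offset")), int(r.get("len"))) for r in br.findall("run")]
    if not runs and br.text and br.text.strip():
        runs = [tuple(int(v) for v in frag.split(":")) for frag in br.text.split()]
    return runs


def parse_fiwalk(xml_text):
    # One dict per <fileobject>; hashes from <hashdigest type=...> or legacy <md5>/<sha1>.
    out = []
    for vol in ET.fromstring(xml_text).findall("volume"):
        block_size = int(vol.findtext("block_size", "512"))
        for fo in vol.findall("fileobject"):
            runs = parse_runs(fo)
            hashes = {h.get("type"): h.text for h in fo.findall("hashdigest")}
            hashes.update({t: fo.findtext(t) for t in ("md5", "sha1") if fo.find(t) is not None})
            out.append({"filename": fo.findtext("filename"), "runs": runs, "hashes": hashes,
                        # frag1startsector = image byte offset of first run / sector size
                        "frag1startsector": runs[0][0] // block_size if runs else None})
    return out


def extract_file(image, runs):
    # Reassemble a (possibly fragmented) file from its byte runs over an in-memory image.
    return b"".join(image[off:off + ln] for off, ln in runs)


def verify_md5(image, fileobj):
    # Recompute MD5 over the reassembled bytes and compare with the recorded digest.
    return hashlib.md5(extract_file(image, fileobj["runs"])).hexdigest() == fileobj["hashes"].get("md5")
```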
