Difference between pages "Carver 2.0 Planning Page" and "Fiwalk"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
m
 
Line 1: Line 1:
This page is for planning Carver 2.0.
+
{{Infobox_Software |
 +
  name = fiwalk |
 +
  maintainer = [[Simson Garfinkel]] |
 +
  os = {{Linux}}, {{MacOS}}, {{FreeBSD}} |
 +
  genre = [[Carving]] |
 +
  license = {{Public Domain}} |
 +
  website = http://www.afflib.org/
 +
}}
  
= License =
+
fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.
  
BSD
+
==XML Example==
 +
<pre>
 +
<?xml version='1.0' encoding='ISO-8859-1'?>
 +
<fiwalk xmloutputversion='0.2'>
 +
  <metadata
 +
  xmlns='http://example.org/myapp/'
 +
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 +
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
 +
    <dc:type>Disk Image</dc:type>
 +
  </metadata>
 +
  <creator>
 +
    <program>fiwalk</program>
 +
    <version>0.5.7</version>
 +
    <os>Darwin</os>
 +
    <library name="tsk" version="3.0.1"></library>
 +
    <library name="afflib" version="3.5.2"></library>
 +
    <command_line>fiwalk -x /dev/disk2</command_line>
 +
  </creator>
 +
  <source>
 +
    <imagefile>/dev/disk2</imagefile>
 +
  </source>
 +
<!-- fs start: 512 -->
 +
  <volume offset='512'>
 +
    <Partition_Offset>512</Partition_Offset>
 +
    <block_size>512</block_size>
 +
    <ftype>2</ftype>
 +
    <ftype_str>fat12</ftype_str>
 +
    <block_count>5062</block_count>
 +
    <first_block>0</first_block>
 +
    <last_block>5061</last_block>
 +
    <fileobject>
 +
      <filename>README.txt</filename>
 +
      <id>2</id>
 +
      <filesize>43</filesize>
 +
      <partition>1</partition>
 +
      <alloc>1</alloc>
 +
      <used>1</used>
 +
      <inode>6</inode>
 +
      <type>1</type>
 +
      <mode>511</mode>
 +
      <nlink>1</nlink>
 +
      <uid>0</uid>
 +
      <gid>0</gid>
 +
      <mtime>1258916904</mtime>
 +
      <atime>1258876800</atime>
 +
      <crtime>1258916900</crtime>
 +
      <byte_runs>
 +
      <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
 +
      </byte_runs>
 +
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
 +
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
 +
    </fileobject>
 +
  </volume>
 +
<!-- end of volume -->
 +
<!-- clock: 0 -->
 +
  <runstats>
 +
    <user_seconds>0</user_seconds>
 +
    <system_seconds>0</system_seconds>
 +
    <maxrss>1814528</maxrss>
 +
    <reclaims>546</reclaims>
 +
    <faults>1</faults>
 +
    <swaps>0</swaps>
 +
    <inputs>56</inputs>
 +
    <outputs>0</outputs>
 +
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
 +
  </runstats>
 +
</fiwalk>
 +
</pre>
  
= OS =
+
==Availability==
 +
fiwalk can be downloaded from http://afflib.org/fiwalk
  
Linux/FreeBSD/MacOS
+
==See Also==
 +
* [[fileobject]]
 +
* [http://domex.nps.edu/deep/Fiwalk.html fiwalk on the DEEP website]
  
= Requirements =
+
[[Category:Digital Forensics XML]]
* AFF and EWF file images supported from scratch.
+
* File system aware layer.
+
** By default, files are not carved.
+
* Plug-in architecture for identification/validation.
+
** Can we exercise libmagic or at least the patterns they identify?
+
* Ship with validators for:
+
** JPEG
+
** PNG
+
** GIF
+
** MSOLE
+
** ZIP
+
** TAR (gz/bz2)
+
* Simple fragment recovery carving using gap carving.
+
* Recovering of individual ZIP sections and JPEG icons that are not sector aligned.
+
* Autonomous operation (what is it? [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)).
+
* Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image.
+
** Perhaps allocate a percentage budget per-validator (i.e. each validator adds N% to the carving time)
+
* Parallelizable.
+
* Configuration:
+
** Can read Scalpel and Foremost config files.
+
** Disengage internal configuration structure from configuration files, create parsers that present the expected structure
+
**  Either extend Scalpel/Foremost syntaxes for extended features or create a tertiary syntax, at which point a converter would likely be useful.
+
* Can output audit.txt file.
+
* Easy integration into ascription software.
+
 
+
= Ideas =
+
* Use as much TSK if possible. Don't carry your own FS implementation there way photorec does.
+
* Extracting/carving data from [[Thumbs.db]]? I've used [[foremost]] for it with some success. [[Vinetto]] has some critical bugs :( [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
+
* Carving data structures. For example, extract all TCP headers from image by defining TCP header structure and some fields (e.g. source port > 1024, dest port = 80). This will extract all data matching the pattern and write a file with other fields. Another example is carving INFO2 structures and URL activity records from index.dat [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
+
 
+
= Supported File Systems =
+
 
+
Build a large list of supported filesystems. File carving programs ignore the filesystem, but this doesn't mean that they support all of them. Do we support Reiser4 with tail packing? Or exFAT? Or NTFS with compression? Document this. [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
+

Revision as of 12:01, 19 January 2012

fiwalk
Maintainer: Simson Garfinkel
OS: Linux,MacOS,FreeBSD
Genre: Carving
License: Public Domain
Website: http://www.afflib.org/

fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.

XML Example

<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata 
  xmlns='http://example.org/myapp/' 
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' 
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
<!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
  </volume>
<!-- end of volume -->
<!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>

Availability

fiwalk can be downloaded from http://afflib.org/fiwalk

See Also