Digital forensics image ingest
Related issues: #5265
Forensics image transfer type
- Archivematica transfer type: forensic image
- One or more images make up a transfer
- Repository makes image in outside imaging software prior to ingest
- Some metadata from the imaging process will be included, initially from FTK and later from other tools such as Guymager
- Forensic image types accepted: dd (Raw), ISO, AD1, BIN
Forensics image transfer workflow
Forensic image transfer tools
fiwalk
- Characterize and extract metadata micro-service
- Use Mark Matienzo's GitHub fork, which adds FIDO for format identification; stock fiwalk identifies formats with libmagic, which is unsatisfactory for our purposes
Sample fiwalk XML output:
<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata xmlns='http://example.org/myapp/' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
  <!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
        <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
  </volume>
  <!-- end of volume -->
  <!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>
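The two parts of that output an ingest micro-service actually consumes are the byte_runs (where each file's bytes sit in the image, via img_offset and len) and the hashdigest elements. Together they let the service re-read each file straight from the image and confirm that the digests fiwalk reported match the image that was transferred. The following is an added example, not Archivematica or fiwalk code: it parses a DFXML document namespace-agnostically, reassembles each allocated file from its byte runs, and re-hashes it. The image and DFXML are constructed for the example (a zero-filled buffer with a 12-byte README.txt written at the sample's offset 37888, and digests of that content); the function names are the example's own.

```python
# Added example (not Archivematica or fiwalk code): parse fiwalk/DFXML output,
# collect each fileobject's byte runs and hash digests, and re-hash the bytes
# at those image offsets to confirm the digests match the image being ingested.
# All data here is constructed: the "image" is a 64 KiB zero-filled buffer with
# README.txt content at the img_offset its byte run claims, and the DFXML is a
# cut-down document in the shape of the fiwalk sample above.
import hashlib
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

README_OFFSET = 37888              # img_offset of the run, as in the sample
README_CONTENT = b"hello world\n"  # constructed file content (12 bytes)

# Constructed DFXML; the digests are those of README_CONTENT.
SAMPLE_DFXML = b"""<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <volume offset='512'>
    <fileobject>
      <filename>README.txt</filename>
      <filesize>12</filesize>
      <alloc>1</alloc>
      <byte_runs>
        <run file_offset='0' fs_offset='37376' img_offset='37888' len='12'/>
      </byte_runs>
      <hashdigest type='md5'>6f5902ac237024bdd0c176cb93063dc4</hashdigest>
      <hashdigest type='sha1'>22596363b3de40b06f981fb85d82312e8c0ed511</hashdigest>
    </fileobject>
  </volume>
</fiwalk>
"""


def _local(tag):
    """Drop any namespace so lookups work whether or not the DFXML uses a
    default namespace (newer fiwalk output does, the sample above does not)."""
    return tag.rsplit("}", 1)[-1]


@dataclass
class FileObject:
    filename: str = ""
    filesize: int = 0
    alloc: bool = False
    runs: list = field(default_factory=list)     # [(img_offset, length), ...]
    digests: dict = field(default_factory=dict)  # {"md5": hex, "sha1": hex}


def parse_dfxml(xml_bytes):
    """Return the fileobjects found in a DFXML document."""
    objects = []
    for el in ET.fromstring(xml_bytes).iter():
        if _local(el.tag) != "fileobject":
            continue
        fo = FileObject()
        for child in el:
            name = _local(child.tag)
            if name == "filename":
                fo.filename = child.text or ""
            elif name == "filesize":
                fo.filesize = int(child.text)
            elif name == "alloc":
                fo.alloc = (child.text or "").strip() == "1"
            elif name == "byte_runs":
                for run in child:
                    if _local(run.tag) == "run":
                        fo.runs.append((int(run.get("img_offset")), int(run.get("len"))))
            elif name == "hashdigest":
                fo.digests[child.get("type").lower()] = (child.text or "").strip().lower()
        objects.append(fo)
    return objects


def extract_file(image, fo):
    """Reassemble a file from its byte runs (DFXML lists them in file order).
    The result is cut to filesize in case the last run is cluster-rounded."""
    data = bytearray()
    for img_offset, length in fo.runs:
        image.seek(img_offset)
        chunk = image.read(length)
        if len(chunk) != length:
            raise ValueError(f"{fo.filename}: run at {img_offset} runs past end of image")
        data += chunk
    return bytes(data[: fo.filesize])


def verify_image(xml_bytes, image):
    """Map filename -> {hash type: True/False} for every allocated fileobject.
    A digest type the local hashlib lacks is reported False, never skipped,
    so a missing algorithm cannot read as a pass."""
    report = {}
    for fo in parse_dfxml(xml_bytes):
        if not fo.alloc:
            continue  # deleted entries may point at reallocated runs
        data = extract_file(image, fo)
        report[fo.filename] = {
            htype: (htype in hashlib.algorithms_available
                    and hashlib.new(htype, data).hexdigest() == expected)
            for htype, expected in fo.digests.items()
        }
    return report


def build_image(tamper=False):
    """Constructed stand-in for a dd image; tamper=True flips one content byte."""
    buf = bytearray(64 * 1024)
    buf[README_OFFSET:README_OFFSET + len(README_CONTENT)] = README_CONTENT
    if tamper:
        buf[README_OFFSET] ^= 0x01
    return io.BytesIO(bytes(buf))


if __name__ == "__main__":
    print(verify_image(SAMPLE_DFXML, build_image()))
    print(verify_image(SAMPLE_DFXML, build_image(tamper=True)))
```

For a real transfer, replace build_image() with the opened dd image and SAMPLE_DFXML with the fiwalk output for that image. The check proves that the DFXML describes the image in hand; it does not prove the image is what was acquired, since anyone who can rewrite the image can rerun fiwalk, so a digest of the whole image recorded at imaging time (FTK and Guymager both produce one) is the thing to compare against. ElementTree does not resolve external entities by default, but if the DFXML comes from outside the ingest host, parse it with defusedxml instead.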