Digital forensics image ingest

From Archivematica
Revision as of 17:47, 19 June 2013 by Courtney (talk | contribs)
Jump to navigation Jump to search

Main Page > Development > Development documentation > Digital forensics image ingest

Sample fiwalk xml output: (pre) <?xml version='1.0' encoding='ISO-8859-1'?> <fiwalk xmloutputversion='0.2'>

 <metadata 
 xmlns='http://example.org/myapp/' 
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' 
 xmlns:dc='http://purl.org/dc/elements/1.1/'>
   <dc:type>Disk Image</dc:type>
 </metadata>
 <creator>
   <program>fiwalk</program>
   <version>0.5.7</version>
   <os>Darwin</os>
   <library name="tsk" version="3.0.1"></library>
   <library name="afflib" version="3.5.2"></library>
   <command_line>fiwalk -x /dev/disk2</command_line>
 </creator>
    <imagefile>/dev/disk2</imagefile>
 <volume offset='512'>
   <Partition_Offset>512</Partition_Offset>
   <block_size>512</block_size>
   <ftype>2</ftype>
   <ftype_str>fat12</ftype_str>
   <block_count>5062</block_count>
   <first_block>0</first_block>
   <last_block>5061</last_block>
   <fileobject>
     <filename>README.txt</filename>
     <id>2</id>
     <filesize>43</filesize>
     <partition>1</partition>
     <alloc>1</alloc>
     <used>1</used>
     <inode>6</inode>
     <type>1</type>
     <mode>511</mode>
     <nlink>1</nlink>
     <uid>0</uid>
     <gid>0</gid>
     <mtime>1258916904</mtime>
     <atime>1258876800</atime>
     <crtime>1258916900</crtime>
     <byte_runs>
      <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
     </byte_runs>
     <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
     <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
   </fileobject>
 </volume>
 <runstats>
   <user_seconds>0</user_seconds>
   <system_seconds>0</system_seconds>
   <maxrss>1814528</maxrss>
   <reclaims>546</reclaims>
   <faults>1</faults>
   <swaps>0</swaps>
   <inputs>56</inputs>
   <outputs>0</outputs>
   <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
 </runstats>

</fiwalk> (pre/)