Each entry below gives, in this order: Tag name; Element name; Description; May contain; May occur within; Attributes; Allowable values; Repeatable?; Mandatory?; Example.

Tag name: <dfxml>
Element name: DFXML
Description: Root element; marks the beginning and end of the DFXML metadata file. The <dfxml> element contains the primary elements reported in fiwalk's XML structure: <metadata>, <creator>, <source>, <volume>, and <runstats>.
May contain: <metadata>, <creator>, <source>, <volume>, <runstats>, <sectorsize>, <pagesize>, <acquisition_seconds>
May occur within: n/a
Attributes: “version”
Allowable values: n/a.
Repeatable?: no
Mandatory?: yes
Example: See (22).

Tag name: <metadata>
Element name: Metadata
Description: The <metadata> tag provides header information that defines the metadata in the DFXML document. It includes the namespace declaration, the namespace schema location, and other information used to define the elements used in the XML file. These declarations identify the standardization schemes used to convey information in the DFXML document. The <metadata> tag may also contain high-level descriptive information about the DFXML document rendered in Dublin Core (dc), in order to increase interoperability.
May contain: <dc:type>, <dc:creator>, <dc:title>, <dc:description>; for more information on the Dublin Core element set, see (21).
May occur within: <dfxml>
Attributes: “xmlns”
Allowable values: n/a.
Repeatable?: no
Mandatory?: yes
Example (23):
<metadata xmlns='http://forensicswiki.org/app_print/'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns:dc='http://purl.org/dc/elements/1.1/'>
<dc:creator>Your Organization Here</dc:creator>
<dc:title>iTunes 9.0.2</dc:title>
<dc:description>Application Print of Apple MacOS iTunes 9.0.2</dc:description>
<dc:date>2009-11-23</dc:date>
<dc:type>Application Print</dc:type>
</metadata>

Tag name: <creator>
Element name: Creator
Description: The Creator element documents the program and the computing environment in which the disk analysis (or capture) takes place. <creator> includes tags documenting the program that initiated the capture creating the DFXML file, and other contextual information about the system on which the capture is run. (1) <creator> distinguishes the environment in which the analysis is conducted from <source>, the target of the forensic analysis.
May contain: <program>, <version>, <build_environment>, <execution_environment>; <execution_environment> contains <os_sysname>, <os_release>, <os_version>, <host>, <arch>, <command_line>, <start_time>.
May occur within: <dfxml>
Attributes: “version”
Allowable values: n/a.
Repeatable?: no
Mandatory?: yes
Example:
<creator version='1.0'>
<program>fiwalk</program>
<version>0.6.16</version>
<build_environment>
<compiler>GCC 4.2</compiler>
<library name="tsk" version="3.2.3"/>
<library name="afflib" version="3.6.15"/>
<library name="libewf" version="20100226"/>
</build_environment>
<execution_environment>
<os_sysname>Darwin</os_sysname>
<os_release>11.3.0</os_release>
<os_version>Darwin Kernel Version 11.3.0: Thu Jan 12 18:47:41 PST 2012; root:xnu-1699.24.23~1/RELEASE_X86_64</os_version>
<host>host computer name</host>
<arch>x86_64</arch>
<command_line>fiwalk -X [output file name] [target file path]</command_line>
<start_time>2012-02-10T16:07:00Z</start_time>
</execution_environment>
</creator>

Tag name: <volume>
Element name: Volume
Description: The <volume> tag contains information about the individual files in a DFXML file. It holds the largest body of information in the DFXML file and is the primary source of individual file information, found in <fileobject> tags. A volume is defined generally as a mass storage system at the logical OS level: it has a single file system and is contained on a single disk partition as a collection of byte blocks that are all the same size (a hard drive, a partition within a hard drive, or a RAID volume) (1).
May contain: <fileobject>, <byte_runs>, <ftype>, <ftype_str>, <block_count>, <first_block>, <last_block>, <block_size>, <partition_offset>
May occur within: <dfxml>
Attributes: “offset”
Allowable values: n/a.
Repeatable?: yes
Mandatory?: yes
Example:
<volume offset='0'>
<partition_offset>0</partition_offset>
<block_size>2048</block_size>
<ftype>2048</ftype>
<ftype_str>iso9660</ftype_str>
<block_count>281154</block_count>
<first_block>0</first_block>
<last_block>281153</last_block>
<fileobject/>
</volume>

Tag name: <source>
Element name: Source
Description: The <source> tag represents the source of forensic data, such as a forensic disk image or a removable media drive. (6) The source can contain extensive contextual information about the volume that is the target of forensic analysis, including device and acquisition metadata and the structure of the data on the target volume (such as the number and size of sectors).
May contain: <image_filename>; acquisition tags that follow the source (described later): <imagefile>, <sectorsize>, <device_model>, <device_sn>, <acquisition_commandline>, <acquisition_device>, <device_capabilities>, <devicesectors>, <acquisition_macaddr>, <acquisition_date>
May occur within: <dfxml>
Attributes: “type”
Allowable values: n/a.
Repeatable?: no
Mandatory?: yes
Example (6):
<source type='Disk Image'>
<imagefile>/corp/images/nus/1040.aff</imagefile>
<sectorsize>512</sectorsize>
<device_model>SEAGATE ST32550W SUN2.1G 0418</device_model>
<device_sn>01806486</device_sn>
<acquisition_commandline>aimage scsi1 /project2/b28.aff</acquisition_commandline>
<acquisition_device>/dev/sda1</acquisition_device>
<device_capabilities>pass2: >SEAGATE ST32550W SUN2.1G 0418< Fixed Direct Access SCSI-2 device
pass2: Serial Number 01806486
pass2: 20.000MB/s transfers (10.000MHz, offset 15, 16bit), Tagged Queueing Enabled
</device_capabilities>
<sectorsize coding='base10'>512</sectorsize>
<devicesectors coding='base10'>4194995</devicesectors>
<acquisition_macaddr>00:0f:b5:42:6a:fe</acquisition_macaddr>
<acquisition_date>2006-07-25T10:56:42</acquisition_date>
</source>

Tag name: <runstats>
Element name: Runtime Statistics
Description: Runtime statistics document the amount of time taken by the forensic program to analyze the content on the target drive, together with information about memory usage and processor efficiency. This metadata relates to the capture process that creates the DFXML file, not to the creation of the disk image itself.
May contain: <clock_seconds>, <user_seconds>, <system_seconds>, <maxrss>, <reclaims>, <faults>, <swaps>, <inputs>, <outputs>, <stop_time>
May occur within: <dfxml>
Allowable values: n/a.
Repeatable?: no
Mandatory?: yes
Example:
<runstats>
<user_seconds>8</user_seconds>
<system_seconds>0</system_seconds>
<maxrss>1650688</maxrss>
<reclaims>508</reclaims>
<faults>0</faults>
<swaps>0</swaps>
<inputs>9</inputs>
<outputs>5</outputs>
<stop_time>Fri Feb 10 11:07:14 2012</stop_time>
</runstats>

Tag name: <fileobject>
Element name: File Object
Description: Key file element for standard digital forensics XML. A file is a sequence of bytes with associated metadata. (1) Every file is represented by a <fileobject> tag. (2) Each <fileobject> contains information on the size and type of the file, its hash digests, and provenance information.
May contain: <filename>, <id>, <filesize>, <partition>, <alloc>, <used>, <inode>, <type>, <mode>, <nlink>, <uid>, <gid>, <mtime>, <atime>, <crtime>, <libmagic>, <byte_runs>, <seq>, <meta_type>, <ctime>, <name_type>, <hashdigest>
May occur within: <volume>
Allowable values: n/a.
Repeatable?: yes
Mandatory?: yes
Example:
<fileobject>
<filename>PDFDOCS/JEL/RESEARCH/P195.PDF</filename>
<partition>1</partition>
<id>764</id>
<name_type>r</name_type>
<filesize>178154</filesize>
<alloc>1</alloc>
<used>1</used>
<inode>566</inode>
<meta_type>1</meta_type>
<mode>0</mode>
<nlink>1</nlink>
<uid>0</uid>
<gid>0</gid>
<crtime>1997-04-28T04:32:40Z</crtime>
<byte_runs>
<byte_run file_offset='0' fs_offset='245391360' img_offset='245391360' len='178154'/>
</byte_runs>
<hashdigest type='md5'>fbcb0d2161acdef2648fc31dc857dfb2</hashdigest>
<hashdigest type='sha1'>8ec687db4a08d9eaa1a866f42664be387ad18b5e</hashdigest>
</fileobject>

Tag name: <partition_offset>
Element name: Partition Offset
Description: Denotes the starting location of the partition on the disk image, measured in bytes. It usually matters on volumes with multiple partitions, where the first <partition_offset> will be zero, meaning that the first partition begins at the start of the writeable disk space.
May occur within: <volume>
Allowable values: Non-negative integers.
Repeatable?: yes
Mandatory?: no
Example: <partition_offset>0</partition_offset>

Tag name: <block_size>
Element name: Block Size
Description: The size (in bytes) of an individual block of data in a volume, as defined by the file system. Block size varies with the size of the disk and the operating system. The block size is the minimum unit used by the operating system to store information on the disk. (24) Knowing the block size of the target volume lets you determine the sector location of the beginning of a file fragment.
May occur within: <volume>
Allowable values: 64, 128, 256, 512, 1024, 2048, 4096 (non-negative integer).
Repeatable?: yes
Mandatory?: yes
Example: <block_size>2048</block_size>

Tag name: <ftype>
Element name: Filesystem Type
Description: <ftype> provides a numerical identifier representing the filesystem on the partition or target volume. The number in <ftype> corresponds to a filesystem that is represented in <ftype_str> by a human-readable string.
May occur within: <volume>
Allowable values: <ftype> values are listed with their corresponding ASCII representations (from the element <ftype_str>). (14)
1: NTFS
256: EXT
2048: ISO9660
4096: HFS
Repeatable?: yes
Mandatory?: no
Example: <ftype>2048</ftype>

Tag name: <ftype_str>
Element name: Filesystem Type String
Description: <ftype_str> gives the human-readable string corresponding to the filesystem represented in <ftype>.
May occur within: <volume>
Allowable values: Allowable values in <ftype_str> correspond to the filesystem types currently supported. Each output value is followed by a description of the filesystem it represents.
NTFS: New Technology File System, the system used by most Microsoft Windows operating systems since the 1990s, including Windows 2000, Windows XP, Vista, and Windows 7. (11)
EXT: Extended file system, used by Linux-based operating systems. (12)
ISO9660: also called Compact Disc File System (CDFS), the international standard file system for optical disc media. (13)
HFS: Hierarchical File System, used by Apple Computer systems running the Mac OS operating system. (15)
Repeatable?: yes
Mandatory?: no
Example: <ftype_str>iso9660</ftype_str>

Tag name: <block_count>
Element name: Block Count
Description: Lists the total number of blocks in the target volume.
May occur within: <volume>
Allowable values: Non-negative integers
Repeatable?: yes
Mandatory?: no
Example: <block_count>281154</block_count>

Tag name: <first_block>
Element name: First Block
Description: Lists the number of the first block in the target volume. In the case of a single partition on a drive, the <first_block> tag will return 0, meaning the volume starts at the beginning of the drive.
May occur within: <volume>
Allowable values: Non-negative integers
Repeatable?: yes
Mandatory?: no
Example: <first_block>0</first_block>

Tag name: <last_block>
Element name: Last Block
Description: Lists the number of the last block in the volume. Note that in cases where the first block is “0” the last block will be one less than the total number of blocks in the volume.
May occur within: <volume>
Allowable values: Non-negative integers
Repeatable?: yes
Mandatory?: no
Example: <last_block>281153</last_block>

Tag name: <byte_runs>
Element name: Byte Runs
Description: Parent element for <byte_run> tags, describing the specific location (by byte offset) of file fragments on a target volume. The <byte_runs> tag maps the logical bytes of the file to a physical location in the disk image. Fragmented files are represented by individual <byte_run> tags, which combine to represent a complete file. (1)
May contain: <byte_run>
May occur within: <fileobject>
Allowable values: n/a.
Repeatable?: yes
Mandatory?: no
Example:
<byte_runs>
<byte_run file_offset='0' fs_offset='40960' img_offset='40960' len='2048'/>
</byte_runs>

Tag name: <byte_run>
Element name: Byte Run
Description: <byte_run> describes a sequential run of bytes that makes up part of a file. Within the <byte_runs> tag there may be multiple <byte_run> tags, one per fragment that makes up the file. Each <byte_run> tag carries attributes for the starting offset of the run within the file (file_offset), the starting location of the run in the file system (fs_offset) and in the disk image (img_offset), and the length of the run (len) in bytes.
May occur within: <byte_runs>
Attributes: “fs_offset”, “file_offset”, “img_offset”, “len”
Allowable values: n/a.
Repeatable?: yes
Mandatory?: no
Example: <byte_run file_offset='0' fs_offset='40960' img_offset='40960' len='2048'/>

Tag name: <hashdigest>
Element name: Hash Digest
Description: Represents a cryptographic hash. A cryptographic hash represents all the bit-level information in a file by running it through an algorithm that returns a specific hexadecimal string. (1) The algorithm is such that changing one bit alters the entire hash value when it is recalculated, so hash values can be used to verify the fixity of file content, because they reflect change at the lowest level of abstraction (bits). The most common attribute values are type='md5' and type='sha1', containing hexadecimal hash values calculated for individual files. The hash value is represented as a UTF-8 encoded hexadecimal string. (25)
May occur within: <fileobject>
Attributes: “type”
Allowable values: character string.
Repeatable?: yes
Mandatory?: no
Example:
<hashdigest type='md5'>6abb066c3e6b1c51086292b829072ff4</hashdigest>
<hashdigest type='sha1'>b48032150f779352828b94389712d8510a6cdb00</hashdigest>
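Putting the <volume>, <byte_runs>, <byte_run> and <hashdigest> entries above to work, here is an added example (not from this reference or the DFXML project): it reads a constructed DFXML fragment, checks the volume's block geometry, rebuilds a two-fragment file from a constructed image by following its byte runs, and verifies the recorded digests over the result. Element and attribute names follow the reference; the sample image, file contents, filename and digests are constructed here, and the tag-matching helper assumes the document may carry a default XML namespace, as fiwalk output does.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample (not a real acquisition): a 4 KiB, 512-byte-block volume holding a 24-byte file as two fragments at offsets 1024 (block 2) and 3072 (block 6).
FRAGMENT_1 = b"DFXML byte_runs "  # 16 bytes
FRAGMENT_2 = b"example."          # 8 bytes

def build_sample_image() -> bytes:
    img = bytearray(4096)
    img[1024:1024 + len(FRAGMENT_1)] = FRAGMENT_1
    img[3072:3072 + len(FRAGMENT_2)] = FRAGMENT_2
    return bytes(img)

def build_sample_dfxml(md5_hex: str, sha1_hex: str) -> str:
    """Same <volume>/<fileobject> layout as the reference above; the caller supplies the digests."""
    return f"""<dfxml version='1.0'>
  <volume offset='0'>
    <partition_offset>0</partition_offset>
    <block_size>512</block_size>
    <block_count>8</block_count>
    <first_block>0</first_block>
    <last_block>7</last_block>
    <fileobject>
      <filename>DOCS/NOTES.TXT</filename>
      <filesize>24</filesize>
      <byte_runs>
        <byte_run file_offset='0' fs_offset='1024' img_offset='1024' len='16'/>
        <byte_run file_offset='16' fs_offset='3072' img_offset='3072' len='8'/>
      </byte_runs>
      <hashdigest type='md5'>{md5_hex}</hashdigest>
      <hashdigest type='sha1'>{sha1_hex}</hashdigest>
    </fileobject>
  </volume>
</dfxml>"""

def _find_all(elem, name: str) -> list:
    # Real DFXML files usually declare a default namespace, so match on local tag names only.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def volume_geometry(volume) -> dict:
    """Read the block geometry and check that last_block == first_block + block_count - 1."""
    g = {n: int(_find_all(volume, n)[0].text)
         for n in ("partition_offset", "block_size", "block_count", "first_block", "last_block")}
    g["consistent"] = g["last_block"] == g["first_block"] + g["block_count"] - 1
    return g

def parse_byte_runs(fileobject, geom: dict) -> list:
    """Return the runs in file order, each checked against the volume and tagged with its block."""
    runs = []
    for br in _find_all(fileobject, "byte_run"):
        r = {k: int(br.get(k)) for k in ("file_offset", "fs_offset", "img_offset", "len")}
        if r["img_offset"] != geom["partition_offset"] + r["fs_offset"]:
            raise ValueError("img_offset does not equal partition_offset + fs_offset")
        r["block"] = r["fs_offset"] // geom["block_size"]  # block where this fragment starts
        runs.append(r)
    return sorted(runs, key=lambda r: r["file_offset"])

def reassemble(image: bytes, runs: list, filesize: int) -> bytes:
    """Copy each run out of the image, rejecting gaps, overlaps and runs past the image end."""
    out = bytearray()
    for r in runs:
        if r["file_offset"] != len(out):
            raise ValueError(f"byte_runs not contiguous at file offset {r['file_offset']}")
        if r["img_offset"] + r["len"] > len(image):
            raise ValueError("byte_run extends past the end of the image")
        out += image[r["img_offset"]:r["img_offset"] + r["len"]]
    if len(out) != filesize:
        raise ValueError(f"byte_runs cover {len(out)} bytes but filesize is {filesize}")
    return bytes(out)

def verify_hashes(fileobject, content: bytes) -> dict:
    """Compare every <hashdigest> with the digest recomputed over the reassembled bytes."""
    results = {}
    for hd in _find_all(fileobject, "hashdigest"):
        algo = hd.get("type").lower()
        recorded = (hd.text or "").strip().lower()  # digests are sometimes wrapped onto a new line
        results[algo] = hashlib.new(algo, content).hexdigest() == recorded
    return results

def check_file(dfxml_text: str, image: bytes, filename: str) -> dict:
    """Find the <fileobject> by <filename>, rebuild its bytes from the image and verify its hashes."""
    volume = _find_all(ET.fromstring(dfxml_text), "volume")[0]
    geom = volume_geometry(volume)
    for fo in _find_all(volume, "fileobject"):
        if _find_all(fo, "filename")[0].text == filename:
            runs = parse_byte_runs(fo, geom)
            content = reassemble(image, runs, int(_find_all(fo, "filesize")[0].text))
            return {"geometry": geom, "blocks": [r["block"] for r in runs],
                    "content": content, "hashes": verify_hashes(fo, content)}
    raise KeyError(filename)

def demo(tamper: bool = False) -> dict:
    """Run the check on the constructed sample; tamper=True flips one byte of the second fragment."""
    image = build_sample_image()
    expected = FRAGMENT_1 + FRAGMENT_2
    dfxml_text = build_sample_dfxml(hashlib.md5(expected).hexdigest(), hashlib.sha1(expected).hexdigest())
    if tamper:
        image = image[:3075] + bytes([image[3075] ^ 0xFF]) + image[3076:]
    return check_file(dfxml_text, image, "DOCS/NOTES.TXT")
```

With a real image, replace build_sample_image() with the image bytes and pass the fiwalk output to check_file(); a False entry in "hashes" means the bytes at the recorded byte runs no longer match what was hashed at capture time.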

Tag name: <filename>
Element name: File Name
Description: ASCII representation of the file name from the target volume.
May occur within: <fileobject>
Allowable values: character string
Repeatable?: yes
Mandatory?: no
Example: <filename>ACROREAD/WIN31/ARCHIVE.Z</filename>

Tag name: <name_type>
Element name: Name Type
Description: <name_type> is the ASCII representation of the TSK file type value for an entry in a directory structure. Most <name_type> values will be either “r” for regular file or “d” for directory. (18)
May occur within: <fileobject>
Allowable values: The TSK internal value is listed first, followed by its description; the value reported in DFXML is in quotation marks. (19)
TSK_FS_NAME_TYPE_UNDEF = 0, unknown type: “-”
TSK_FS_NAME_TYPE_FIFO = 1, named pipe: “p”
TSK_FS_NAME_TYPE_CHR = 2, character device: “c”
TSK_FS_NAME_TYPE_DIR = 3, directory: “d”
TSK_FS_NAME_TYPE_BLK = 4, block device: “b”
TSK_FS_NAME_TYPE_REG = 5, regular file: “r”
TSK_FS_NAME_TYPE_LNK = 6, symbolic link: “l”
TSK_FS_NAME_TYPE_SOCK = 7, socket: “h”
TSK_FS_NAME_TYPE_SHAD = 8, shadow inode (Solaris): “s”
TSK_FS_NAME_TYPE_WHT = 9, whiteout (OpenBSD): “w”
TSK_FS_NAME_TYPE_VIRT = 10, special (TSK-added "virtual" files): “v”
Repeatable?: yes
Mandatory?: no
Example: <name_type>r</name_type>

Tag name: <id>
Element name: Identification Number
Description: Sequential number identifier assigned by fiwalk/DFXML to individual files.
May occur within: <fileobject>
Allowable values: Non-negative integer. Sequential.
Repeatable?: yes
Mandatory?: no
Example: <id>43</id>

Tag name: <filesize>
Element name: File Size
Description: Size of the file in bytes. (3)
May occur within: <fileobject>
Allowable values: Non-negative integer.
Repeatable?: yes
Mandatory?: no
Example: <filesize>2048</filesize>

Tag name: <partition>
Element name: Partition
Description: Partition number on which the file is located. (3) Will return “1” unless there is more than one partition.
May occur within: <fileobject>
Allowable values: Non-negative integer. Will return “1” if it is the only partition.
Repeatable?: yes
Mandatory?: no
Example: <partition>1</partition>

Tag name: <alloc>
Element name: Allocated
Description: Indicates whether the file object resides in allocated disk space. A “1” value indicates that the file object is in allocated space; a “0” value indicates unallocated space. Examples of file objects in unallocated space include deleted files or file fragments.
May occur within: <fileobject>
Allowable values: A “1” value indicates that the file object is in allocated space; a “0” value indicates unallocated space.
Repeatable?: yes
Mandatory?: no
Example: <alloc>1</alloc>

Tag name: <used>
Element name: Used
Description: The <used> element indicates whether the metadata structure has been used at least once (referenced in tsk_fs.h in the TSK source code). The entry corresponding to a file referenced by a particular inode (or NTFS entry) could, for example, currently be marked as unused even though it has been used before. The TSK flag in the current TSK code therefore indicates that the metadata structure has been used at least once. (19)
May occur within: <fileobject>
Allowable values: A “1” value indicates that the metadata structure has been used; a “0” value indicates that it has not. However, see the description.
Repeatable?: yes
Mandatory?: no
Example: <used>1</used>

Tag name: <inode>
Element name: Inode Number
Description: The inode is a data structure holding information about files in a UNIX filesystem (8). The filesystem assigns a uniquely identifiable inode number to each file in the filesystem; that number is contained in the <inode> tag.
May occur within: <fileobject>
Allowable values: Non-negative integer.
Repeatable?: yes
Mandatory?: no
Example: <inode>1</inode>

Tag name: <mode>
Element name: File Mode
Description: The <mode> element identifies the read/write/execute permissions for the file owner, group, and other.
May occur within: <fileobject>
Allowable values: The TSK internal value is listed first, followed by its numeric value in octal (as written in the TSK source) and its meaning.
TSK_FS_META_MODE_ISUID = 0004000, set user id on execution
TSK_FS_META_MODE_ISGID = 0002000, set group id on execution
TSK_FS_META_MODE_ISVTX = 0001000, sticky bit
TSK_FS_META_MODE_IRUSR = 0000400, R for owner
TSK_FS_META_MODE_IWUSR = 0000200, W for owner
TSK_FS_META_MODE_IXUSR = 0000100, X for owner
TSK_FS_META_MODE_IRGRP = 0000040, R for group
TSK_FS_META_MODE_IWGRP = 0000020, W for group
TSK_FS_META_MODE_IXGRP = 0000010, X for group
TSK_FS_META_MODE_IROTH = 0000004, R for other
TSK_FS_META_MODE_IWOTH = 0000002, W for other
TSK_FS_META_MODE_IXOTH = 0000001, X for other (reported value undefined?)
Repeatable?: yes
Mandatory?: no
Example: <mode>0</mode>

Tag name: <nlink>
Element name: Hard Link
Description: <nlink> lists the number of hard links to a particular inode in the filesystem. A hard link refers multiple pathnames to the same inode, providing alternate ways of finding a particular file in the filesystem. (9)
May occur within: <fileobject>
Allowable values: Non-negative integer.
Repeatable?: yes
Mandatory?: no
Example: <nlink>1</nlink>

Tag name: <uid>
Element name: User ID
Description: The <uid> tag provides the user ID number, if one is present. If it is not present, <uid> returns “0”. The operating system assigns user ID numbers that represent a particular user in its interactions with the computing environment. (9)
May occur within: <fileobject>, <execution_environment>
Allowable values: Non-negative integer.
Repeatable?: yes
Mandatory?: no
Example: <uid>0</uid>

Tag name: <gid>
Element name: Group ID
Description: The <gid> tag contains the group ID number. The group number is assigned at the same time as the user ID number and is used to represent interactions with shared documents in networked computing environments. If it is not present, <gid> returns “0”.
May occur within: <fileobject>
Allowable values: Non-negative integer.
Repeatable?: yes
Mandatory?: no
Example: <gid>0</gid>

Tag name: <mtime>
Element name: Modified Time
Description: The file's last modification time, as an ISO8601 timestamp extracted from the filesystem. (3)
May occur within: <fileobject>
Allowable values: Returns a timestamp in ISO8601 format: [YYYY]-[MM]-[DD]T[hh]:[mm]:[ss]
Repeatable?: yes
Mandatory?: no
Example: <mtime>2008-12-29T01:33:32Z</mtime>

Tag name: <atime>
Element name: Access Time
Description: The file's access time, as an ISO8601 timestamp. (3) Information extracted from the file system.
May occur within: <fileobject>
Allowable values: Returns a timestamp in ISO8601 format: [YYYY]-[MM]-[DD]T[hh]:[mm]:[ss]
Repeatable?: yes
Mandatory?: no
Example: <atime>2008-12-28T05:00:00Z</atime>

Tag name: <ctime>
Element name: Metadata Change Time
Description: The file's metadata change time, as an ISO8601 timestamp. (3) Information extracted from the file system.
May occur within: <fileobject>

Tag name: <crtime>
Element name: Creation Time
Description: The file inode's creation time, as an ISO8601 timestamp. (3) Information extracted from the file system.
May occur within: <fileobject>
Allowable values: Returns a timestamp in ISO8601 format: [YYYY]-[MM]-[DD]T[hh]:[mm]:[ss]
Repeatable?: yes
Mandatory?: no
Example: <crtime>2008-12-29T01:33:32Z</crtime>

Tag name: <libmagic>
Element name: LibMagic
Description: <libmagic> holds the human-readable value corresponding to the file type identified by libmagic, the library that reads "magic" byte values from file headers. (19)
May occur within: <fileobject>
Allowable values: Character strings representing file type information provided by libmagic in human-readable form.
Repeatable?: yes
Mandatory?: no
Example: <libmagic>JPEG image data, EXIF standard 2.2</libmagic>

Tag name: <seq>
Element name: Sequence Number
Description: Incremental file number for entries in NTFS filesystems.
May occur within: <fileobject>
Allowable values: Non-negative integer.
Repeatable?: yes
Mandatory?: no

Tag name: <meta_type>
Element name: Metadata Type
Description: <meta_type> provides metadata type information according to TSK specifications. (19) It returns information similar to the <name_type> tag, but as a numerical value instead of an ASCII character string.
May occur within: <fileobject>
Allowable values: The TSK internal value is listed first, followed by its hexadecimal value and description; the value reported in DFXML is in quotation marks.
TSK_FS_META_TYPE_UNDEF = 0x00, undefined: “0”
TSK_FS_META_TYPE_REG = 0x01, regular file: “1”
TSK_FS_META_TYPE_DIR = 0x02, directory file: “2”
TSK_FS_META_TYPE_FIFO = 0x03, named pipe (fifo): “3”
TSK_FS_META_TYPE_CHR = 0x04, character device: “4”
TSK_FS_META_TYPE_BLK = 0x05, block device: “5”
TSK_FS_META_TYPE_LNK = 0x06, symbolic link: “6”
TSK_FS_META_TYPE_SHAD = 0x07, shadow inode (Solaris only): “7”
TSK_FS_META_TYPE_SOCK = 0x08, UNIX domain socket: “8”
TSK_FS_META_TYPE_WHT = 0x09, whiteout: “9”
TSK_FS_META_TYPE_VIRT = 0x0a, "virtual file" created by TSK for file system areas: “10”
Repeatable?: yes
Mandatory?: no
Example: <meta_type>1</meta_type>
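As an added example (not part of this reference or of fiwalk), the following decodes the <mode>, <name_type> and <meta_type> values tabulated above into an ls-style listing and flags the entries an examiner usually looks at first: names whose directory entry type and inode type disagree, setuid/setgid files, and unallocated entries. The TSK constants are the ones listed above (descriptions lightly normalized so the two type tables can be compared); the DFXML excerpt is constructed, and the code assumes <mode> is written as a decimal integer, as the sample values in this reference are.

```python
import xml.etree.ElementTree as ET

# TSK constants as listed in the <mode>, <name_type> and <meta_type> entries above.
MODE_BITS = [(0o0400, 0, "r"), (0o0200, 1, "w"), (0o0100, 2, "x"),   # owner
             (0o0040, 3, "r"), (0o0020, 4, "w"), (0o0010, 5, "x"),   # group
             (0o0004, 6, "r"), (0o0002, 7, "w"), (0o0001, 8, "x")]   # other
ISUID, ISGID, ISVTX = 0o4000, 0o2000, 0o1000
META_TYPES = {0: "undefined", 1: "regular file", 2: "directory", 3: "named pipe",
              4: "character device", 5: "block device", 6: "symbolic link",
              7: "shadow inode", 8: "socket", 9: "whiteout", 10: "virtual file"}
NAME_TYPES = {"-": "undefined", "p": "named pipe", "c": "character device", "d": "directory",
              "b": "block device", "r": "regular file", "l": "symbolic link", "h": "socket",
              "s": "shadow inode", "w": "whiteout", "v": "virtual file"}

# Constructed DFXML excerpt (not real fiwalk output). <mode> is assumed to be written in
# decimal, so 493 = 0o755, 2541 = 0o4755, 1023 = 0o1777 and 420 = 0o644.
SAMPLE = """<dfxml version='1.0'><volume offset='0'>
<fileobject><filename>bin/sh</filename><name_type>r</name_type><meta_type>1</meta_type>
  <mode>493</mode><alloc>1</alloc></fileobject>
<fileobject><filename>usr/bin/passwd</filename><name_type>r</name_type><meta_type>1</meta_type>
  <mode>2541</mode><alloc>1</alloc></fileobject>
<fileobject><filename>tmp</filename><name_type>d</name_type><meta_type>2</meta_type>
  <mode>1023</mode><alloc>1</alloc></fileobject>
<fileobject><filename>home/.cache/old.dat</filename><name_type>r</name_type><meta_type>2</meta_type>
  <mode>420</mode><alloc>0</alloc></fileobject>
</volume></dfxml>"""

def _text(elem, name: str) -> str:
    # DFXML usually carries a default namespace, so match on the local tag name only.
    return next(e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name).text

def mode_to_rwx(mode: int) -> str:
    """Render the nine permission bits as rwx triplets, folding setuid/setgid/sticky into the x slots."""
    perm = ["-"] * 9
    for bit, pos, ch in MODE_BITS:
        if mode & bit:
            perm[pos] = ch
    for flag, pos, ch in ((ISUID, 2, "s"), (ISGID, 5, "s"), (ISVTX, 8, "t")):
        if mode & flag:  # ls convention: lower case when x is also set, upper case when it is not
            perm[pos] = ch if perm[pos] == "x" else ch.upper()
    return "".join(perm)

def audit_fileobject(fo) -> dict:
    """Decode one <fileobject> and flag the conditions an examiner usually looks at first."""
    name_type = _text(fo, "name_type")
    meta_type = int(_text(fo, "meta_type"))
    mode = int(_text(fo, "mode"))
    notes = []
    if NAME_TYPES.get(name_type) != META_TYPES.get(meta_type):
        # Directory entry and inode disagree: typical of a deleted name whose inode was reused.
        notes.append("name_type/meta_type disagree")
    if mode & (ISUID | ISGID):
        notes.append("setuid/setgid")
    if _text(fo, "alloc") == "0":
        notes.append("unallocated")
    type_char = "-" if name_type == "r" else name_type  # ls prints regular files as '-'
    return {"filename": _text(fo, "filename"), "listing": type_char + mode_to_rwx(mode),
            "meta_type": META_TYPES.get(meta_type, "unknown"), "notes": notes}

def audit(dfxml_text: str) -> list:
    """Audit every <fileobject> in a DFXML document, in document order."""
    root = ET.fromstring(dfxml_text)
    return [audit_fileobject(fo) for fo in root.iter() if fo.tag.rsplit("}", 1)[-1] == "fileobject"]
```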

Tag name: <program>
Element name: Program
Description: The <program> element contains the name of the program used to conduct the forensic analysis.
May occur within: <creator>
Allowable values: ASCII character string containing the human-readable name of the program that is capturing information for the DFXML file.
Repeatable?: no
Mandatory?: yes
Example: <program>fiwalk</program>

Tag name: <version>
Element name: Version
Description: Contains the version number of the program used to conduct the forensic analysis.
May occur within: <creator>
Repeatable?: no
Mandatory?: yes
Example: <version>0.6.16</version>

Tag name: <build_environment>
Element name: Build Environment
Description: To build software is to convert source code into an executable file. The <build_environment> tag contains information related to that process: the compiler that automates the software build, the date of compilation, and any software code libraries that are integrated in the build process and used by the program conducting the analysis.
May contain: <compiler>, <library>
May occur within: <creator>
Allowable values: n/a.
Repeatable?: no
Mandatory?: yes
Example:
<build_environment>
<compiler>GCC 4.2</compiler>
<library name="tsk" version="3.2.3"/>
<library name="afflib" version="3.6.15"/>
<library name="libewf" version="20100226"/>
</build_environment>

Tag name: <execution_environment>
Element name: Execution Environment
Description: The <execution_environment> tag contains information about the system on which the capture of forensic data occurs. It provides contextual information about the computing environment in which the analysis is executed, and documents the actions taken by the user to begin the capture.
May contain: <os_sysname>, <os_release>, <os_version>, <host>, <arch>, <command_line>, <start_time>, <uid> (previously contained username and start date)
May occur within: <creator>
Allowable values: n/a.
Repeatable?: no
Mandatory?: yes
Example:
<execution_environment>
<os_sysname>Darwin</os_sysname>
<os_release>11.3.0</os_release>
<os_version>Darwin Kernel Version 11.3.0: Thu Jan 12 18:47:41 PST 2012; root:xnu-1699.24.23~1/RELEASE_X86_64</os_version>
<host>host computer name</host>
<arch>x86_64</arch>
<command_line>fiwalk -X [output file name] [target file path]</command_line>
<start_time>2012-03-18T16:29:50Z</start_time>
</execution_environment>

Tag name: <image_filename>
Element name: Image File Name
Description: Contains the full filename (including file path) of the disk image that is the target of the forensic analysis.
May occur within: <source>
Allowable values: character string
Repeatable?: no
Mandatory?: no
Example: <image_filename>/Users/username/Desktop/DiskImages/30576.iso</image_filename>

Tag name: <image_size>
Element name: Image Size
Description: Size of the target disk image in bytes.
May occur within: <source>
Allowable values: Non-negative integer.
Repeatable?: no
Example: <image_size>1000204886016</image_size>

Tag name: <sectorsize>
Element name: Sector Size
Description: <sectorsize> contains the sector size (in bytes) of the volume that is the target of forensic analysis.
May occur within: <source>
Attributes: “coding”
Allowable values: Non-negative integer.
Repeatable?: no
Mandatory?: no
Example: <sectorsize>512</sectorsize>

Tag name: <device_model>
Element name: Device Model
Description: Provides information about the device from which the target of the forensic analysis (usually a disk image) is pulled; this is used, for example, when the disk image being analyzed comes from a thumb drive or other external media.
May occur within: <source>
Allowable values: character string
Repeatable?: no
Mandatory?: no
Example: <device_model>SEAGATE ST32550W SUN2.1G 0418</device_model>

Tag name: <device_sn>
Element name: Device Serial Number
Description: The <device_sn> tag contains the serial number of the device on which the target of forensic analysis exists.
May occur within: <source>
Allowable values: character string
Repeatable?: no
Mandatory?: no
Example: <device_sn>01806486</device_sn>

Tag name: <acquisition_macaddr>
Element name: Acquisition MAC Address
Description: Provides the Media Access Control address of the device from which the target disk image is acquired. The MAC address is a unique identifier used by network technologies; it is also called the hardware address or physical address, because it is usually tied to a computer's network communication hardware. (26)
May occur within: <source>
Allowable values: Returns the MAC address in standard IEEE 802 format: six groups of 2 hexadecimal digits separated by hyphens or colons, e.g. 01:23:45:67:89:ab. (26)
Repeatable?: no
Mandatory?: no
Example: <acquisition_macaddr>00:0f:b5:42:6a:fe</acquisition_macaddr>

Tag name: <acquisition_date>
Element name: Acquisition Date
Description: Denotes the date of acquisition of the target disk image as an ISO8601 timestamp.
May occur within: <source>
Allowable values: ISO8601 timestamp format.
Repeatable?: no
Mandatory?: yes
Example: <acquisition_date>2006-07-25T10:56:42</acquisition_date>

Tag name: <acquisition_commandline>
Element name: Acquisition Command Line
Description: The command entered on the imaging machine to create the disk image of the target volume.
May occur within: <source>
Allowable values: character string
Repeatable?: no
Mandatory?: yes
Example: <acquisition_commandline>aimage scsi1 /project2/b28.aff</acquisition_commandline>

Tag name: <acquisition_device>
Element name: Acquisition Device
Description: The raw path on the host machine of the acquired device.
May occur within: <source>
Allowable values: character string
Repeatable?: no
Mandatory?: yes
Example: <acquisition_device>/dev/sda/</acquisition_device>

Tag name: <device_capabilities>
Element name: Device Capabilities
Description: Metadata from the source device, including manufacturer, serial number, and data rates. (19)
May occur within: <source>
Allowable values: character string
Repeatable?: no
Mandatory?: yes
Example:
<device_capabilities>pass2: >SEAGATE ST32550W SUN2.1G 0418< Fixed Direct Access SCSI-2 device
pass2: Serial Number 01806486
pass2: 20.000MB/s transfers (10.000MHz, offset 15, 16bit), Tagged Queueing Enabled</device_capabilities>

Tag name: <devicesectors>
Element name: Device Sectors
Description: Number of sectors on the source device.
May occur within: <source>
Attributes: “coding”
Allowable values: Non-negative integer.
Repeatable?: no
Mandatory?: no
Example: <devicesectors coding='base10'>512</devicesectors>

Tag name: <compiler>
Element name: Compiler
Description: A compiler takes source code and makes it machine-actionable (usable by a computer) (8). The <compiler> tag represents information about the compiler, including the compiler and the version used.
May occur within: <build_environment>
Attributes: “name”, “version”
Allowable values: character string representing the name of the compilation program
Repeatable?: no
Mandatory?: yes
Example: <compiler>GCC 4.2</compiler>

Tag name: <compilation_date>
Element name: Compilation Date
Description: The date on which the program was compiled, listed as an ISO8601 timestamp.
May occur within: <build_environment>
Allowable values: ISO8601 timestamp format.
Repeatable?: no
Mandatory?: no
Example: <compilation_date>2011-03-17T18:47:41</compilation_date>

Tag name: <library>
Element name: Library
Description: Software libraries used by the program that is conducting the forensic analysis. Each software library is identified by a name and a version.
May occur within: <build_environment>
Attributes: “name”, “version”
Allowable values: n/a.
Repeatable?: yes
Mandatory?: yes
Example:
<library name="tsk" version="3.2.3"/>
<library name="afflib" version="3.6.15"/>
<library name="libewf" version="20100226"/>

Tag name: <os_sysname>
Element name: OS System Name
Description: Name of the operating system (OS) on the computer that executes the capture of forensic data. The <os_sysname> tag does not refer to the operating system itself, but rather to the name of the kernel program upon which the operating system is based. For example, the Mac OS is based upon versions of the “Darwin” operating system kernel, so the <os_sysname> output would be “Darwin.”
May occur within: <execution_environment>
Allowable values: character string
Repeatable?: no
Mandatory?: yes
Example: <os_sysname>Darwin</os_sysname>

Tag name: <os_release>
Element name: OS Release
Description: Release of the operating system (OS) kernel used in capturing forensic data.
May occur within: <execution_environment>
Allowable values: character string
Repeatable?: no
Mandatory?: yes
Example: <os_release>11.3.0</os_release>

Tag name: <os_version>
Element name: OS Version
Description: Version of the operating system (OS) kernel used in capturing forensic data from the target disk image file. The full version string contains information about the version release and the CPU architecture detected.
May occur within: <execution_environment>
Allowable values: character string
Repeatable?: no
Mandatory?: yes
Example: <os_version>Darwin Kernel Version 11.3.0: Thu Jan 12 18:47:41 PST 2012; root:xnu-1699.24.23~1/RELEASE_X86_64</os_version>

Tag name: <host>
Element name: Host
Description: <host> refers to the capture device; typically this is the hostname of the machine used to perform the image capture. (19)
May occur within: <execution_environment>
Allowable values: character string
Repeatable?: no
Mandatory?: yes
Example: <host>demo.example.com</host>

Tag name: <arch>
Element name: Processor Architecture
Description: The <arch> tag specifies the processor architecture used in the capture process for the disk image. (10)
May occur within: <execution_environment>
Allowable values:
“x86_64” = 64-bit processor architecture
“i386” = 32-bit processor architecture
Repeatable?: no
Mandatory?: yes
Example: <arch>x86_64</arch>

Tag name: <command_line>
Element name: Command Line
Description: The <command_line> tag contains the command entered by the user to execute the capture of forensic data from the target disk image file.
May occur within: <execution_environment>
Allowable values: character string
Repeatable?: no
Mandatory?: yes
Example: <command_line>fiwalk -x /dev/null</command_line>

Tag name: <start_time>
Element name: Start Time
Description: Provides the date and time of the capture of forensic data, reported as an ISO8601 timestamp.
May occur within: <execution_environment>
Allowable values: ISO8601 timestamp format.
Repeatable?: no
Mandatory?: yes
Example: <start_time>2012-02-10T16:07:00Z</start_time>

Tag name: <username>
Element name: Username
Description: The <username> tag contains the username of the computer profile that executed the forensic analysis.
May occur within: <execution_environment>
Allowable values: character string
Repeatable?: no
Mandatory?: yes
Example: <username>exampleuser</username>

Tag name: <clock_seconds>
Element name: Clock Seconds
Description: <clock_seconds> refers to the time taken to run the program according to the computer's CPU clock rate. The clock rate is the rate (in cycles per second) at which a computer performs basic operations (8).
May occur within: <runstats>
Allowable values: Non-negative integer.
Repeatable?: no
Mandatory?: no

Tag name: <user_seconds>
Element name: User Seconds
Description: <user_seconds> represents the time spent by the CPU executing user code. (9)
May occur within: <runstats>
Allowable values: Non-negative integer.
Repeatable?: no
Mandatory?: yes
Example: <user_seconds>8</user_seconds>

Tag name: <system_seconds>
Element name: System Seconds
Description: <system_seconds> represents the time spent by the CPU executing kernel (system) code. (9)
May occur within: <runstats>
Allowable values: Non-negative integer.
Repeatable?: no
Mandatory?: yes
Example: <system_seconds>0</system_seconds>

Tag name: <maxrss>
Element name: Max Resident Set Size
Description: <maxrss> measures peak memory usage (in kilobytes) by the host system during the capture process.
May occur within: <runstats>
Allowable values: Non-negative integer.
Repeatable?: no
Mandatory?: yes
Example: <maxrss>1650688</maxrss>

Tag name: <reclaims>
Element name: Reclaims
Description: <reclaims> indicates the memory pages (in kilobytes) reclaimed during the capture process. Pages are small segments of memory (usually 4KB or 8KB) that are allocated by the CPU's memory management unit (MMU) to different processes. If a page in use is identified as free memory but is reclaimed by the process that was using it before it can be reallocated to another process, that is a reclaim. (16, 17)
May occur within: <runstats>
Allowable values: Non-negative integer.
Repeatable?: no
Mandatory?: yes
Example: <reclaims>508</reclaims>

Tag name: <faults>
Element name: Page Faults
Description: Kilobytes of page faults for memory pages that are mapped to a virtual address space but not mapped to physical memory. Page faults are not errors.
May occur within: <runstats>
Allowable values: Non-negative integer.
Repeatable?: no
Mandatory?: yes
Example: <faults>0</faults>

Tag name: <swaps>
Element name: Swaps
Description: Transfers of live memory contents to disk as a result of memory being filled. This will usually be zero on modern systems with plenty of memory, as fiwalk is very memory efficient. (19)
May occur within: <runstats>
Allowable values: Non-negative integer.
Repeatable?: no
Mandatory?: yes
Example: <swaps>0</swaps>

Tag name: <inputs>
Element name: Inputs
Description: Measure of pages brought into the filesystem cache during the capture process. A page-in occurs whenever a page is brought back in from the swap device or brought from a file system into the file system cache. (16)
May occur within: <runstats>
Allowable values: Non-negative integer.
Repeatable?: no
Mandatory?: yes
Example: <inputs>9</inputs>

Tag name: <outputs>
Element name: Outputs
Description: Pages written and allocated (in kilobytes) to the free list of available memory during the capture process. A page-out is counted whenever a page is written and freed. (16)
May occur within: <runstats>
Allowable values: Non-negative integer.
Repeatable?: no
Mandatory?: yes
Example: <outputs>5</outputs>

Tag name: <stop_time>
Element name: Stop Time
Description: Indicates the time at which the forensic analysis of the target drive is completed.
May occur within: <runstats>
Allowable values: Non-negative integer.
Repeatable?: no
Mandatory?: yes
Example: <stop_time>Fri Feb 10 11:07:14 2012</stop_time>

SOURCES

(1) Simson Garfinkel, “Digital Forensics XML and the DFXML toolset,” Digital Investigation xxx, 2012: 1-14.
(2) “fiwalk XML example,” Digital Forensics Wiki: <http://www.forensicswiki.org/wiki/Fiwalk>.
(3) “Fileobject XML example,” Digital Forensics Wiki: <http://www.forensicswiki.org/wiki/Fileobject>.
(4) “Digital Forensics XML Schema: Fileobject schema,” Digital Forensics Wiki: <http://www.forensicswiki.org/w/images/6/61/Fileobject.xsd>.
(5) “Digital Forensics XML Schema: Filehashset schema,” Digital Forensics Wiki: <http://www.forensicswiki.org/w/images/f/f8/Filehashset.xsd>.
(6) “Source DFXML Example,” Digital Forensics Wiki: <http://www.forensicswiki.org/wiki/Source_DFXML_Example>.
(7) Mark Matienzo, “fiwalk With Me: Building Emergent Pre-Ingest Workflows for Digital Archival Records using Open Source Forensic Software,” Code4Lib 2011. Available at: <http://www.slideshare.net/anarchivist/fiwalk-with-me-building-emergent-preingest-workflows-for-digital-archival-records-using-open-source-forensic-software>.
(8) FOLDOC: The Free On-Line Dictionary Of Computing. Available: <http://foldoc.org/>.
(9) “System Time,” Wikipedia: The free online encyclopedia. Available: <http://en.wikipedia.org/wiki/System_time>.
(10) Simson Garfinkel, “Digital media triage with bulk data analysis and bulk_extractor,” preprint submitted to Elsevier, September 3, 2011. Available online: <http://simson.net/ref/2011/bulk_extractor.pdf>.
(11) “NTFS,” Wikipedia: The free online encyclopedia. Available: <http://en.wikipedia.org/wiki/NTFS>.
(12) “Extended File System,” Wikipedia: The free online encyclopedia. Available: <http://en.wikipedia.org/wiki/Extended_file_system>.
(13) “ISO9660,” Wikipedia: The free online encyclopedia. Available: <http://en.wikipedia.org/wiki/ISO9660>.
(14) Brian Carrier, “tsk_fs.h,” SourceArchive.com: The Sourcecode Archive, Sleuthkit Version 3.0.1-5. Available: <http://sleuthkit.sourcearchive.com/documentation/3.0.1-5/tsk__fs_8h-source.html#l00495>.
(15) “Hierarchical File System,” Wikipedia: The free online encyclopedia. Available: <http://en.wikipedia.org/wiki/Hierarchical_File_System>.
(16) “vmstat/memstat,” Solaris Internals. Available: <http://www.solarisinternals.com/si/tools/vmstat/index.php>.
(17) Gian-Paolo D. Musumeci and Mike Loukides, “Chapter 4: Memory,” System Performance Tuning, 2nd Edition. Available: <http://oreilly.com/catalog/spt2/chapter/ch04.html#79188>.
(18) “Fls – SleuthKitWiki,” SleuthKitWiki. Available: <http://wiki.sleuthkit.org/index.php?title=Fls>.
(19) Personal email, Kam Woods and Cal Lee. April 11, 2012.
(20) Simson Garfinkel, “Digital Forensics XML” (Presentation). March 8, 2011. Available online: <http://simson.net/ref/2011/2011-03-08%20DFXML.pdf>.
(21) “Guidelines for Implementing Dublin Core in XML,” Dublin Core Metadata Initiative. Available: <http://dublincore.org/documents/dc-xml-guidelines/>.
(22) “Category: Digital Forensics XML Schema,” Digital Forensics Wiki: <http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML>.
(23) “Application Footprint XML,” Digital Forensics Wiki: <http://www.forensicswiki.org/wiki/Application_Footprint_XML>.
(24) Ron White and Tim Downs, illustrator. How Computers Work. Indianapolis, IN: Que Publishing (2008): 160.
(25) Christopher Inacio, "Digital Forensics Extension for IODEF." March 26, 2012. Available online: <http://tools.ietf.org/html/draft-inacio-mile-forensics-00>.
(26) "MAC Address," Wikipedia: The free online encyclopedia. Available: <http://en.wikipedia.org/wiki/MAC_address>.
(27) Simson Garfinkel, "Bulk extractor python code." Available online: <https://github.com/simsong/bulk_extractor/blob/master/python/dfxml.py>.