dfxml 0.2.1

data/20100408-36301.0001.dd.xml

@@ -0,0 +1,564 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<dfxml version='1.0'>
+  <metadata 
+  xmlns='http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML'
+  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' 
+  xmlns:dc='http://purl.org/dc/elements/1.1/'>
+    <dc:type>Disk Image</dc:type>
+  </metadata>
+  <creator version='1.0'>
+    <program>fiwalk</program>
+    <version>4.1.0</version>
+    <build_environment>
+      <compiler>GCC 4.6</compiler>
+      <library name="afflib" version="3.7.1"/>
+      <library name="libewf" version="20130128"/>
+    </build_environment>
+    <execution_environment>
+      <command_line>fiwalk -fxc /opt/fiwalk-dgi/ficonfig.txt 20100408-36301.0001.dd.001 20100408-36301.0001.dd.001.csv 20100408-36301.0001.dd.001.txt 20100408-36301.0001.dd.002 20100408-36301.0001.dd.003 20100408-36301.0001.dd.xml</command_line>
+      <start_time>2013-07-11T16:15:57Z</start_time>
+    </execution_environment>
+  </creator>
+<!-- Reading configuration file /opt/fiwalk-dgi/ficonfig.txt -->
+<!-- pattern: *  method: dgi  path: python /opt/fiwalk-dgi/python/accession.py -->
+  <source>
+    <image_filename>20100408-36301.0001.dd.001</image_filename>
+  </source>
+<!-- fs start: 0 -->
+  <volume offset='0'>
+    <partition_offset>0</partition_offset>
+    <sector_size>512</sector_size>
+    <block_size>4096</block_size>
+    <ftype>8</ftype>
+    <ftype_str>fat32</ftype_str>
+    <block_count>7826049</block_count>
+    <first_block>0</first_block>
+    <last_block>7826048</last_block>
+    <fileobject>
+      <parent_object>
+        <inode>2</inode>
+      </parent_object>
+      <filename>HP v125w    (Volume Label Entry)</filename>
+      <partition>1</partition>
+      <id>1</id>
+      <name_type>r</name_type>
+      <filesize>0</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>3</inode>
+      <meta_type>1</meta_type>
+      <mode>511</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2009-10-22T12:55:52</mtime>
+      <libmagic>empty </libmagic>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>2</inode>
+      </parent_object>
+      <filename>janephillips</filename>
+      <partition>1</partition>
+      <id>2</id>
+      <name_type>d</name_type>
+      <filesize>4096</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>5</inode>
+      <meta_type>2</meta_type>
+      <mode>511</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2010-03-31T01:21:42</mtime>
+      <atime prec="86400">2010-03-30T04:00:00</atime>
+      <crtime prec="2">2010-03-31T01:21:40</crtime>
+      <libmagic>data </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='7831552' img_offset='7831552' len='4096'/>
+      </byte_runs>
+      <hashdigest type='md5'>ecec71518c56a41340f069f12166e2ab</hashdigest>
+      <hashdigest type='sha1'>ec9130749ff5f4c1ec104c041773d96706942165</hashdigest>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>5</inode>
+      </parent_object>
+      <filename>janephillips/.</filename>
+      <partition>1</partition>
+      <id>3</id>
+      <name_type>d</name_type>
+      <filesize>4096</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>5</inode>
+      <meta_type>2</meta_type>
+      <mode>511</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2010-03-31T01:21:42</mtime>
+      <atime prec="86400">2010-03-30T04:00:00</atime>
+      <crtime prec="2">2010-03-31T01:21:40</crtime>
+      <libmagic>data </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='7831552' img_offset='7831552' len='4096'/>
+      </byte_runs>
+      <hashdigest type='md5'>ecec71518c56a41340f069f12166e2ab</hashdigest>
+      <hashdigest type='sha1'>ec9130749ff5f4c1ec104c041773d96706942165</hashdigest>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>5</inode>
+      </parent_object>
+      <filename>janephillips/..</filename>
+      <partition>1</partition>
+      <id>4</id>
+      <name_type>d</name_type>
+      <filesize>4096</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>2</inode>
+      <meta_type>2</meta_type>
+      <mode>0</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <libmagic>data </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='7827456' img_offset='7827456' len='4096'/>
+      </byte_runs>
+      <hashdigest type='md5'>ae28e6cc4fde66b67b72bd8dcf21ba8e</hashdigest>
+      <hashdigest type='sha1'>7003336d0f5d0bbea228294eafb8eee4327321f4</hashdigest>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>5</inode>
+      </parent_object>
+      <filename>janephillips/text</filename>
+      <partition>1</partition>
+      <id>5</id>
+      <name_type>d</name_type>
+      <filesize>4096</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>133</inode>
+      <meta_type>2</meta_type>
+      <mode>511</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2010-03-31T01:21:42</mtime>
+      <atime prec="86400">2010-03-30T04:00:00</atime>
+      <crtime prec="2">2010-03-31T01:21:40</crtime>
+      <libmagic>data </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='7835648' img_offset='7835648' len='4096'/>
+      </byte_runs>
+      <hashdigest type='md5'>d51db64da0b34bf3d83dc53bd2c21f73</hashdigest>
+      <hashdigest type='sha1'>df04cd316a689cefe8e3b354dc4fd9849dcb5426</hashdigest>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>133</inode>
+      </parent_object>
+      <filename>janephillips/text/.</filename>
+      <partition>1</partition>
+      <id>6</id>
+      <name_type>d</name_type>
+      <filesize>4096</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>133</inode>
+      <meta_type>2</meta_type>
+      <mode>511</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2010-03-31T01:21:42</mtime>
+      <atime prec="86400">2010-03-30T04:00:00</atime>
+      <crtime prec="2">2010-03-31T01:21:40</crtime>
+      <libmagic>data </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='7835648' img_offset='7835648' len='4096'/>
+      </byte_runs>
+      <hashdigest type='md5'>d51db64da0b34bf3d83dc53bd2c21f73</hashdigest>
+      <hashdigest type='sha1'>df04cd316a689cefe8e3b354dc4fd9849dcb5426</hashdigest>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>133</inode>
+      </parent_object>
+      <filename>janephillips/text/..</filename>
+      <partition>1</partition>
+      <id>7</id>
+      <name_type>d</name_type>
+      <filesize>4096</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>5</inode>
+      <meta_type>2</meta_type>
+      <mode>511</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2010-03-31T01:21:42</mtime>
+      <atime prec="86400">2010-03-30T04:00:00</atime>
+      <crtime prec="2">2010-03-31T01:21:40</crtime>
+      <libmagic>data </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='7831552' img_offset='7831552' len='4096'/>
+      </byte_runs>
+      <hashdigest type='md5'>ecec71518c56a41340f069f12166e2ab</hashdigest>
+      <hashdigest type='sha1'>ec9130749ff5f4c1ec104c041773d96706942165</hashdigest>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>133</inode>
+      </parent_object>
+      <filename>janephillips/text/Allison Kennedy.txt</filename>
+      <partition>1</partition>
+      <id>8</id>
+      <name_type>r</name_type>
+      <filesize>194163</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>263</inode>
+      <meta_type>1</meta_type>
+      <mode>511</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2010-03-31T01:02:06</mtime>
+      <atime prec="86400">2010-03-30T04:00:00</atime>
+      <crtime prec="2">2010-03-31T01:21:40</crtime>
+      <libmagic>HTML document, Non-ISO extended-ASCII text, with very long lines, with CRLF, NEL line terminators </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='7839744' img_offset='7839744' len='194163'/>
+      </byte_runs>
+      <hashdigest type='md5'>09281847eca043af4ececcaa1f586c94</hashdigest>
+      <hashdigest type='sha1'>5b9b5108655a63b446bd97b09db102637a719930</hashdigest>
+<!-- plugin_process -->
+      <virusScannerSignatureDate>2013-07-11T10:13:45</virusScannerSignatureDate>
+      <pronomSignatureName>HTML pre-2.0</pronomSignatureName>
+      <pronomFormatAlias>HTML</pronomFormatAlias>
+      <pronomTotalMatches>1</pronomTotalMatches>
+      <pronomMatchType>signature</pronomMatchType>
+      <pronomSoftware>fido 1.0.0</pronomSoftware>
+      <pronomFormatName>Hypertext Markup Language</pronomFormatName>
+      <pronomPuid>fmt/96</pronomPuid>
+      <virusScannerSignatureVersion>17490</virusScannerSignatureVersion>
+      <pronomFormatMimeType>text/html</pronomFormatMimeType>
+      <virusScannerVersion>ClamAV 0.97.8</virusScannerVersion>
+      <virusFound>false</virusFound>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>5</inode>
+      </parent_object>
+      <filename>janephillips/eudora7</filename>
+      <partition>1</partition>
+      <id>9</id>
+      <name_type>d</name_type>
+      <filesize>4096</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>134</inode>
+      <meta_type>2</meta_type>
+      <mode>511</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2010-03-31T01:21:42</mtime>
+      <atime prec="86400">2010-03-30T04:00:00</atime>
+      <crtime prec="2">2010-03-31T01:21:41</crtime>
+      <libmagic>data </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='8036352' img_offset='8036352' len='4096'/>
+      </byte_runs>
+      <hashdigest type='md5'>50b28ede533b56bb3230662e52a5c413</hashdigest>
+      <hashdigest type='sha1'>2ab56f7b3ff95b5678b0aeac6092525d65a933bf</hashdigest>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>134</inode>
+      </parent_object>
+      <filename>janephillips/eudora7/.</filename>
+      <partition>1</partition>
+      <id>10</id>
+      <name_type>d</name_type>
+      <filesize>4096</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>134</inode>
+      <meta_type>2</meta_type>
+      <mode>511</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2010-03-31T01:21:42</mtime>
+      <atime prec="86400">2010-03-30T04:00:00</atime>
+      <crtime prec="2">2010-03-31T01:21:41</crtime>
+      <libmagic>data </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='8036352' img_offset='8036352' len='4096'/>
+      </byte_runs>
+      <hashdigest type='md5'>50b28ede533b56bb3230662e52a5c413</hashdigest>
+      <hashdigest type='sha1'>2ab56f7b3ff95b5678b0aeac6092525d65a933bf</hashdigest>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>134</inode>
+      </parent_object>
+      <filename>janephillips/eudora7/..</filename>
+      <partition>1</partition>
+      <id>11</id>
+      <name_type>d</name_type>
+      <filesize>4096</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>5</inode>
+      <meta_type>2</meta_type>
+      <mode>511</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2010-03-31T01:21:42</mtime>
+      <atime prec="86400">2010-03-30T04:00:00</atime>
+      <crtime prec="2">2010-03-31T01:21:40</crtime>
+      <libmagic>data </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='7831552' img_offset='7831552' len='4096'/>
+      </byte_runs>
+      <hashdigest type='md5'>ecec71518c56a41340f069f12166e2ab</hashdigest>
+      <hashdigest type='sha1'>ec9130749ff5f4c1ec104c041773d96706942165</hashdigest>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>134</inode>
+      </parent_object>
+      <filename>janephillips/eudora7/Jane Phillips.mbx</filename>
+      <partition>1</partition>
+      <id>12</id>
+      <name_type>r</name_type>
+      <filesize>278371</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>6535</inode>
+      <meta_type>1</meta_type>
+      <mode>511</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2008-11-05T19:56:32</mtime>
+      <atime prec="86400">2010-03-30T04:00:00</atime>
+      <crtime prec="2">2010-03-31T01:21:41</crtime>
+      <libmagic>HTML document, Non-ISO extended-ASCII text, with very long lines, with CRLF, NEL line terminators </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='8040448' img_offset='8040448' len='278371'/>
+      </byte_runs>
+      <hashdigest type='md5'>f0cb92f709c47f09e543615257531d08</hashdigest>
+      <hashdigest type='sha1'>8afe5717febcb06138e70ca0a764904142db3025</hashdigest>
+<!-- plugin_process -->
+      <virusScannerSignatureDate>2013-07-11T10:13:45</virusScannerSignatureDate>
+      <pronomTotalMatches>0</pronomTotalMatches>
+      <pronomMatchType>fail</pronomMatchType>
+      <pronomSoftware>fido 1.0.0</pronomSoftware>
+      <virusScannerSignatureVersion>17490</virusScannerSignatureVersion>
+      <virusScannerVersion>ClamAV 0.97.8</virusScannerVersion>
+      <virusFound>false</virusFound>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>134</inode>
+      </parent_object>
+      <filename>janephillips/eudora7/Jane Phillips.toc</filename>
+      <partition>1</partition>
+      <id>13</id>
+      <name_type>r</name_type>
+      <filesize>15800</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>6538</inode>
+      <meta_type>1</meta_type>
+      <mode>511</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2010-03-30T23:36:14</mtime>
+      <atime prec="86400">2010-03-30T04:00:00</atime>
+      <crtime prec="2">2010-03-31T01:21:41</crtime>
+      <libmagic>data </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='8318976' img_offset='8318976' len='15800'/>
+      </byte_runs>
+      <hashdigest type='md5'>44892b0903732b3a9450108bd6a922dc</hashdigest>
+      <hashdigest type='sha1'>0ed9d2a4a47af381b82ce7c7c280ab7b356712fa</hashdigest>
+<!-- plugin_process -->
+      <virusScannerSignatureDate>2013-07-11T10:13:45</virusScannerSignatureDate>
+      <pronomTotalMatches>0</pronomTotalMatches>
+      <pronomMatchType>fail</pronomMatchType>
+      <pronomSoftware>fido 1.0.0</pronomSoftware>
+      <virusScannerSignatureVersion>17490</virusScannerSignatureVersion>
+      <virusScannerVersion>ClamAV 0.97.8</virusScannerVersion>
+      <virusFound>false</virusFound>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>5</inode>
+      </parent_object>
+      <filename>janephillips/janephillips.rtf</filename>
+      <partition>1</partition>
+      <id>14</id>
+      <name_type>r</name_type>
+      <filesize>0</filesize>
+      <unalloc>1</unalloc>
+      <used>1</used>
+      <inode>137</inode>
+      <meta_type>1</meta_type>
+      <mode>511</mode>
+      <nlink>0</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2010-03-31T01:24:44</mtime>
+      <atime prec="86400">2010-03-30T04:00:00</atime>
+      <crtime prec="2">2010-03-31T01:24:43</crtime>
+      <libmagic>empty </libmagic>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>5</inode>
+      </parent_object>
+      <filename>janephillips/janephillips.rtf</filename>
+      <partition>1</partition>
+      <id>15</id>
+      <name_type>r</name_type>
+      <filesize>322</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>140</inode>
+      <meta_type>1</meta_type>
+      <mode>511</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <mtime prec="2">2010-03-31T01:24:44</mtime>
+      <atime prec="86400">2010-03-30T04:00:00</atime>
+      <crtime prec="2">2010-03-31T01:24:43</crtime>
+      <libmagic>Rich Text Format data, version 1, ANSI </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='8335360' img_offset='8335360' len='322'/>
+      </byte_runs>
+      <hashdigest type='md5'>7afc8eca6110dc8af40ae1d8e12fb91b</hashdigest>
+      <hashdigest type='sha1'>8b659e428e361f5f0f31c3669bbb4049710b55f8</hashdigest>
+<!-- plugin_process -->
+      <virusScannerSignatureDate>2013-07-11T10:13:45</virusScannerSignatureDate>
+      <pronomSignatureName>RTF 1.5 - 1.6 (generic)</pronomSignatureName>
+      <pronomFormatAlias>RTF (1.6), RTF (2000)</pronomFormatAlias>
+      <pronomTotalMatches>2</pronomTotalMatches>
+      <pronomFormatVersion>1.6</pronomFormatVersion>
+      <pronomMatchType>signature</pronomMatchType>
+      <pronomSoftware>fido 1.0.0</pronomSoftware>
+      <pronomFormatName>Rich Text Format</pronomFormatName>
+      <pronomPuid>fmt/51</pronomPuid>
+      <virusScannerSignatureVersion>17490</virusScannerSignatureVersion>
+      <pronomFormatMimeType>application/rtf</pronomFormatMimeType>
+      <virusScannerVersion>ClamAV 0.97.8</virusScannerVersion>
+      <virusFound>false</virusFound>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>2</inode>
+      </parent_object>
+      <filename>$MBR</filename>
+      <partition>1</partition>
+      <id>16</id>
+      <name_type>v</name_type>
+      <filesize>512</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>124972179</inode>
+      <meta_type>10</meta_type>
+      <mode>0</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <libmagic>x86 boot sector, code offset 0x58, OEM-ID &quot;MSDOS5.0&quot;, sectors/cluster 8, Media descriptor 0xf8, heads 255, hidden sectors 63, sectors 7826049 (volumes &gt; 32 MB) , FAT (32 bit), sectors/FAT 7628, serial number 0x6cf84d4c, unlabeled </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='0' img_offset='0' len='512'/>
+      </byte_runs>
+      <hashdigest type='md5'>b7358e9e2f23bdb86eb55940b8ae1150</hashdigest>
+      <hashdigest type='sha1'>9330ee4551746769d9309750e82a869b0a3ff245</hashdigest>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>2</inode>
+      </parent_object>
+      <filename>$FAT1</filename>
+      <partition>1</partition>
+      <id>17</id>
+      <name_type>v</name_type>
+      <filesize>3905536</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>124972180</inode>
+      <meta_type>10</meta_type>
+      <mode>0</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <libmagic>data </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='16384' img_offset='16384' len='3905536'/>
+      </byte_runs>
+      <hashdigest type='md5'>e758c65bb431fc903a6bc97a52058aec</hashdigest>
+      <hashdigest type='sha1'>6495a4aaf9e087446e3199835706c7cde693e499</hashdigest>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>2</inode>
+      </parent_object>
+      <filename>$FAT2</filename>
+      <partition>1</partition>
+      <id>18</id>
+      <name_type>v</name_type>
+      <filesize>3905536</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>124972181</inode>
+      <meta_type>10</meta_type>
+      <mode>0</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <libmagic>data </libmagic>
+      <byte_runs>
+       <byte_run file_offset='0' fs_offset='3921920' img_offset='3921920' len='3905536'/>
+      </byte_runs>
+      <hashdigest type='md5'>e758c65bb431fc903a6bc97a52058aec</hashdigest>
+      <hashdigest type='sha1'>6495a4aaf9e087446e3199835706c7cde693e499</hashdigest>
+    </fileobject>
+    <fileobject>
+      <parent_object>
+        <inode>2</inode>
+      </parent_object>
+      <filename>$OrphanFiles</filename>
+      <partition>1</partition>
+      <id>19</id>
+      <name_type>d</name_type>
+      <filesize>0</filesize>
+      <alloc>1</alloc>
+      <used>1</used>
+      <inode>124972182</inode>
+      <meta_type>2</meta_type>
+      <mode>0</mode>
+      <nlink>1</nlink>
+      <uid>0</uid>
+      <gid>0</gid>
+      <libmagic>empty </libmagic>
+    </fileobject>
+  </volume>
+<!-- end of volume -->
+<!-- clock: 137 -->
+</dfxml>

data/Gemfile

@@ -0,0 +1,16 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+#   gem "activesupport", ">= 2.3.5"
+
+gem "nokogiri"
+gem "sax-machine", :git => 'git://github.com/pauldix/sax-machine'
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem "shoulda", ">= 0"
+  gem "rdoc"
+  gem "bundler"
+  gem "jeweler"
+end

data/Gemfile.lock

@@ -0,0 +1,53 @@
+GIT
+  remote: git://github.com/pauldix/sax-machine
+  revision: 4027000775ae17eb7ecb8b1a4660044d7041559c
+  specs:
+    sax-machine (0.2.0.rc1)
+      nokogiri (>= 1.5.6)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activesupport (4.0.0)
+      i18n (~> 0.6, >= 0.6.4)
+      minitest (~> 4.2)
+      multi_json (~> 1.3)
+      thread_safe (~> 0.1)
+      tzinfo (~> 0.3.37)
+    atomic (1.1.10)
+    git (1.2.5)
+    i18n (0.6.4)
+    jeweler (1.8.4)
+      bundler (~> 1.0)
+      git (>= 1.2.5)
+      rake
+      rdoc
+    json (1.8.0)
+    mini_portile (0.5.1)
+    minitest (4.7.5)
+    multi_json (1.7.7)
+    nokogiri (1.6.0)
+      mini_portile (~> 0.5.0)
+    rake (10.1.0)
+    rdoc (4.0.1)
+      json (~> 1.4)
+    shoulda (3.5.0)
+      shoulda-context (~> 1.0, >= 1.0.1)
+      shoulda-matchers (>= 1.4.1, < 3.0)
+    shoulda-context (1.1.4)
+    shoulda-matchers (2.2.0)
+      activesupport (>= 3.0.0)
+    thread_safe (0.1.2)
+      atomic
+    tzinfo (0.3.37)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler
+  jeweler
+  nokogiri
+  rdoc
+  sax-machine!
+  shoulda

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2012-2013 Mark A. Matienzo
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,21 @@
+= dfxml
+
+A Ruby module for parsing and writing Digital Forensics XML metadata.
+
+Until this line is removed from the README it should be considered as under extremely active development and hence unstable.
+
+== Contributing to dfxml
+ 
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet.
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it.
+* Fork the project.
+* Start a feature/bugfix branch.
+* Commit and push until you are happy with your contribution.
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+== Copyright
+
+Copyright (c) 2012-2013 Mark A. Matienzo. See LICENSE.txt for
+further details.
+

data/Rakefile

@@ -0,0 +1,45 @@
+# encoding: utf-8
+
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "dfxml"
+  gem.homepage = "http://github.com/anarchivist/dfxml"
+  gem.license = "MIT"
+  gem.summary = %Q{Parse and write Digital Forensics XML (DFXML) data}
+  gem.description = %Q{dfxml allows you to parse Digital Forensics XML data as created by tools such as fiwalk.}
+  gem.email = "mark@matienzo.org"
+  gem.authors = ["Mark A. Matienzo"]
+  # dependencies defined in Gemfile
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+task :default => :test
+
+require 'rdoc/task'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "dfxml #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.2.1

data/dfxml.gemspec

@@ -0,0 +1,67 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = "dfxml"
+  s.version = "0.2.1"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Mark A. Matienzo"]
+  s.date = "2013-07-31"
+  s.description = "dfxml allows you to parse Digital Forensics XML data as created by tools such as fiwalk."
+  s.email = "mark@matienzo.org"
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.rdoc"
+  ]
+  s.files = [
+    "20100408-36301.0001.dd.xml",
+    "Gemfile",
+    "Gemfile.lock",
+    "LICENSE.txt",
+    "README.rdoc",
+    "Rakefile",
+    "VERSION",
+    "dfxml.gemspec",
+    "examples/totals.rb",
+    "lib/dfxml.rb",
+    "lib/dfxml/parser.rb",
+    "test/helper.rb",
+    "test/test_dfxml.rb"
+  ]
+  s.homepage = "http://github.com/anarchivist/dfxml"
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = "1.8.23"
+  s.summary = "Parse and write Digital Forensics XML (DFXML) data"
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<nokogiri>, [">= 0"])
+      s.add_runtime_dependency(%q<sax-machine>, [">= 0"])
+      s.add_development_dependency(%q<shoulda>, [">= 0"])
+      s.add_development_dependency(%q<rdoc>, [">= 0"])
+      s.add_development_dependency(%q<bundler>, [">= 0"])
+      s.add_development_dependency(%q<jeweler>, [">= 0"])
+    else
+      s.add_dependency(%q<nokogiri>, [">= 0"])
+      s.add_dependency(%q<sax-machine>, [">= 0"])
+      s.add_dependency(%q<shoulda>, [">= 0"])
+      s.add_dependency(%q<rdoc>, [">= 0"])
+      s.add_dependency(%q<bundler>, [">= 0"])
+      s.add_dependency(%q<jeweler>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<nokogiri>, [">= 0"])
+    s.add_dependency(%q<sax-machine>, [">= 0"])
+    s.add_dependency(%q<shoulda>, [">= 0"])
+    s.add_dependency(%q<rdoc>, [">= 0"])
+    s.add_dependency(%q<bundler>, [">= 0"])
+    s.add_dependency(%q<jeweler>, [">= 0"])
+  end
+end
+

data/examples/totals.rb

@@ -0,0 +1,20 @@
+require 'nokogiri'
+require 'dfxml'
+
+# Based on http://stackoverflow.com/questions/9199859#9223767
+
+file = ARGV[0]
+reader = Nokogiri::XML::Reader(file)
+extent = 0
+count = 0
+while reader.read
+  if reader.node_type == Nokogiri::XML::Reader::TYPE_ELEMENT and reader.name == 'fileobject'
+    f = Dfxml::SAXReader::FileObject.parse(reader.outer_xml)
+    if f.type == :file
+      puts "#{f.filename}: #{f.filesize} bytes"
+      extent += f.filesize.to_i
+      count += 1
+    end
+  end
+end
+puts "#{count} files; #{extent} bytes total"

data/lib/dfxml.rb

@@ -0,0 +1,61 @@
+require 'rubygems'
+require 'nokogiri'
+
+module Dfxml
+  
+  NumericFileTypes = {
+    # numeric values are in tsk3/fs/tsk_fs.h - TSK_FS_NAME_TYPE_ENUM
+    # returned within fiwalk's fileobjects as meta_type
+    0 => :unknown,
+    1 => :file,
+    2 => :directory,          
+    3 => :named_pipe,
+    4 => :character_device,
+    5 => :block_device,
+    6 => :symlink,
+    7 => :shadow,
+    8 => :socket,
+    9 => :whiteout,
+    10 => :tsk_virtual_file,
+  }
+  
+  CharacterFileTypes = {
+    # character values are what are returned from tsk's cli utils
+    # returned within fiwalk's fileobjects as name_type
+    '-' => :unknown,
+    'r' => :file,
+    'd' => :directory,          
+    'c' => :character_device,
+    'b' => :block_device,
+    'l' => :symlink,
+    'p' => :named_pipe,
+    's' => :shadow,
+    'h' => :socket,
+    'w' => :whiteout,
+    'v' => :tsk_virtual_file
+  }
+  
+  NumericFileSystemTypes = {
+    # numeric values are in tsk3/fs/tsk_fs.h - TSK_FS_TYPE_ENUM
+    # symbol names based on fs_type_table in tsk3/fs/fs_types.c
+    0 => :unknown,
+    1 => :ntfs, # autodetected
+    2 => :fat12,
+    4 => :fat16,
+    8 => :fat32,
+    14 => :fat, # autodetected
+    16 => :ufs1,
+    # 32 => :ufs1b, # not expressed in fs_type_table; legacy value
+    64 => :ufs2,
+    112 => :ufs, # autodetected
+    128 => :ext2,
+    256 => :ext3,
+    # 384 => :ext, # autodetected - not expressed in fs_type_table
+    512 => :swap,
+    1024 => :raw,
+    2048 => :iso9660,
+    4096 => :hfs, # actually HFS+; using :hfs based on TSK convention
+    # 4294967295 => :unsupported
+  }
+  
+end

data/lib/dfxml/parser.rb

@@ -0,0 +1,239 @@
+require 'sax-machine'
+require 'time'
+
+def isone?(val)
+  # Return true if something is one (number or string).
+  # Based on Python isone function packaged in fiwalk's dfxml.py
+  # Unlike Python, we probably don't need to catch a TypeError exception.
+  true ? val.to_i == 1 : false
+end
+
+module Dfxml
+  
+  module Parser
+
+    class ByteRun
+      include SAXMachine
+      attribute :file_offset, :class => Integer
+      attribute :fs_offset, :class => Integer
+      attribute :img_offset, :class => Integer
+      attribute :len, :as => :length, :class => Integer
+    end
+    
+    class ByteRunGroup
+      include SAXMachine
+      elements :byte_run, :as => :runs, :class => ByteRun
+    end
+
+    class ParentObject
+      include SAXMachine
+      element :inode, :class => Integer
+    end
+
+    class FileObject
+      include SAXMachine
+      element :alloc # TSK_FS_META.flags
+      element :atime # file content access time
+      element :atime, :value => :prec, :as => :atime_prec
+      element :compressed # TSK_FS_META.flags
+      element :bkup_time # HFS+ only
+      element :crtime # created time
+      element :crtime, :value => :prec, :as => :crtime_prec
+      element :ctime # file/metadata status change time
+      element :ctime, :value => :prec, :as => :ctime_prec
+      element :dtime # deletion time (ext only)
+      element :dtime, :value => :prec, :as => :dtime_prec
+      element :encrypted
+      element :filename
+      element :filesize, :class => Integer
+      element :fragments, :class => Integer
+      element :gid, :class => Integer
+      element :id_, :class => Integer
+      element :inode, :class => Integer
+      element :libmagic
+      element :link_target
+      element :meta_type, :class => Integer
+      element :mode
+      element :mtime # content modification time
+      element :mtime, :value => :prec, :as => :mtime_prec
+      element :name_type
+      element :nlink, :class => Integer # number of links to this file 
+      element :orphan # TSK_FS_META.flags
+      element :parent_object, :class => ParentObject
+      element :partition
+      element :seq, :class => Integer # sequence number (ntfs only)
+      element :uid, :class => Integer
+      element :unalloc # TSK_FS_META.flags
+      element :unused # TSK_FS_META.flags
+      element :used # TSK_FS_META.flags
+      element :byte_runs, :class => ByteRunGroup
+      element :hashdigest, :as => :md5, :with => {:type => "md5"}
+      element :hashdigest, :as => :sha1, :with => {:type => "sha1"}
+      element :hashdigest, :as => :sha256, :with => {:type => "sha256"}
+      # elements from fido extractor plugin
+      # element "PUID", :as => :pronom_puid
+      # element "PronomFormat", :as => :pronom_format
+      
+      # Begin timestamp methods
+      #
+      # It would be preferable to have a way to call these matching on
+      # element name.
+      
+      def atime=(val)
+        @atime = Time.parse(val)
+      end
+      
+      def bkup_time=(val)
+        @bkup_time = Time.parse(val)
+      end
+      
+      def crtime=(val)
+        @crtime = Time.parse(val)
+      end
+      
+      def dtime=(val)
+        @dtime = Time.parse(val)
+      end
+      
+      def mtime=(val)
+        @mtime = Time.parse(val)
+      end
+      
+      # End timestamp methods
+      
+      # Begin boolean methods
+      #
+      # Convenience methods for flags expressed in the metadata layer of
+      # file systems. However, they're not terribly robust and are considered
+      # workarounds for the way fiwalk expresses metadata-layer flags in
+      # its output. In fiwalk-generated dfxml, when an element should be
+      # considered true, the element contains the value "1". However, the
+      # expression in output doesn't necessarily fit with what humans expect.
+      # For example, the allocated/unallocated flags are expressed in
+      # fiwalk's output as follows:
+      #
+      # - when allocated: <alloc>1</alloc>
+      # - when unallocated: <unalloc>1</unalloc>
+      # 
+      # For more clarification, see fiwalk_tsk.cpp's handling for
+      # fs_file->meta in process_tsk_file.
+            
+      def allocated?
+        isone?(@alloc) && !isone?(@unalloc)
+      end
+      
+      def compressed?
+        isone?(@compressed)
+      end
+      
+      def encrypted?
+        # encrypted is not a flag, but we'll treat it like one.
+        isone?(@encrypted)
+      end
+      
+      def orphan?
+        isone?(@orphan)
+      end
+      
+      def used?
+        isone?(@used) && !isone?(@unused)
+      end
+      
+      # End boolean methods      
+      
+      def type
+        Dfxml::CharacterFileTypes[@name_type] ||= Dfxml::NumericFileTypes[@meta_type.to_i]
+      end
+      
+    end
+
+    class Volume
+      include SAXMachine
+      attribute :offset
+      element :partition_offset, :class => Integer
+      element :sector_size, :class => Integer
+      element :block_size, :class => Integer
+      element :ftype, :class => Integer
+      element :ftype_str  
+      element :block_count, :class => Integer
+      element :first_block, :class => Integer
+      element :last_block, :class => Integer
+      element :allocated_only
+      elements :fileobject, :as => :fileobjects, :class => FileObject
+      
+      def ftype=(val)
+        @ftype ||= Dfxml::NumericFileSystemTypes[val.to_i]
+      end
+      
+      def ftype_str=(val)
+        @ftype ||= val.to_sym
+      end
+      
+    end
+    
+    class ExecutionEnvironment
+      include SAXMachine
+      element :os_sysname
+      element :os_release
+      element :os_version
+      element :host
+      element :arch
+      element :command_line
+      element :start_time
+    end
+    
+    class BuildLibrary
+      include SAXMachine
+      attribute :name
+      attribute :version
+    end
+    
+    class BuildEnvironment
+      include SAXMachine
+      element :compiler
+      elements :library, :as => :libraries, :class => BuildLibrary
+    end
+    
+    class Creator
+      include SAXMachine
+      element :program
+      element :version
+      element :build_environment, :class => BuildEnvironment
+      element :execution_environment, :class => ExecutionEnvironment
+    end
+    
+    class Source
+      include SAXMachine
+      element :image_filename
+    end
+    
+    class Metadata
+      include SAXMachine
+      element "dc:type", :as => :type
+    end
+    
+    class RuntimeStatistics
+      include SAXMachine
+      element :user_seconds
+      element :system_seconds
+      element :maxrss
+      element :reclaims
+      element :faults
+      element :swaps
+      element :inputs
+      element :outputs
+      element :stop_time
+    end
+    
+    class DFXML
+      include SAXMachine
+      attribute :version
+      element :metadata, :class => Metadata
+      element :creator, :class => Creator
+      element :source, :class => Source
+      elements :volume, :as => :volumes, :class => Volume
+      element :runstats, :class => RuntimeStatistics
+    end  
+  end
+  
+end

data/test/helper.rb

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'dfxml'
+
+class Test::Unit::TestCase
+end

data/test/test_dfxml.rb

@@ -0,0 +1,7 @@
+require 'helper'
+
+class TestDfxml < Test::Unit::TestCase
+  should "probably rename this file and start testing for real" do
+    flunk "hey buddy, you should probably rename this file and start testing for real"
+  end
+end

metadata

@@ -0,0 +1,160 @@
+--- !ruby/object:Gem::Specification
+name: dfxml
+version: !ruby/object:Gem::Version
+  version: 0.2.1
+  prerelease: 
+platform: ruby
+authors:
+- Mark A. Matienzo
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-07-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sax-machine
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: shoulda
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jeweler
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: dfxml allows you to parse Digital Forensics XML data as created by tools
+  such as fiwalk.
+email: mark@matienzo.org
+executables: []
+extensions: []
+extra_rdoc_files:
+- LICENSE.txt
+- README.rdoc
+files:
+- 20100408-36301.0001.dd.xml
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.rdoc
+- Rakefile
+- VERSION
+- dfxml.gemspec
+- examples/totals.rb
+- lib/dfxml.rb
+- lib/dfxml/parser.rb
+- test/helper.rb
+- test/test_dfxml.rb
+homepage: http://github.com/anarchivist/dfxml
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -2615441025238209260
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Parse and write Digital Forensics XML (DFXML) data
+test_files: []