dfxml 0.2.1

@@ -0,0 +1,564 @@
1
+ <?xml version='1.0' encoding='UTF-8'?>
2
+ <dfxml version='1.0'>
3
+ <metadata
4
+ xmlns='http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML'
5
+ xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
6
+ xmlns:dc='http://purl.org/dc/elements/1.1/'>
7
+ <dc:type>Disk Image</dc:type>
8
+ </metadata>
9
+ <creator version='1.0'>
10
+ <program>fiwalk</program>
11
+ <version>4.1.0</version>
12
+ <build_environment>
13
+ <compiler>GCC 4.6</compiler>
14
+ <library name="afflib" version="3.7.1"/>
15
+ <library name="libewf" version="20130128"/>
16
+ </build_environment>
17
+ <execution_environment>
18
+ <command_line>fiwalk -fxc /opt/fiwalk-dgi/ficonfig.txt 20100408-36301.0001.dd.001 20100408-36301.0001.dd.001.csv 20100408-36301.0001.dd.001.txt 20100408-36301.0001.dd.002 20100408-36301.0001.dd.003 20100408-36301.0001.dd.xml</command_line>
19
+ <start_time>2013-07-11T16:15:57Z</start_time>
20
+ </execution_environment>
21
+ </creator>
22
+ <!-- Reading configuration file /opt/fiwalk-dgi/ficonfig.txt -->
23
+ <!-- pattern: * method: dgi path: python /opt/fiwalk-dgi/python/accession.py -->
24
+ <source>
25
+ <image_filename>20100408-36301.0001.dd.001</image_filename>
26
+ </source>
27
+ <!-- fs start: 0 -->
28
+ <volume offset='0'>
29
+ <partition_offset>0</partition_offset>
30
+ <sector_size>512</sector_size>
31
+ <block_size>4096</block_size>
32
+ <ftype>8</ftype>
33
+ <ftype_str>fat32</ftype_str>
34
+ <block_count>7826049</block_count>
35
+ <first_block>0</first_block>
36
+ <last_block>7826048</last_block>
37
+ <fileobject>
38
+ <parent_object>
39
+ <inode>2</inode>
40
+ </parent_object>
41
+ <filename>HP v125w (Volume Label Entry)</filename>
42
+ <partition>1</partition>
43
+ <id>1</id>
44
+ <name_type>r</name_type>
45
+ <filesize>0</filesize>
46
+ <alloc>1</alloc>
47
+ <used>1</used>
48
+ <inode>3</inode>
49
+ <meta_type>1</meta_type>
50
+ <mode>511</mode>
51
+ <nlink>1</nlink>
52
+ <uid>0</uid>
53
+ <gid>0</gid>
54
+ <mtime prec="2">2009-10-22T12:55:52</mtime>
55
+ <libmagic>empty </libmagic>
56
+ </fileobject>
57
+ <fileobject>
58
+ <parent_object>
59
+ <inode>2</inode>
60
+ </parent_object>
61
+ <filename>janephillips</filename>
62
+ <partition>1</partition>
63
+ <id>2</id>
64
+ <name_type>d</name_type>
65
+ <filesize>4096</filesize>
66
+ <alloc>1</alloc>
67
+ <used>1</used>
68
+ <inode>5</inode>
69
+ <meta_type>2</meta_type>
70
+ <mode>511</mode>
71
+ <nlink>1</nlink>
72
+ <uid>0</uid>
73
+ <gid>0</gid>
74
+ <mtime prec="2">2010-03-31T01:21:42</mtime>
75
+ <atime prec="86400">2010-03-30T04:00:00</atime>
76
+ <crtime prec="2">2010-03-31T01:21:40</crtime>
77
+ <libmagic>data </libmagic>
78
+ <byte_runs>
79
+ <byte_run file_offset='0' fs_offset='7831552' img_offset='7831552' len='4096'/>
80
+ </byte_runs>
81
+ <hashdigest type='md5'>ecec71518c56a41340f069f12166e2ab</hashdigest>
82
+ <hashdigest type='sha1'>ec9130749ff5f4c1ec104c041773d96706942165</hashdigest>
83
+ </fileobject>
84
+ <fileobject>
85
+ <parent_object>
86
+ <inode>5</inode>
87
+ </parent_object>
88
+ <filename>janephillips/.</filename>
89
+ <partition>1</partition>
90
+ <id>3</id>
91
+ <name_type>d</name_type>
92
+ <filesize>4096</filesize>
93
+ <alloc>1</alloc>
94
+ <used>1</used>
95
+ <inode>5</inode>
96
+ <meta_type>2</meta_type>
97
+ <mode>511</mode>
98
+ <nlink>1</nlink>
99
+ <uid>0</uid>
100
+ <gid>0</gid>
101
+ <mtime prec="2">2010-03-31T01:21:42</mtime>
102
+ <atime prec="86400">2010-03-30T04:00:00</atime>
103
+ <crtime prec="2">2010-03-31T01:21:40</crtime>
104
+ <libmagic>data </libmagic>
105
+ <byte_runs>
106
+ <byte_run file_offset='0' fs_offset='7831552' img_offset='7831552' len='4096'/>
107
+ </byte_runs>
108
+ <hashdigest type='md5'>ecec71518c56a41340f069f12166e2ab</hashdigest>
109
+ <hashdigest type='sha1'>ec9130749ff5f4c1ec104c041773d96706942165</hashdigest>
110
+ </fileobject>
111
+ <fileobject>
112
+ <parent_object>
113
+ <inode>5</inode>
114
+ </parent_object>
115
+ <filename>janephillips/..</filename>
116
+ <partition>1</partition>
117
+ <id>4</id>
118
+ <name_type>d</name_type>
119
+ <filesize>4096</filesize>
120
+ <alloc>1</alloc>
121
+ <used>1</used>
122
+ <inode>2</inode>
123
+ <meta_type>2</meta_type>
124
+ <mode>0</mode>
125
+ <nlink>1</nlink>
126
+ <uid>0</uid>
127
+ <gid>0</gid>
128
+ <libmagic>data </libmagic>
129
+ <byte_runs>
130
+ <byte_run file_offset='0' fs_offset='7827456' img_offset='7827456' len='4096'/>
131
+ </byte_runs>
132
+ <hashdigest type='md5'>ae28e6cc4fde66b67b72bd8dcf21ba8e</hashdigest>
133
+ <hashdigest type='sha1'>7003336d0f5d0bbea228294eafb8eee4327321f4</hashdigest>
134
+ </fileobject>
135
+ <fileobject>
136
+ <parent_object>
137
+ <inode>5</inode>
138
+ </parent_object>
139
+ <filename>janephillips/text</filename>
140
+ <partition>1</partition>
141
+ <id>5</id>
142
+ <name_type>d</name_type>
143
+ <filesize>4096</filesize>
144
+ <alloc>1</alloc>
145
+ <used>1</used>
146
+ <inode>133</inode>
147
+ <meta_type>2</meta_type>
148
+ <mode>511</mode>
149
+ <nlink>1</nlink>
150
+ <uid>0</uid>
151
+ <gid>0</gid>
152
+ <mtime prec="2">2010-03-31T01:21:42</mtime>
153
+ <atime prec="86400">2010-03-30T04:00:00</atime>
154
+ <crtime prec="2">2010-03-31T01:21:40</crtime>
155
+ <libmagic>data </libmagic>
156
+ <byte_runs>
157
+ <byte_run file_offset='0' fs_offset='7835648' img_offset='7835648' len='4096'/>
158
+ </byte_runs>
159
+ <hashdigest type='md5'>d51db64da0b34bf3d83dc53bd2c21f73</hashdigest>
160
+ <hashdigest type='sha1'>df04cd316a689cefe8e3b354dc4fd9849dcb5426</hashdigest>
161
+ </fileobject>
162
+ <fileobject>
163
+ <parent_object>
164
+ <inode>133</inode>
165
+ </parent_object>
166
+ <filename>janephillips/text/.</filename>
167
+ <partition>1</partition>
168
+ <id>6</id>
169
+ <name_type>d</name_type>
170
+ <filesize>4096</filesize>
171
+ <alloc>1</alloc>
172
+ <used>1</used>
173
+ <inode>133</inode>
174
+ <meta_type>2</meta_type>
175
+ <mode>511</mode>
176
+ <nlink>1</nlink>
177
+ <uid>0</uid>
178
+ <gid>0</gid>
179
+ <mtime prec="2">2010-03-31T01:21:42</mtime>
180
+ <atime prec="86400">2010-03-30T04:00:00</atime>
181
+ <crtime prec="2">2010-03-31T01:21:40</crtime>
182
+ <libmagic>data </libmagic>
183
+ <byte_runs>
184
+ <byte_run file_offset='0' fs_offset='7835648' img_offset='7835648' len='4096'/>
185
+ </byte_runs>
186
+ <hashdigest type='md5'>d51db64da0b34bf3d83dc53bd2c21f73</hashdigest>
187
+ <hashdigest type='sha1'>df04cd316a689cefe8e3b354dc4fd9849dcb5426</hashdigest>
188
+ </fileobject>
189
+ <fileobject>
190
+ <parent_object>
191
+ <inode>133</inode>
192
+ </parent_object>
193
+ <filename>janephillips/text/..</filename>
194
+ <partition>1</partition>
195
+ <id>7</id>
196
+ <name_type>d</name_type>
197
+ <filesize>4096</filesize>
198
+ <alloc>1</alloc>
199
+ <used>1</used>
200
+ <inode>5</inode>
201
+ <meta_type>2</meta_type>
202
+ <mode>511</mode>
203
+ <nlink>1</nlink>
204
+ <uid>0</uid>
205
+ <gid>0</gid>
206
+ <mtime prec="2">2010-03-31T01:21:42</mtime>
207
+ <atime prec="86400">2010-03-30T04:00:00</atime>
208
+ <crtime prec="2">2010-03-31T01:21:40</crtime>
209
+ <libmagic>data </libmagic>
210
+ <byte_runs>
211
+ <byte_run file_offset='0' fs_offset='7831552' img_offset='7831552' len='4096'/>
212
+ </byte_runs>
213
+ <hashdigest type='md5'>ecec71518c56a41340f069f12166e2ab</hashdigest>
214
+ <hashdigest type='sha1'>ec9130749ff5f4c1ec104c041773d96706942165</hashdigest>
215
+ </fileobject>
216
+ <fileobject>
217
+ <parent_object>
218
+ <inode>133</inode>
219
+ </parent_object>
220
+ <filename>janephillips/text/Allison Kennedy.txt</filename>
221
+ <partition>1</partition>
222
+ <id>8</id>
223
+ <name_type>r</name_type>
224
+ <filesize>194163</filesize>
225
+ <alloc>1</alloc>
226
+ <used>1</used>
227
+ <inode>263</inode>
228
+ <meta_type>1</meta_type>
229
+ <mode>511</mode>
230
+ <nlink>1</nlink>
231
+ <uid>0</uid>
232
+ <gid>0</gid>
233
+ <mtime prec="2">2010-03-31T01:02:06</mtime>
234
+ <atime prec="86400">2010-03-30T04:00:00</atime>
235
+ <crtime prec="2">2010-03-31T01:21:40</crtime>
236
+ <libmagic>HTML document, Non-ISO extended-ASCII text, with very long lines, with CRLF, NEL line terminators </libmagic>
237
+ <byte_runs>
238
+ <byte_run file_offset='0' fs_offset='7839744' img_offset='7839744' len='194163'/>
239
+ </byte_runs>
240
+ <hashdigest type='md5'>09281847eca043af4ececcaa1f586c94</hashdigest>
241
+ <hashdigest type='sha1'>5b9b5108655a63b446bd97b09db102637a719930</hashdigest>
242
+ <!-- plugin_process -->
243
+ <virusScannerSignatureDate>2013-07-11T10:13:45</virusScannerSignatureDate>
244
+ <pronomSignatureName>HTML pre-2.0</pronomSignatureName>
245
+ <pronomFormatAlias>HTML</pronomFormatAlias>
246
+ <pronomTotalMatches>1</pronomTotalMatches>
247
+ <pronomMatchType>signature</pronomMatchType>
248
+ <pronomSoftware>fido 1.0.0</pronomSoftware>
249
+ <pronomFormatName>Hypertext Markup Language</pronomFormatName>
250
+ <pronomPuid>fmt/96</pronomPuid>
251
+ <virusScannerSignatureVersion>17490</virusScannerSignatureVersion>
252
+ <pronomFormatMimeType>text/html</pronomFormatMimeType>
253
+ <virusScannerVersion>ClamAV 0.97.8</virusScannerVersion>
254
+ <virusFound>false</virusFound>
255
+ </fileobject>
256
+ <fileobject>
257
+ <parent_object>
258
+ <inode>5</inode>
259
+ </parent_object>
260
+ <filename>janephillips/eudora7</filename>
261
+ <partition>1</partition>
262
+ <id>9</id>
263
+ <name_type>d</name_type>
264
+ <filesize>4096</filesize>
265
+ <alloc>1</alloc>
266
+ <used>1</used>
267
+ <inode>134</inode>
268
+ <meta_type>2</meta_type>
269
+ <mode>511</mode>
270
+ <nlink>1</nlink>
271
+ <uid>0</uid>
272
+ <gid>0</gid>
273
+ <mtime prec="2">2010-03-31T01:21:42</mtime>
274
+ <atime prec="86400">2010-03-30T04:00:00</atime>
275
+ <crtime prec="2">2010-03-31T01:21:41</crtime>
276
+ <libmagic>data </libmagic>
277
+ <byte_runs>
278
+ <byte_run file_offset='0' fs_offset='8036352' img_offset='8036352' len='4096'/>
279
+ </byte_runs>
280
+ <hashdigest type='md5'>50b28ede533b56bb3230662e52a5c413</hashdigest>
281
+ <hashdigest type='sha1'>2ab56f7b3ff95b5678b0aeac6092525d65a933bf</hashdigest>
282
+ </fileobject>
283
+ <fileobject>
284
+ <parent_object>
285
+ <inode>134</inode>
286
+ </parent_object>
287
+ <filename>janephillips/eudora7/.</filename>
288
+ <partition>1</partition>
289
+ <id>10</id>
290
+ <name_type>d</name_type>
291
+ <filesize>4096</filesize>
292
+ <alloc>1</alloc>
293
+ <used>1</used>
294
+ <inode>134</inode>
295
+ <meta_type>2</meta_type>
296
+ <mode>511</mode>
297
+ <nlink>1</nlink>
298
+ <uid>0</uid>
299
+ <gid>0</gid>
300
+ <mtime prec="2">2010-03-31T01:21:42</mtime>
301
+ <atime prec="86400">2010-03-30T04:00:00</atime>
302
+ <crtime prec="2">2010-03-31T01:21:41</crtime>
303
+ <libmagic>data </libmagic>
304
+ <byte_runs>
305
+ <byte_run file_offset='0' fs_offset='8036352' img_offset='8036352' len='4096'/>
306
+ </byte_runs>
307
+ <hashdigest type='md5'>50b28ede533b56bb3230662e52a5c413</hashdigest>
308
+ <hashdigest type='sha1'>2ab56f7b3ff95b5678b0aeac6092525d65a933bf</hashdigest>
309
+ </fileobject>
310
+ <fileobject>
311
+ <parent_object>
312
+ <inode>134</inode>
313
+ </parent_object>
314
+ <filename>janephillips/eudora7/..</filename>
315
+ <partition>1</partition>
316
+ <id>11</id>
317
+ <name_type>d</name_type>
318
+ <filesize>4096</filesize>
319
+ <alloc>1</alloc>
320
+ <used>1</used>
321
+ <inode>5</inode>
322
+ <meta_type>2</meta_type>
323
+ <mode>511</mode>
324
+ <nlink>1</nlink>
325
+ <uid>0</uid>
326
+ <gid>0</gid>
327
+ <mtime prec="2">2010-03-31T01:21:42</mtime>
328
+ <atime prec="86400">2010-03-30T04:00:00</atime>
329
+ <crtime prec="2">2010-03-31T01:21:40</crtime>
330
+ <libmagic>data </libmagic>
331
+ <byte_runs>
332
+ <byte_run file_offset='0' fs_offset='7831552' img_offset='7831552' len='4096'/>
333
+ </byte_runs>
334
+ <hashdigest type='md5'>ecec71518c56a41340f069f12166e2ab</hashdigest>
335
+ <hashdigest type='sha1'>ec9130749ff5f4c1ec104c041773d96706942165</hashdigest>
336
+ </fileobject>
337
+ <fileobject>
338
+ <parent_object>
339
+ <inode>134</inode>
340
+ </parent_object>
341
+ <filename>janephillips/eudora7/Jane Phillips.mbx</filename>
342
+ <partition>1</partition>
343
+ <id>12</id>
344
+ <name_type>r</name_type>
345
+ <filesize>278371</filesize>
346
+ <alloc>1</alloc>
347
+ <used>1</used>
348
+ <inode>6535</inode>
349
+ <meta_type>1</meta_type>
350
+ <mode>511</mode>
351
+ <nlink>1</nlink>
352
+ <uid>0</uid>
353
+ <gid>0</gid>
354
+ <mtime prec="2">2008-11-05T19:56:32</mtime>
355
+ <atime prec="86400">2010-03-30T04:00:00</atime>
356
+ <crtime prec="2">2010-03-31T01:21:41</crtime>
357
+ <libmagic>HTML document, Non-ISO extended-ASCII text, with very long lines, with CRLF, NEL line terminators </libmagic>
358
+ <byte_runs>
359
+ <byte_run file_offset='0' fs_offset='8040448' img_offset='8040448' len='278371'/>
360
+ </byte_runs>
361
+ <hashdigest type='md5'>f0cb92f709c47f09e543615257531d08</hashdigest>
362
+ <hashdigest type='sha1'>8afe5717febcb06138e70ca0a764904142db3025</hashdigest>
363
+ <!-- plugin_process -->
364
+ <virusScannerSignatureDate>2013-07-11T10:13:45</virusScannerSignatureDate>
365
+ <pronomTotalMatches>0</pronomTotalMatches>
366
+ <pronomMatchType>fail</pronomMatchType>
367
+ <pronomSoftware>fido 1.0.0</pronomSoftware>
368
+ <virusScannerSignatureVersion>17490</virusScannerSignatureVersion>
369
+ <virusScannerVersion>ClamAV 0.97.8</virusScannerVersion>
370
+ <virusFound>false</virusFound>
371
+ </fileobject>
372
+ <fileobject>
373
+ <parent_object>
374
+ <inode>134</inode>
375
+ </parent_object>
376
+ <filename>janephillips/eudora7/Jane Phillips.toc</filename>
377
+ <partition>1</partition>
378
+ <id>13</id>
379
+ <name_type>r</name_type>
380
+ <filesize>15800</filesize>
381
+ <alloc>1</alloc>
382
+ <used>1</used>
383
+ <inode>6538</inode>
384
+ <meta_type>1</meta_type>
385
+ <mode>511</mode>
386
+ <nlink>1</nlink>
387
+ <uid>0</uid>
388
+ <gid>0</gid>
389
+ <mtime prec="2">2010-03-30T23:36:14</mtime>
390
+ <atime prec="86400">2010-03-30T04:00:00</atime>
391
+ <crtime prec="2">2010-03-31T01:21:41</crtime>
392
+ <libmagic>data </libmagic>
393
+ <byte_runs>
394
+ <byte_run file_offset='0' fs_offset='8318976' img_offset='8318976' len='15800'/>
395
+ </byte_runs>
396
+ <hashdigest type='md5'>44892b0903732b3a9450108bd6a922dc</hashdigest>
397
+ <hashdigest type='sha1'>0ed9d2a4a47af381b82ce7c7c280ab7b356712fa</hashdigest>
398
+ <!-- plugin_process -->
399
+ <virusScannerSignatureDate>2013-07-11T10:13:45</virusScannerSignatureDate>
400
+ <pronomTotalMatches>0</pronomTotalMatches>
401
+ <pronomMatchType>fail</pronomMatchType>
402
+ <pronomSoftware>fido 1.0.0</pronomSoftware>
403
+ <virusScannerSignatureVersion>17490</virusScannerSignatureVersion>
404
+ <virusScannerVersion>ClamAV 0.97.8</virusScannerVersion>
405
+ <virusFound>false</virusFound>
406
+ </fileobject>
407
+ <fileobject>
408
+ <parent_object>
409
+ <inode>5</inode>
410
+ </parent_object>
411
+ <filename>janephillips/janephillips.rtf</filename>
412
+ <partition>1</partition>
413
+ <id>14</id>
414
+ <name_type>r</name_type>
415
+ <filesize>0</filesize>
416
+ <unalloc>1</unalloc>
417
+ <used>1</used>
418
+ <inode>137</inode>
419
+ <meta_type>1</meta_type>
420
+ <mode>511</mode>
421
+ <nlink>0</nlink>
422
+ <uid>0</uid>
423
+ <gid>0</gid>
424
+ <mtime prec="2">2010-03-31T01:24:44</mtime>
425
+ <atime prec="86400">2010-03-30T04:00:00</atime>
426
+ <crtime prec="2">2010-03-31T01:24:43</crtime>
427
+ <libmagic>empty </libmagic>
428
+ </fileobject>
429
+ <fileobject>
430
+ <parent_object>
431
+ <inode>5</inode>
432
+ </parent_object>
433
+ <filename>janephillips/janephillips.rtf</filename>
434
+ <partition>1</partition>
435
+ <id>15</id>
436
+ <name_type>r</name_type>
437
+ <filesize>322</filesize>
438
+ <alloc>1</alloc>
439
+ <used>1</used>
440
+ <inode>140</inode>
441
+ <meta_type>1</meta_type>
442
+ <mode>511</mode>
443
+ <nlink>1</nlink>
444
+ <uid>0</uid>
445
+ <gid>0</gid>
446
+ <mtime prec="2">2010-03-31T01:24:44</mtime>
447
+ <atime prec="86400">2010-03-30T04:00:00</atime>
448
+ <crtime prec="2">2010-03-31T01:24:43</crtime>
449
+ <libmagic>Rich Text Format data, version 1, ANSI </libmagic>
450
+ <byte_runs>
451
+ <byte_run file_offset='0' fs_offset='8335360' img_offset='8335360' len='322'/>
452
+ </byte_runs>
453
+ <hashdigest type='md5'>7afc8eca6110dc8af40ae1d8e12fb91b</hashdigest>
454
+ <hashdigest type='sha1'>8b659e428e361f5f0f31c3669bbb4049710b55f8</hashdigest>
455
+ <!-- plugin_process -->
456
+ <virusScannerSignatureDate>2013-07-11T10:13:45</virusScannerSignatureDate>
457
+ <pronomSignatureName>RTF 1.5 - 1.6 (generic)</pronomSignatureName>
458
+ <pronomFormatAlias>RTF (1.6), RTF (2000)</pronomFormatAlias>
459
+ <pronomTotalMatches>2</pronomTotalMatches>
460
+ <pronomFormatVersion>1.6</pronomFormatVersion>
461
+ <pronomMatchType>signature</pronomMatchType>
462
+ <pronomSoftware>fido 1.0.0</pronomSoftware>
463
+ <pronomFormatName>Rich Text Format</pronomFormatName>
464
+ <pronomPuid>fmt/51</pronomPuid>
465
+ <virusScannerSignatureVersion>17490</virusScannerSignatureVersion>
466
+ <pronomFormatMimeType>application/rtf</pronomFormatMimeType>
467
+ <virusScannerVersion>ClamAV 0.97.8</virusScannerVersion>
468
+ <virusFound>false</virusFound>
469
+ </fileobject>
470
+ <fileobject>
471
+ <parent_object>
472
+ <inode>2</inode>
473
+ </parent_object>
474
+ <filename>$MBR</filename>
475
+ <partition>1</partition>
476
+ <id>16</id>
477
+ <name_type>v</name_type>
478
+ <filesize>512</filesize>
479
+ <alloc>1</alloc>
480
+ <used>1</used>
481
+ <inode>124972179</inode>
482
+ <meta_type>10</meta_type>
483
+ <mode>0</mode>
484
+ <nlink>1</nlink>
485
+ <uid>0</uid>
486
+ <gid>0</gid>
487
+ <libmagic>x86 boot sector, code offset 0x58, OEM-ID &quot;MSDOS5.0&quot;, sectors/cluster 8, Media descriptor 0xf8, heads 255, hidden sectors 63, sectors 7826049 (volumes &gt; 32 MB) , FAT (32 bit), sectors/FAT 7628, serial number 0x6cf84d4c, unlabeled </libmagic>
488
+ <byte_runs>
489
+ <byte_run file_offset='0' fs_offset='0' img_offset='0' len='512'/>
490
+ </byte_runs>
491
+ <hashdigest type='md5'>b7358e9e2f23bdb86eb55940b8ae1150</hashdigest>
492
+ <hashdigest type='sha1'>9330ee4551746769d9309750e82a869b0a3ff245</hashdigest>
493
+ </fileobject>
494
+ <fileobject>
495
+ <parent_object>
496
+ <inode>2</inode>
497
+ </parent_object>
498
+ <filename>$FAT1</filename>
499
+ <partition>1</partition>
500
+ <id>17</id>
501
+ <name_type>v</name_type>
502
+ <filesize>3905536</filesize>
503
+ <alloc>1</alloc>
504
+ <used>1</used>
505
+ <inode>124972180</inode>
506
+ <meta_type>10</meta_type>
507
+ <mode>0</mode>
508
+ <nlink>1</nlink>
509
+ <uid>0</uid>
510
+ <gid>0</gid>
511
+ <libmagic>data </libmagic>
512
+ <byte_runs>
513
+ <byte_run file_offset='0' fs_offset='16384' img_offset='16384' len='3905536'/>
514
+ </byte_runs>
515
+ <hashdigest type='md5'>e758c65bb431fc903a6bc97a52058aec</hashdigest>
516
+ <hashdigest type='sha1'>6495a4aaf9e087446e3199835706c7cde693e499</hashdigest>
517
+ </fileobject>
518
+ <fileobject>
519
+ <parent_object>
520
+ <inode>2</inode>
521
+ </parent_object>
522
+ <filename>$FAT2</filename>
523
+ <partition>1</partition>
524
+ <id>18</id>
525
+ <name_type>v</name_type>
526
+ <filesize>3905536</filesize>
527
+ <alloc>1</alloc>
528
+ <used>1</used>
529
+ <inode>124972181</inode>
530
+ <meta_type>10</meta_type>
531
+ <mode>0</mode>
532
+ <nlink>1</nlink>
533
+ <uid>0</uid>
534
+ <gid>0</gid>
535
+ <libmagic>data </libmagic>
536
+ <byte_runs>
537
+ <byte_run file_offset='0' fs_offset='3921920' img_offset='3921920' len='3905536'/>
538
+ </byte_runs>
539
+ <hashdigest type='md5'>e758c65bb431fc903a6bc97a52058aec</hashdigest>
540
+ <hashdigest type='sha1'>6495a4aaf9e087446e3199835706c7cde693e499</hashdigest>
541
+ </fileobject>
542
+ <fileobject>
543
+ <parent_object>
544
+ <inode>2</inode>
545
+ </parent_object>
546
+ <filename>$OrphanFiles</filename>
547
+ <partition>1</partition>
548
+ <id>19</id>
549
+ <name_type>d</name_type>
550
+ <filesize>0</filesize>
551
+ <alloc>1</alloc>
552
+ <used>1</used>
553
+ <inode>124972182</inode>
554
+ <meta_type>2</meta_type>
555
+ <mode>0</mode>
556
+ <nlink>1</nlink>
557
+ <uid>0</uid>
558
+ <gid>0</gid>
559
+ <libmagic>empty </libmagic>
560
+ </fileobject>
561
+ </volume>
562
+ <!-- end of volume -->
563
+ <!-- clock: 137 -->
564
+ </dfxml>
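--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,16 @@
+ source "http://rubygems.org"
+ # Add dependencies required to use your gem here.
+ # Example:
+ # gem "activesupport", ">= 2.3.5"
+
+ gem "nokogiri"
+ gem "sax-machine", :git => 'git://github.com/pauldix/sax-machine'
+
+ # Add dependencies to develop your gem here.
+ # Include everything needed to run rake, tests, features, etc.
+ group :development do
+ gem "shoulda", ">= 0"
+ gem "rdoc"
+ gem "bundler"
+ gem "jeweler"
+ end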
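Review bot: Both dependency sources in this Gemfile use transports with no integrity protection: `source "http://rubygems.org"` on line 1 fetches gems over plain HTTP, and the `sax-machine` entry on line 7 pulls from a `git://` URL, which is unauthenticated and unencrypted. Code arriving over either channel runs during `bundle install` or at require time, so tampering on the network path becomes code execution on the developer or build machine. Switch to `source "https://rubygems.org"` and `gem "sax-machine", :git => 'https://github.com/pauldix/sax-machine'`. The revision recorded in Gemfile.lock pins the commit only for installs that use the lockfile; the generated gemspec on this page declares `sax-machine` as `>= 0` with no source, so consumers of the published gem presumably resolve it from the gem index instead.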
@@ -0,0 +1,53 @@
1
+ GIT
2
+ remote: git://github.com/pauldix/sax-machine
3
+ revision: 4027000775ae17eb7ecb8b1a4660044d7041559c
4
+ specs:
5
+ sax-machine (0.2.0.rc1)
6
+ nokogiri (>= 1.5.6)
7
+
8
+ GEM
9
+ remote: http://rubygems.org/
10
+ specs:
11
+ activesupport (4.0.0)
12
+ i18n (~> 0.6, >= 0.6.4)
13
+ minitest (~> 4.2)
14
+ multi_json (~> 1.3)
15
+ thread_safe (~> 0.1)
16
+ tzinfo (~> 0.3.37)
17
+ atomic (1.1.10)
18
+ git (1.2.5)
19
+ i18n (0.6.4)
20
+ jeweler (1.8.4)
21
+ bundler (~> 1.0)
22
+ git (>= 1.2.5)
23
+ rake
24
+ rdoc
25
+ json (1.8.0)
26
+ mini_portile (0.5.1)
27
+ minitest (4.7.5)
28
+ multi_json (1.7.7)
29
+ nokogiri (1.6.0)
30
+ mini_portile (~> 0.5.0)
31
+ rake (10.1.0)
32
+ rdoc (4.0.1)
33
+ json (~> 1.4)
34
+ shoulda (3.5.0)
35
+ shoulda-context (~> 1.0, >= 1.0.1)
36
+ shoulda-matchers (>= 1.4.1, < 3.0)
37
+ shoulda-context (1.1.4)
38
+ shoulda-matchers (2.2.0)
39
+ activesupport (>= 3.0.0)
40
+ thread_safe (0.1.2)
41
+ atomic
42
+ tzinfo (0.3.37)
43
+
44
+ PLATFORMS
45
+ ruby
46
+
47
+ DEPENDENCIES
48
+ bundler
49
+ jeweler
50
+ nokogiri
51
+ rdoc
52
+ sax-machine!
53
+ shoulda
@@ -0,0 +1,20 @@
1
+ Copyright (c) 2012-2013 Mark A. Matienzo
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining
4
+ a copy of this software and associated documentation files (the
5
+ "Software"), to deal in the Software without restriction, including
6
+ without limitation the rights to use, copy, modify, merge, publish,
7
+ distribute, sublicense, and/or sell copies of the Software, and to
8
+ permit persons to whom the Software is furnished to do so, subject to
9
+ the following conditions:
10
+
11
+ The above copyright notice and this permission notice shall be
12
+ included in all copies or substantial portions of the Software.
13
+
14
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,21 @@
1
+ = dfxml
2
+
3
+ A Ruby module for parsing and writing Digital Forensics XML metadata.
4
+
5
+ Until this line is removed from the README it should be considered as under extremely active development and hence unstable.
6
+
7
+ == Contributing to dfxml
8
+
9
+ * Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet.
10
+ * Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it.
11
+ * Fork the project.
12
+ * Start a feature/bugfix branch.
13
+ * Commit and push until you are happy with your contribution.
14
+ * Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
15
+ * Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
16
+
17
+ == Copyright
18
+
19
+ Copyright (c) 2012-2013 Mark A. Matienzo. See LICENSE.txt for
20
+ further details.
21
+
@@ -0,0 +1,45 @@
1
+ # encoding: utf-8
2
+
3
+ require 'rubygems'
4
+ require 'bundler'
5
+ begin
6
+ Bundler.setup(:default, :development)
7
+ rescue Bundler::BundlerError => e
8
+ $stderr.puts e.message
9
+ $stderr.puts "Run `bundle install` to install missing gems"
10
+ exit e.status_code
11
+ end
12
+ require 'rake'
13
+
14
+ require 'jeweler'
15
+ Jeweler::Tasks.new do |gem|
16
+ # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
17
+ gem.name = "dfxml"
18
+ gem.homepage = "http://github.com/anarchivist/dfxml"
19
+ gem.license = "MIT"
20
+ gem.summary = %Q{Parse and write Digital Forensics XML (DFXML) data}
21
+ gem.description = %Q{dfxml allows you to parse Digital Forensics XML data as created by tools such as fiwalk.}
22
+ gem.email = "mark@matienzo.org"
23
+ gem.authors = ["Mark A. Matienzo"]
24
+ # dependencies defined in Gemfile
25
+ end
26
+ Jeweler::RubygemsDotOrgTasks.new
27
+
28
+ require 'rake/testtask'
29
+ Rake::TestTask.new(:test) do |test|
30
+ test.libs << 'lib' << 'test'
31
+ test.pattern = 'test/**/test_*.rb'
32
+ test.verbose = true
33
+ end
34
+
35
+ task :default => :test
36
+
37
+ require 'rdoc/task'
38
+ Rake::RDocTask.new do |rdoc|
39
+ version = File.exist?('VERSION') ? File.read('VERSION') : ""
40
+
41
+ rdoc.rdoc_dir = 'rdoc'
42
+ rdoc.title = "dfxml #{version}"
43
+ rdoc.rdoc_files.include('README*')
44
+ rdoc.rdoc_files.include('lib/**/*.rb')
45
+ end
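Review bot: The `Jeweler::Tasks` block sets no `gem.files`, so the package contents are presumably left to Jeweler's default, and the generated gemspec on this page lists the fiwalk report `20100408-36301.0001.dd.xml` at the gem root alongside the library. That report carries per-file paths that look like personal names, timestamps, MD5/SHA-1 digests and the acquisition command line of a disk image; unless the image is a public test corpus, this ships case metadata to every installer. I would move the fixture under `test/` and state the packaged set explicitly, for example `gem.files = Dir['lib/**/*.rb', 'LICENSE.txt', 'README.rdoc', 'VERSION']`. A one-line comment above that assignment saying why fixtures are excluded would keep the list from drifting back.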
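--- a/data/VERSION
+++ b/data/VERSION
@@ -0,0 +1 @@
+ 0.2.1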
@@ -0,0 +1,67 @@
1
+ # Generated by jeweler
2
+ # DO NOT EDIT THIS FILE DIRECTLY
3
+ # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
4
+ # -*- encoding: utf-8 -*-
5
+
6
+ Gem::Specification.new do |s|
7
+ s.name = "dfxml"
8
+ s.version = "0.2.1"
9
+
10
+ s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
11
+ s.authors = ["Mark A. Matienzo"]
12
+ s.date = "2013-07-31"
13
+ s.description = "dfxml allows you to parse Digital Forensics XML data as created by tools such as fiwalk."
14
+ s.email = "mark@matienzo.org"
15
+ s.extra_rdoc_files = [
16
+ "LICENSE.txt",
17
+ "README.rdoc"
18
+ ]
19
+ s.files = [
20
+ "20100408-36301.0001.dd.xml",
21
+ "Gemfile",
22
+ "Gemfile.lock",
23
+ "LICENSE.txt",
24
+ "README.rdoc",
25
+ "Rakefile",
26
+ "VERSION",
27
+ "dfxml.gemspec",
28
+ "examples/totals.rb",
29
+ "lib/dfxml.rb",
30
+ "lib/dfxml/parser.rb",
31
+ "test/helper.rb",
32
+ "test/test_dfxml.rb"
33
+ ]
34
+ s.homepage = "http://github.com/anarchivist/dfxml"
35
+ s.licenses = ["MIT"]
36
+ s.require_paths = ["lib"]
37
+ s.rubygems_version = "1.8.23"
38
+ s.summary = "Parse and write Digital Forensics XML (DFXML) data"
39
+
40
+ if s.respond_to? :specification_version then
41
+ s.specification_version = 3
42
+
43
+ if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
44
+ s.add_runtime_dependency(%q<nokogiri>, [">= 0"])
45
+ s.add_runtime_dependency(%q<sax-machine>, [">= 0"])
46
+ s.add_development_dependency(%q<shoulda>, [">= 0"])
47
+ s.add_development_dependency(%q<rdoc>, [">= 0"])
48
+ s.add_development_dependency(%q<bundler>, [">= 0"])
49
+ s.add_development_dependency(%q<jeweler>, [">= 0"])
50
+ else
51
+ s.add_dependency(%q<nokogiri>, [">= 0"])
52
+ s.add_dependency(%q<sax-machine>, [">= 0"])
53
+ s.add_dependency(%q<shoulda>, [">= 0"])
54
+ s.add_dependency(%q<rdoc>, [">= 0"])
55
+ s.add_dependency(%q<bundler>, [">= 0"])
56
+ s.add_dependency(%q<jeweler>, [">= 0"])
57
+ end
58
+ else
59
+ s.add_dependency(%q<nokogiri>, [">= 0"])
60
+ s.add_dependency(%q<sax-machine>, [">= 0"])
61
+ s.add_dependency(%q<shoulda>, [">= 0"])
62
+ s.add_dependency(%q<rdoc>, [">= 0"])
63
+ s.add_dependency(%q<bundler>, [">= 0"])
64
+ s.add_dependency(%q<jeweler>, [">= 0"])
65
+ end
66
+ end
67
+
@@ -0,0 +1,20 @@
1
+ require 'nokogiri'
2
+ require 'dfxml'
3
+
4
+ # Based on http://stackoverflow.com/questions/9199859#9223767
5
+
6
+ file = ARGV[0]
7
+ reader = Nokogiri::XML::Reader(file)
8
+ extent = 0
9
+ count = 0
10
+ while reader.read
11
+ if reader.node_type == Nokogiri::XML::Reader::TYPE_ELEMENT and reader.name == 'fileobject'
12
+ f = Dfxml::SAXReader::FileObject.parse(reader.outer_xml)
13
+ if f.type == :file
14
+ puts "#{f.filename}: #{f.filesize} bytes"
15
+ extent += f.filesize.to_i
16
+ count += 1
17
+ end
18
+ end
19
+ end
20
+ puts "#{count} files; #{extent} bytes total"
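Review bot: `Nokogiri::XML::Reader(file)` on line 7 is handed the path string from `ARGV[0]`, and the Reader treats a String argument as the XML text itself rather than a file to open, so the loop would never reach a `fileobject` element; pass an IO instead, `reader = Nokogiri::XML::Reader(File.open(file))`. The class it then calls is `Dfxml::SAXReader::FileObject`, while the parser file in this commit defines `Dfxml::Parser::FileObject` and lib/dfxml.rb as shown does not require it, so the example likely also needs `require 'dfxml/parser'` and the `Dfxml::Parser` name. Because `filename` values come from the analysed image and not from the examiner, I would print them as `f.filename.inspect` so control characters in a recovered name are shown escaped rather than interpreted by the terminal.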
@@ -0,0 +1,61 @@
1
+ require 'rubygems'
2
+ require 'nokogiri'
3
+
4
+ module Dfxml
5
+
6
+ NumericFileTypes = {
7
+ # numeric values are in tsk3/fs/tsk_fs.h - TSK_FS_NAME_TYPE_ENUM
8
+ # returned within fiwalk's fileobjects as meta_type
9
+ 0 => :unknown,
10
+ 1 => :file,
11
+ 2 => :directory,
12
+ 3 => :named_pipe,
13
+ 4 => :character_device,
14
+ 5 => :block_device,
15
+ 6 => :symlink,
16
+ 7 => :shadow,
17
+ 8 => :socket,
18
+ 9 => :whiteout,
19
+ 10 => :tsk_virtual_file,
20
+ }
21
+
22
+ CharacterFileTypes = {
23
+ # character values are what are returned from tsk's cli utils
24
+ # returned within fiwalk's fileobjects as name_type
25
+ '-' => :unknown,
26
+ 'r' => :file,
27
+ 'd' => :directory,
28
+ 'c' => :character_device,
29
+ 'b' => :block_device,
30
+ 'l' => :symlink,
31
+ 'p' => :named_pipe,
32
+ 's' => :shadow,
33
+ 'h' => :socket,
34
+ 'w' => :whiteout,
35
+ 'v' => :tsk_virtual_file
36
+ }
37
+
38
+ NumericFileSystemTypes = {
39
+ # numeric values are in tsk3/fs/tsk_fs.h - TSK_FS_TYPE_ENUM
40
+ # symbol names based on fs_type_table in tsk3/fs/fs_types.c
41
+ 0 => :unknown,
42
+ 1 => :ntfs, # autodetected
43
+ 2 => :fat12,
44
+ 4 => :fat16,
45
+ 8 => :fat32,
46
+ 14 => :fat, # autodetected
47
+ 16 => :ufs1,
48
+ # 32 => :ufs1b, # not expressed in fs_type_table; legacy value
49
+ 64 => :ufs2,
50
+ 112 => :ufs, # autodetected
51
+ 128 => :ext2,
52
+ 256 => :ext3,
53
+ # 384 => :ext, # autodetected - not expressed in fs_type_table
54
+ 512 => :swap,
55
+ 1024 => :raw,
56
+ 2048 => :iso9660,
57
+ 4096 => :hfs, # actually HFS+; using :hfs based on TSK convention
58
+ # 4294967295 => :unsupported
59
+ }
60
+
61
+ end
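Review bot: The header comment on `NumericFileTypes` cites `TSK_FS_NAME_TYPE_ENUM`, yet the next comment line says the table decodes `meta_type`, and its values agree with the `meta_type`/`name_type` pairs in the sample report on this page (1 with `r`, 2 with `d`, 10 with `v`). In The Sleuth Kit that numbering belongs to `TSK_FS_META_TYPE_ENUM`; the name-type enum orders its members differently, as far as I recall, so the comment should read `# numeric values are in tsk3/fs/tsk_fs.h - TSK_FS_META_TYPE_ENUM`. For the same reason the `'s'` and `'h'` entries in `CharacterFileTypes` deserve a check against TSK's name-type letters before they are used to decode `name_type`. Codes absent from these tables (32 and 384 are commented out) come back as `nil` from a plain Hash lookup, so callers should use `fetch(code, :unknown)` rather than treat `nil` as a type.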
@@ -0,0 +1,239 @@
1
+ require 'sax-machine'
2
+ require 'time'
3
+
4
+ def isone?(val)
5
+ # Return true if something is one (number or string).
6
+ # Based on Python isone function packaged in fiwalk's dfxml.py
7
+ # Unlike Python, we probably don't need to catch a TypeError exception.
8
+ true ? val.to_i == 1 : false
9
+ end
10
+
11
+ module Dfxml
12
+
13
+ module Parser
14
+
15
+ class ByteRun
16
+ include SAXMachine
17
+ attribute :file_offset, :class => Integer
18
+ attribute :fs_offset, :class => Integer
19
+ attribute :img_offset, :class => Integer
20
+ attribute :len, :as => :length, :class => Integer
21
+ end
22
+
23
+ class ByteRunGroup
24
+ include SAXMachine
25
+ elements :byte_run, :as => :runs, :class => ByteRun
26
+ end
27
+
28
+ class ParentObject
29
+ include SAXMachine
30
+ element :inode, :class => Integer
31
+ end
32
+
33
+ class FileObject
34
+ include SAXMachine
35
+ element :alloc # TSK_FS_META.flags
36
+ element :atime # file content access time
37
+ element :atime, :value => :prec, :as => :atime_prec
38
+ element :compressed # TSK_FS_META.flags
39
+ element :bkup_time # HFS+ only
40
+ element :crtime # created time
41
+ element :crtime, :value => :prec, :as => :crtime_prec
42
+ element :ctime # file/metadata status change time
43
+ element :ctime, :value => :prec, :as => :ctime_prec
44
+ element :dtime # deletion time (ext only)
45
+ element :dtime, :value => :prec, :as => :dtime_prec
46
+ element :encrypted
47
+ element :filename
48
+ element :filesize, :class => Integer
49
+ element :fragments, :class => Integer
50
+ element :gid, :class => Integer
51
+ element :id_, :class => Integer
52
+ element :inode, :class => Integer
53
+ element :libmagic
54
+ element :link_target
55
+ element :meta_type, :class => Integer
56
+ element :mode
57
+ element :mtime # content modification time
58
+ element :mtime, :value => :prec, :as => :mtime_prec
59
+ element :name_type
60
+ element :nlink, :class => Integer # number of links to this file
61
+ element :orphan # TSK_FS_META.flags
62
+ element :parent_object, :class => ParentObject
63
+ element :partition
64
+ element :seq, :class => Integer # sequence number (ntfs only)
65
+ element :uid, :class => Integer
66
+ element :unalloc # TSK_FS_META.flags
67
+ element :unused # TSK_FS_META.flags
68
+ element :used # TSK_FS_META.flags
69
+ element :byte_runs, :class => ByteRunGroup
70
+ element :hashdigest, :as => :md5, :with => {:type => "md5"}
71
+ element :hashdigest, :as => :sha1, :with => {:type => "sha1"}
72
+ element :hashdigest, :as => :sha256, :with => {:type => "sha256"}
73
+ # elements from fido extractor plugin
74
+ # element "PUID", :as => :pronom_puid
75
+ # element "PronomFormat", :as => :pronom_format
76
+
77
+ # Begin timestamp methods
78
+ #
79
+ # It would be preferable to have a way to call these matching on
80
+ # element name.
81
+
82
+ def atime=(val)
83
+ @atime = Time.parse(val)
84
+ end
85
+
86
+ def bkup_time=(val)
87
+ @bkup_time = Time.parse(val)
88
+ end
89
+
90
+ def crtime=(val)
91
+ @crtime = Time.parse(val)
92
+ end
93
+
94
+ def dtime=(val)
95
+ @dtime = Time.parse(val)
96
+ end
97
+
98
+ def mtime=(val)
99
+ @mtime = Time.parse(val)
100
+ end
101
+
102
+ # End timestamp methods
103
+
104
+ # Begin boolean methods
105
+ #
106
+ # Convenience methods for flags expressed in the metadata layer of
107
+ # file systems. However, they're not terribly robust and are considered
108
+ # workarounds for the way fiwalk expresses metadata-layer flags in
109
+ # its output. In fiwalk-generated dfxml, when an element should be
110
+ # considered true, the element contains the value "1". However, the
111
+ # expression in output doesn't necessarily fit with what humans expect.
112
+ # For example, the allocated/unallocated flags are expressed in
113
+ # fiwalk's output as follows:
114
+ #
115
+ # - when allocated: <alloc>1</alloc>
116
+ # - when unallocated: <unalloc>1</unalloc>
117
+ #
118
+ # For more clarification, see fiwalk_tsk.cpp's handling for
119
+ # fs_file->meta in process_tsk_file.
120
+
121
+ def allocated?
122
+ isone?(@alloc) && !isone?(@unalloc)
123
+ end
124
+
125
+ def compressed?
126
+ isone?(@compressed)
127
+ end
128
+
129
+ def encrypted?
130
+ # encrypted is not a flag, but we'll treat it like one.
131
+ isone?(@encrypted)
132
+ end
133
+
134
+ def orphan?
135
+ isone?(@orphan)
136
+ end
137
+
138
+ def used?
139
+ isone?(@used) && !isone?(@unused)
140
+ end
141
+
142
+ # End boolean methods
143
+
144
+ def type
145
+ Dfxml::CharacterFileTypes[@name_type] ||= Dfxml::NumericFileTypes[@meta_type.to_i]
146
+ end
147
+
148
+ end
149
+
150
+ class Volume
151
+ include SAXMachine
152
+ attribute :offset
153
+ element :partition_offset, :class => Integer
154
+ element :sector_size, :class => Integer
155
+ element :block_size, :class => Integer
156
+ element :ftype, :class => Integer
157
+ element :ftype_str
158
+ element :block_count, :class => Integer
159
+ element :first_block, :class => Integer
160
+ element :last_block, :class => Integer
161
+ element :allocated_only
162
+ elements :fileobject, :as => :fileobjects, :class => FileObject
163
+
164
+ def ftype=(val)
165
+ @ftype ||= Dfxml::NumericFileSystemTypes[val.to_i]
166
+ end
167
+
168
+ def ftype_str=(val)
169
+ @ftype ||= val.to_sym
170
+ end
171
+
172
+ end
173
+
174
+ class ExecutionEnvironment
175
+ include SAXMachine
176
+ element :os_sysname
177
+ element :os_release
178
+ element :os_version
179
+ element :host
180
+ element :arch
181
+ element :command_line
182
+ element :start_time
183
+ end
184
+
185
+ class BuildLibrary
186
+ include SAXMachine
187
+ attribute :name
188
+ attribute :version
189
+ end
190
+
191
+ class BuildEnvironment
192
+ include SAXMachine
193
+ element :compiler
194
+ elements :library, :as => :libraries, :class => BuildLibrary
195
+ end
196
+
197
+ class Creator
198
+ include SAXMachine
199
+ element :program
200
+ element :version
201
+ element :build_environment, :class => BuildEnvironment
202
+ element :execution_environment, :class => ExecutionEnvironment
203
+ end
204
+
205
+ class Source
206
+ include SAXMachine
207
+ element :image_filename
208
+ end
209
+
210
+ class Metadata
211
+ include SAXMachine
212
+ element "dc:type", :as => :type
213
+ end
214
+
215
+ class RuntimeStatistics
216
+ include SAXMachine
217
+ element :user_seconds
218
+ element :system_seconds
219
+ element :maxrss
220
+ element :reclaims
221
+ element :faults
222
+ element :swaps
223
+ element :inputs
224
+ element :outputs
225
+ element :stop_time
226
+ end
227
+
228
+ class DFXML
229
+ include SAXMachine
230
+ attribute :version
231
+ element :metadata, :class => Metadata
232
+ element :creator, :class => Creator
233
+ element :source, :class => Source
234
+ elements :volume, :as => :volumes, :class => Volume
235
+ element :runstats, :class => RuntimeStatistics
236
+ end
237
+ end
238
+
239
+ end
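Review bot: `FileObject#type` writes into the shared lookup table, because `Dfxml::CharacterFileTypes[@name_type] ||= ...` is an element assignment. When `@name_type` is absent or not a key of the table, the value derived from `meta_type` is stored in `CharacterFileTypes` under that key and is then returned for every later file object with the same `name_type`, whatever its own `meta_type` says. For a parser of forensic metadata that means file types can be misreported after the first such entry, with no error raised. A plain fallback avoids the write: `Dfxml::CharacterFileTypes[@name_type] || Dfxml::NumericFileTypes[@meta_type.to_i]`. Separately, `ctime` is the only timestamp element without a `Time.parse` setter, so it stays a string while `atime`, `bkup_time`, `crtime`, `dtime` and `mtime` become `Time` objects.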
@@ -0,0 +1,18 @@
1
+ require 'rubygems'
2
+ require 'bundler'
3
+ begin
4
+ Bundler.setup(:default, :development)
5
+ rescue Bundler::BundlerError => e
6
+ $stderr.puts e.message
7
+ $stderr.puts "Run `bundle install` to install missing gems"
8
+ exit e.status_code
9
+ end
10
+ require 'test/unit'
11
+ require 'shoulda'
12
+
13
+ $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
14
+ $LOAD_PATH.unshift(File.dirname(__FILE__))
15
+ require 'dfxml'
16
+
17
+ class Test::Unit::TestCase
18
+ end
@@ -0,0 +1,7 @@
1
+ require 'helper'
2
+
3
+ class TestDfxml < Test::Unit::TestCase
4
+ should "probably rename this file and start testing for real" do
5
+ flunk "hey buddy, you should probably rename this file and start testing for real"
6
+ end
7
+ end
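Review bot: The suite's only case is the generator placeholder that calls `flunk`, so every test run fails and none of the type tables or parser classes shipped in this release is exercised. Replacing the placeholder with even one real assertion gives the mappings a regression check, for example `should "map name_type r to a regular file" do` with the body `assert_equal :file, Dfxml::CharacterFileTypes['r']`. A second case that parses one `<fileobject>` from the bundled sample XML and checks `type` would cover the fallback from `name_type` to `meta_type`.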
metadata ADDED
@@ -0,0 +1,160 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: dfxml
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.2.1
5
+ prerelease:
6
+ platform: ruby
7
+ authors:
8
+ - Mark A. Matienzo
9
+ autorequire:
10
+ bindir: bin
11
+ cert_chain: []
12
+ date: 2013-07-31 00:00:00.000000000 Z
13
+ dependencies:
14
+ - !ruby/object:Gem::Dependency
15
+ name: nokogiri
16
+ requirement: !ruby/object:Gem::Requirement
17
+ none: false
18
+ requirements:
19
+ - - ! '>='
20
+ - !ruby/object:Gem::Version
21
+ version: '0'
22
+ type: :runtime
23
+ prerelease: false
24
+ version_requirements: !ruby/object:Gem::Requirement
25
+ none: false
26
+ requirements:
27
+ - - ! '>='
28
+ - !ruby/object:Gem::Version
29
+ version: '0'
30
+ - !ruby/object:Gem::Dependency
31
+ name: sax-machine
32
+ requirement: !ruby/object:Gem::Requirement
33
+ none: false
34
+ requirements:
35
+ - - ! '>='
36
+ - !ruby/object:Gem::Version
37
+ version: '0'
38
+ type: :runtime
39
+ prerelease: false
40
+ version_requirements: !ruby/object:Gem::Requirement
41
+ none: false
42
+ requirements:
43
+ - - ! '>='
44
+ - !ruby/object:Gem::Version
45
+ version: '0'
46
+ - !ruby/object:Gem::Dependency
47
+ name: shoulda
48
+ requirement: !ruby/object:Gem::Requirement
49
+ none: false
50
+ requirements:
51
+ - - ! '>='
52
+ - !ruby/object:Gem::Version
53
+ version: '0'
54
+ type: :development
55
+ prerelease: false
56
+ version_requirements: !ruby/object:Gem::Requirement
57
+ none: false
58
+ requirements:
59
+ - - ! '>='
60
+ - !ruby/object:Gem::Version
61
+ version: '0'
62
+ - !ruby/object:Gem::Dependency
63
+ name: rdoc
64
+ requirement: !ruby/object:Gem::Requirement
65
+ none: false
66
+ requirements:
67
+ - - ! '>='
68
+ - !ruby/object:Gem::Version
69
+ version: '0'
70
+ type: :development
71
+ prerelease: false
72
+ version_requirements: !ruby/object:Gem::Requirement
73
+ none: false
74
+ requirements:
75
+ - - ! '>='
76
+ - !ruby/object:Gem::Version
77
+ version: '0'
78
+ - !ruby/object:Gem::Dependency
79
+ name: bundler
80
+ requirement: !ruby/object:Gem::Requirement
81
+ none: false
82
+ requirements:
83
+ - - ! '>='
84
+ - !ruby/object:Gem::Version
85
+ version: '0'
86
+ type: :development
87
+ prerelease: false
88
+ version_requirements: !ruby/object:Gem::Requirement
89
+ none: false
90
+ requirements:
91
+ - - ! '>='
92
+ - !ruby/object:Gem::Version
93
+ version: '0'
94
+ - !ruby/object:Gem::Dependency
95
+ name: jeweler
96
+ requirement: !ruby/object:Gem::Requirement
97
+ none: false
98
+ requirements:
99
+ - - ! '>='
100
+ - !ruby/object:Gem::Version
101
+ version: '0'
102
+ type: :development
103
+ prerelease: false
104
+ version_requirements: !ruby/object:Gem::Requirement
105
+ none: false
106
+ requirements:
107
+ - - ! '>='
108
+ - !ruby/object:Gem::Version
109
+ version: '0'
110
+ description: dfxml allows you to parse Digital Forensics XML data as created by tools
111
+ such as fiwalk.
112
+ email: mark@matienzo.org
113
+ executables: []
114
+ extensions: []
115
+ extra_rdoc_files:
116
+ - LICENSE.txt
117
+ - README.rdoc
118
+ files:
119
+ - 20100408-36301.0001.dd.xml
120
+ - Gemfile
121
+ - Gemfile.lock
122
+ - LICENSE.txt
123
+ - README.rdoc
124
+ - Rakefile
125
+ - VERSION
126
+ - dfxml.gemspec
127
+ - examples/totals.rb
128
+ - lib/dfxml.rb
129
+ - lib/dfxml/parser.rb
130
+ - test/helper.rb
131
+ - test/test_dfxml.rb
132
+ homepage: http://github.com/anarchivist/dfxml
133
+ licenses:
134
+ - MIT
135
+ post_install_message:
136
+ rdoc_options: []
137
+ require_paths:
138
+ - lib
139
+ required_ruby_version: !ruby/object:Gem::Requirement
140
+ none: false
141
+ requirements:
142
+ - - ! '>='
143
+ - !ruby/object:Gem::Version
144
+ version: '0'
145
+ segments:
146
+ - 0
147
+ hash: -2615441025238209260
148
+ required_rubygems_version: !ruby/object:Gem::Requirement
149
+ none: false
150
+ requirements:
151
+ - - ! '>='
152
+ - !ruby/object:Gem::Version
153
+ version: '0'
154
+ requirements: []
155
+ rubyforge_project:
156
+ rubygems_version: 1.8.23
157
+ signing_key:
158
+ specification_version: 3
159
+ summary: Parse and write Digital Forensics XML (DFXML) data
160
+ test_files: []