fiwalk - find and extract files of a given type
fiwalk is a program that processes a disk image using the SleuthKit
library and outputs its results in Digital Forensics XML, the Attribute
Relationship File Format (ARFF) format used by the Weka Datamining
Toolkit, or an easy-to-read textual format.
The fiwalk source code comes with fiwalk.py, a Python module that makes
it easy to create digital forensics programs. Also included are several
demonstration programs that use fiwalk.py:
* iblkfind.py - Given a disk block in a disk image, this program
tells you which file(s) map that sector.
* icarvingtruth.py - Given two or more images of the same disk
at different points in time, this program finds files that are present
in the earlier images but can only be recovered from the later
images using file carving techniques.
* idifference.py - Given two or more images of the same disk at
different points in time, this program tells you what changes
took place between each one.
* iextract.py - Allows the extraction of files that match a
* igrep.py - Searches every file in a disk image for a particular
string. When found, it prints the file and the offset within the
file at which the string was found.
* ihistogram.py - Prints a histogram of file types found in the disk image.
* imap.py - Displays a “map” of where files are present in
the disk image.
* imicrosoft_redact.py - Modifies a disk image of a bootable
Microsoft operating system so that the image can no longer be
booted and so that any Microsoft copyrighted file in the \Windows
directory cannot be executed. This allows the disk image of a
Microsoft operating system to be distributed without implicitly
violating Microsoft’s copyright.
* iredact.py - An experimental disk redaction program which
allows the removal of specific files matching specific criteria.
* iverify.py - Given a disk image and a previously created
XML file, verifies that each file in the DFXML file is still
present in the disk image.
* sanitize_xml.py - Given a DFXML file, sanitize file names so
that no personally identifiable information is leaked if the
DFXML file is distributed.
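As an added example (not code from fiwalk or its bundled scripts), the sector-to-file lookup that iblkfind.py performs can be reproduced by reading fiwalk's DFXML output directly: every fileobject carries byte_runs whose byte_run elements give each run's offset into the image and its length, so a sector maps to every file whose runs overlap it. The DFXML fragment below is constructed, and the 512-byte sector size is an assumption.

```python
import xml.etree.ElementTree as ET

SECTOR_SIZE = 512  # assumed sector size (fiwalk's dfxml.py also defaults to 512)

# Constructed stand-in for fiwalk output: fileobject/filename/byte_runs/byte_run
# with img_offset and len follow the DFXML schema; names and offsets are made up.
SAMPLE_DFXML = """<dfxml xmloutputversion="1.0">
  <volume offset="0">
    <fileobject>
      <filename>docs/report.pdf</filename>
      <byte_runs>
        <byte_run offset="0" img_offset="8192" len="1024"/>
        <byte_run offset="1024" img_offset="20480" len="512"/>
      </byte_runs>
    </fileobject>
    <fileobject>
      <filename>notes.txt</filename>
      <byte_runs>
        <byte_run offset="0" img_offset="20480" len="512"/>
      </byte_runs>
    </fileobject>
  </volume>
</dfxml>"""

def _local(tag):
    """Strip an XML namespace; fiwalk's real output declares a default xmlns."""
    return tag.rsplit("}", 1)[-1]

def fileobjects(xml_text):
    """Yield (filename, [(img_offset, len), ...]) for every fileobject."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "fileobject":
            continue
        name = next(c.text for c in el if _local(c.tag) == "filename")
        runs = [(int(r.get("img_offset")), int(r.get("len")))
                for r in el.iter() if _local(r.tag) == "byte_run"
                and r.get("img_offset") is not None]
        yield name, runs

def files_mapping_sector(xml_text, sector, sector_size=SECTOR_SIZE):
    """iblkfind-style query: files whose byte runs cover the given sector.
    Several names means the sector is claimed by more than one entry, e.g. an
    allocated file and a deleted one whose block was reused."""
    start, end = sector * sector_size, (sector + 1) * sector_size
    return [name for name, runs in fileobjects(xml_text)
            if any(off < end and start < off + ln for off, ln in runs)]
```

Run the query against a real fiwalk XML file by passing its text instead of SAMPLE_DFXML; sectors that return more than one name are worth a closer look, since they show where block reuse has overwritten earlier content.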
by Lawrence R. Rogers (2012-11-26):
* Release 0.6.16-2
Rebuilt with the sleuthkit 4.0.1
by Simson Garfinkel (2011-12-02):
* Release 0.6.16-1
* xml.cpp: moved library versions from xml.h to xml.cpp
(xml::add_DFXML_build_environment): now includes exiv2 version in dfxml output
* xml.cpp (printf): added #ifdef GNUC_HAS_DIAGNOSTIC_PRAGMA to allow compiling with older GCC
* python/ireport.py: renamed from istats and changed to work with dfxml
* python/Makefile.am (EXTRA_DIST): Changed istats to ireport.
* python/dfxml.py (fileobjects_iter): replaced iteritems() with items() to allow for migration to Python 3.
Replaced unicode() with "" for migration to Python 3.