Automating Disk Forensic Processing with SleuthKit, XML and Python
Authors
Garfinkel, Simson L.
Subjects
Computer Forensics
XML
Sleuth Kit
Python
Date of Issue
2009
Abstract
We have developed a program called fiwalk which produces detailed XML describing all of the partitions and files on a hard drive or disk image, as well as any extractable metadata from the document files themselves. We show how it is relatively simple to create automated disk forensic applications using a Python module we have written that reads fiwalk's XML files. Finally, we present three applications using this system: a program to generate maps of disk images; an image redaction program; and a data transfer kiosk which uses forensic tools to allow the migration of data from portable storage devices without risk of infection from hostile software that the portable device may contain.
Type
Conference Paper
Description
Systematic Approaches to Digital Forensics Engineering (IEEE/SADFE 2009), Oakland, California.
Refereed Conference Paper
Sponsors
This work was funded in part by the National Institute of Standards and Technology and the Naval Postgraduate School's Research Initiation Program.
Citation
Garfinkel, Simson L., Automating Disk Forensic Processing with SleuthKit, XML and Python, Systematic Approaches to Digital Forensics Engineering (IEEE/SADFE 2009), Oakland, California. (Acceptance rate: 32%, 7/22)
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
