
Application Footprint XML


The Application Footprint XML provides a means for distributing information about an application's distribution format, its installation footprint, and the residual information left on a hard drive after it has been installed.

<?xml version='1.0' encoding='ISO-8859-1'?>
<metadata xmlns='' 
<dc:creator>Your Organization Here</dc:creator>
<dc:title>iTunes 9.0.2</dc:title>
<dc:description>Application Print of Apple MacOS iTunes 9.0.2</dc:description>
<dc:type>Application Print</dc:type>

  <!-- In this section goes information consistent with the distribution files -->

  <!-- In this section goes information consistent with the installed files -->

  <fileobject>     <!-- this is a standard fiwalk fileobject -->


  <!-- In this section goes information consistent with information left after an uninstall -->

  <!-- Descriptions of the document files that the application makes -->

  <!-- Information that is sent over the network that is characteristic for the application -->

  <!-- Characteristic information in memory -->


For each of the blocks above, we would like to indicate:

  • Files (hashes & fuzzy hashes)
  • Registry entries
  • Magic Numbers (perhaps there is an 8-byte code left in memory or in an executable that's descriptive)
  • Tool artifacts
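
One way to fill the "installed files" and "left after an uninstall" blocks with file hashes, as an added example that is not part of the original wiki page: three snapshots of a disk (before install, after install, after uninstall) are diffed and each changed file is written as a fiwalk-style `<fileobject>`. The element names `footprint`, `installed` and `residual`, the function names and the sample paths are assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

def fileobject(path, data):
    """Build a fiwalk-style <fileobject> with name, size and digests."""
    fo = ET.Element("fileobject")
    ET.SubElement(fo, "filename").text = path
    ET.SubElement(fo, "filesize").text = str(len(data))
    for algo in ("sha1", "sha256"):
        hd = ET.SubElement(fo, "hashdigest", type=algo)
        hd.text = hashlib.new(algo, data).hexdigest()
    return fo

def changed(before, after):
    """Files in `after` that are new or differ in content from `before`."""
    return {p: d for p, d in after.items() if before.get(p) != d}

def footprint(baseline, installed, uninstalled):
    """Diff three snapshots (path -> bytes) into footprint sections.

    'footprint', 'installed' and 'residual' are hypothetical element names;
    the page describes these blocks only in comments.
    """
    root = ET.Element("footprint")
    sections = {
        "installed": changed(baseline, installed),    # added by the installer
        "residual": changed(baseline, uninstalled),   # survives the uninstall
    }
    for name, files in sections.items():
        sec = ET.SubElement(root, name)
        for path in sorted(files):
            sec.append(fileobject(path, files[path]))
    return root

# Constructed sample snapshots standing in for three scans of one disk.
BASELINE = {"/etc/hosts": b"127.0.0.1 localhost\n"}
INSTALLED = dict(BASELINE, **{
    "/Applications/Demo.app/Contents/MacOS/Demo": b"\xcf\xfa\xed\xfe demo",
    "/Library/Preferences/com.example.demo.plist": b"<plist/>",
})
UNINSTALLED = dict(BASELINE, **{
    "/Library/Preferences/com.example.demo.plist": b"<plist/>",
})

if __name__ == "__main__":
    root = footprint(BASELINE, INSTALLED, UNINSTALLED)
    ET.indent(root)  # pretty-print; requires Python 3.9+
    print(ET.tostring(root, encoding="unicode"))
```

In practice the snapshots would come from fiwalk runs over disk images rather than in-memory dictionaries; only the diff and serialisation steps are shown here.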