Bodyfile is an output format (as far as known) introduced by the SleuthKit (TSK).
The bodyfile is typically an intermediate file generated by fls or ils and then provided as input to the mactime tool, which turns it into a timeline.
The bodyfile uses a delimiter-separated value format with the pipe character (|) as the delimiter; each line describes one file system entry.
Different versions of the SleuthKit use different versions of the bodyfile format.
The following fields are defined for SleuthKit 3.0 and later, in this order:
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
Known issues and observations about the format:
- the name field can carry a ($FILE_NAME) marker to indicate that the bodyfile entry was derived from an NTFS $FILE_NAME attribute instead of the $STANDARD_INFORMATION and $DATA attributes. Note that the exact behavior is not documented by the SleuthKit project.
- the name field can contain a symbolic link target. Also see: https://github.com/sleuthkit/sleuthkit/issues/2043
- it is unclear which characters should be escaped; by observation, | and \ are both escaped with a backslash (\) in the name field. Whether control characters are escaped is unknown. Also see: https://github.com/sleuthkit/sleuthkit/issues/1989
- the format of the inode field is unclear for file systems like NTFS: the documentation indicates that it uses a TSK Metadata Address, but by observation the implementation is TSK specific and does not seem to match what is documented. Also see: https://github.com/sleuthkit/sleuthkit/issues/1809
- the format of the mode_as_string field is unclear for file systems like NTFS; it can likely be derived from the source code. Also see: https://github.com/sleuthkit/sleuthkit/issues/1810
- the atime, mtime, ctime and crtime fields typically contain the number of seconds since January 1, 1970 (POSIX time). It is unknown whether the specification allows a fractional part. The corresponding mactime tool does accept a fractional part but ignores it. Also see: https://github.com/sleuthkit/sleuthkit/issues/1810
- on HFS+ the / character in a file name will be replaced by :. Also see: https://github.com/sleuthkit/sleuthkit/blob/3d16b8bc293ba13a5674fe9ce6a35f867ccc945d/tsk/fs/hfs_dent.c#L110
- for hard links on HFS+ the Catalog Node Identifier (CNID) of the link target is used as the "inode" value instead of the CNID of the file entry itself
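The field layout and the escaping, ($FILE_NAME) and fractional-timestamp observations above are easy to get wrong with a naive split on "|". The following parser is an added example, not code from the SleuthKit project or from this page. It assumes the 3.x field order given above, that "\|" and "\\" are the only escape sequences (other backslashes are kept literally, since the rules are undocumented), that the ($FILE_NAME) marker is appended at the end of the name, and that fractional seconds are truncated the way mactime ignores them. The sample bodyfile lines are constructed for the example.

```python
"""Parser for SleuthKit 3.x bodyfile lines (added example, not TSK code)."""
from dataclasses import dataclass
from typing import List

# Field order for SleuthKit 3.0 and later.
FIELDS = ("md5", "name", "inode", "mode_as_string", "uid", "gid",
          "size", "atime", "mtime", "ctime", "crtime")
FILE_NAME_MARKER = "($FILE_NAME)"  # assumed to be appended to the name


@dataclass
class BodyfileEntry:
    md5: str
    name: str
    inode: str           # kept as text: layout is file-system specific (issue 1809)
    mode_as_string: str  # kept as text: layout is file-system specific (issue 1810)
    uid: int
    gid: int
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int
    from_file_name_attribute: bool  # True when the name carried ($FILE_NAME)


def split_fields(line: str) -> List[str]:
    """Split a bodyfile line on unescaped '|'.

    By observation '\\|' and '\\\\' are the escapes used in the name field; they
    are decoded to '|' and '\\'. Any other backslash sequence is kept as-is
    because the escaping rules are not documented (issue 1989).
    """
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1])  # decode the escaped character
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_timestamp(value: str) -> int:
    """Seconds since the epoch; a fractional part is accepted but dropped,
    which mirrors mactime's observed behaviour."""
    value = value.strip()
    if not value:
        return 0
    return int(value.split(".", 1)[0])


def parse_line(line: str) -> BodyfileEntry:
    fields = split_fields(line.rstrip("\r\n"))
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(fields)}: {line!r}")
    name = fields[1]
    from_fn = name.endswith(FILE_NAME_MARKER)
    if from_fn:
        name = name[: -len(FILE_NAME_MARKER)].rstrip()
    return BodyfileEntry(
        md5=fields[0], name=name, inode=fields[2], mode_as_string=fields[3],
        uid=int(fields[4] or 0), gid=int(fields[5] or 0), size=int(fields[6] or 0),
        atime=parse_timestamp(fields[7]), mtime=parse_timestamp(fields[8]),
        ctime=parse_timestamp(fields[9]), crtime=parse_timestamp(fields[10]),
        from_file_name_attribute=from_fn,
    )


def parse_bodyfile(text: str) -> List[BodyfileEntry]:
    """Parse a whole bodyfile, skipping blank lines."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


# Constructed sample: an NTFS file, its $FILE_NAME twin, and a name that
# contains an escaped pipe and backslash plus a fractional atime.
SAMPLE = r"""0|/Documents/notes.txt|1234-128-1|r/rrwxrwxrwx|0|0|2048|1600000000|1600000100|1600000200|1599999000
0|/Documents/notes.txt ($FILE_NAME)|1234-48-2|r/rrwxrwxrwx|0|0|2048|1599999000|1599999000|1599999000|1599999000
0|/odd\|name\\dir|99|r/rrwxrwxrwx|0|0|10|1600000000.5|1600000000|1600000000|1600000000
"""

if __name__ == "__main__":
    for e in parse_bodyfile(SAMPLE):
        print(e.name, e.inode, e.atime, "FILE_NAME" if e.from_file_name_attribute else "")
```

Keeping the inode and mode_as_string fields as text rather than decoding them is deliberate: both are file-system specific and, per the issues linked above, not reliably documented, so a parser that tries to interpret them will silently misread NTFS or HFS+ input.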