
DFXML Example: source tag

From Forensics Wiki

The <source> tag is used to introduce the source of forensic data. Currently we are using these for disk images, as the example below illustrates:

<source type='Disk Image'>
  <device_model>SEAGATE ST32550W SUN2.1G 0418</device_model>
  <acquisition_commandline>aimage scsi1 /project2/b28.aff</acquisition_commandline>
  <device_capabilities>pass2: &gt;SEAGATE ST32550W SUN2.1G 0418&lt; Fixed Direct Access SCSI-2 device 
pass2: Serial Number 01806486
pass2: 20.000MB/s transfers (10.000MHz, offset 15, 16bit), Tagged Queueing Enabled
  </device_capabilities>
  <sectorsize coding='base10'>512</sectorsize>
  <devicesectors coding='base10'>4194995</devicesectors>
</source>

After the source tag you may find some fileobject tags. They may be grouped within a volume tag:

  <volume offset='32256'>
      <byte_run offset='0' img_offset='114688' len='32768'/>
      <byte_run offset='0' img_offset='1523712' len='32768'/>
      <byte_run offset='0' img_offset='6356992' len='39659'/>
  </volume>


Coding is assumed to be in base10, except for hash codes, which are assumed to be base16.
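
The following is an added example, not code from the wiki or from any DFXML tool: it reads the source geometry using the coding rule above and checks that every byte_run lies inside the acquired device. The dfxml wrapper element, the function names, and the reading of the volume offset as a byte offset into the image are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's two fragments, closed and wrapped in a
# hypothetical <dfxml> root so they parse as one document.
SAMPLE = """<dfxml>
<source type='Disk Image'>
  <sectorsize coding='base10'>512</sectorsize>
  <devicesectors coding='base10'>4194995</devicesectors>
</source>
<volume offset='32256'>
  <byte_run offset='0' img_offset='114688' len='32768'/>
  <byte_run offset='0' img_offset='1523712' len='32768'/>
  <byte_run offset='0' img_offset='6356992' len='39659'/>
</volume>
</dfxml>"""

BASES = {"base10": 10, "base16": 16}

def parse_report(xml_text):
    # The report is untrusted input; a DTD could define expanding entities.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not allowed in DFXML input")
    return ET.fromstring(xml_text)

def decode_int(elem):
    """Decode element text per its coding attribute (base10 when absent)."""
    coding = elem.get("coding", "base10")
    if coding not in BASES:
        raise ValueError(f"unsupported coding {coding!r} on <{elem.tag}>")
    return int(elem.text.strip(), BASES[coding])

def device_bytes(root):
    """Size of the acquired device: sectorsize times devicesectors."""
    src = root.find("source")
    return decode_int(src.find("sectorsize")) * decode_int(src.find("devicesectors"))

def out_of_bounds_runs(root):
    """Return (img_offset, len) of runs outside their volume or the device."""
    size, bad = device_bytes(root), []
    for vol in root.iter("volume"):
        vol_start = int(vol.get("offset"))  # assumed: byte offset into the image
        for run in vol.iter("byte_run"):    # matches at any depth under <volume>
            start, length = int(run.get("img_offset")), int(run.get("len"))
            if start < vol_start or length < 0 or start + length > size:
                bad.append((start, length))
    return bad

if __name__ == "__main__":
    root = parse_report(SAMPLE)
    print(device_bytes(root), out_of_bounds_runs(root))
```

A run that extends past the device size or starts before its volume means the report and the image do not match, which is worth resolving before any carved data is relied on.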