Thursday 12 November 2009

XML in Forensics: fiwalk and AFF

In 2006, Simson Garfinkel attempted to solve the issue of proprietary disk image formats (as used by most forensic analysis tools) and, at the same time, the problem of storing massive retrieved datasets; his solution was AFF, the Advanced File Format.

One tool that he has developed, to work alongside AFF and its base SleuthKit, is fiwalk, which covers the following features:
  • Finds all partitions & automatically processes each.
  • Handles file systems on raw device (partition-less).
  • Creates a single output file with forensic data from all.

Unfortunately, although designed to extract forensic data into an XML format (similar to that of other tools, and indeed VeRa), there are issues with its implementation:
  • The format itself has no single point of documentation, making it difficult for other investigators to extend its functionality. The PDF above has a brief overview, whilst Forensics Wiki has a little more (although with comments such as 'not sure what this means', there is an indication that their documentation may have been by way of reverse-engineering).
  • No mention of the XML format is made in the fiwalk download itself either.
  • The system is designed on top of SleuthKit, a set of Linux-based tools.
Although the final point is a minor one, AllBusiness recently noted that:
"The computer forensic software market has long been a duopolistic market with the two significant players being Guidance Software (GUID) and AccessData."

Displacing either market leader would be a major task; however, producing a product that complements their differing functionalities would be viable. As both EnCase and FTK are Windows-based, it seems logical that Windows should be the target platform for new software in order to maximise acceptance.

1 comment:

  1. Thanks for the comments. We are working to address the issues that you have raised here.