Skip to content

Fileobject

fileobject is a Digital Forensics XML tag which is used to describe information about a file.

The file object can contain information about:

  • The file's name
  • The file's hash code(s)
  • The file's location on the disk.
  • Embedded metadata
  • Block hashes, a Bloom Filter, or a Similarity Digest for the file.

Other objects can be embedded in a fileobject object:

  • The byte_runs object specifies where the file is located on the disk.
  • A sector_hash object is a list of sector hash codes.
  • The sector_hash object could contain a nsrl_bloom object, which would be a bloom filter that contains all of the sector hashes.

XML Sample

    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
        <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
XML Tag Meaning
Every file is inside a
YES YES means that the file is an ""orphan,"" with no file name.
3210 The file size in bytes.
1 A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
1 Not sure what this means.
1114172320 The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970 UTC).
1195819392 The file's inode's creation time, as a Unix timestamp.
1195794000 The file's access time, as a unix timestamp.
121130496:3210 The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
1 The number of fragments in the file.
c27c0730b858bc60c8894300a98bba55 The file's MD5, as a hexadecimal hash.
0277680d624e609f23aec9e4265c2d7d24bd3824 The file's SHA1, as a hexadecimal hash.
1 The partition number in which the file was found.