fileobject is a Digital Forensics XML tag which is used to describe information about a file.

The file object can contain information about:

  • The file's name
  • The file's hash code(s)
  • The file's location on the disk.
  • Embedded metadata
  • Block hashes, a Bloom Filter, or a Similarity Digest for the file.

Other objects can be embedded in a fileobject object:

  • The byte_runs object specifies where the file is located on the disk.
  • A sector_hash object is a list of sector hash codes.
  • The sector_hash object could contain an nsrl_bloom object, which would be a Bloom filter that contains all of the sector hashes.

XML Sample

        <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
| XML Tag | Meaning |
| --- | --- |
| | Every file is inside a |
| YES | YES means that the file is an "orphan," with no file name. |
| 3210 | The file size in bytes. |
| 1 | A "1" means that the file was not allocated in the file system. This may mean that the file was deleted. |
| 1 | Not sure what this means. |
| 1114172320 | The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970 UTC). |
| 1195819392 | The file's inode's creation time, as a Unix timestamp. |
| 1195794000 | The file's access time, as a Unix timestamp. |
| 121130496:3210 | The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes. |
| 1 | The number of fragments in the file. |
| c27c0730b858bc60c8894300a98bba55 | The file's MD5, as a hexadecimal hash. |
| 0277680d624e609f23aec9e4265c2d7d24bd3824 | The file's SHA1, as a hexadecimal hash. |
| 1 | The partition number in which the file was found. |
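
The run and hashdigest elements from the XML sample can be used together to check that the bytes in a disk image still match the recorded digests. The following is an added example, not code from the original page or from any DFXML tool: it reassembles a file from its byte runs and compares the result with each hashdigest. It assumes a fileobject without an XML namespace, that img_offset is the byte offset from the start of the image, and a constructed two-fragment sample produced by the hypothetical helper build_sample.

```python
import hashlib
import xml.etree.ElementTree as ET


def read_runs(fileobject, image):
    """Reassemble file content from <run> elements, ordered by file_offset."""
    data = bytearray()
    for run in sorted(fileobject.iter("run"), key=lambda r: int(r.get("file_offset"))):
        if int(run.get("file_offset")) != len(data):
            raise ValueError("gap or overlap in byte runs")
        length = int(run.get("len"))
        image.seek(int(run.get("img_offset")))  # assumed: offset from image start
        chunk = image.read(length)
        if len(chunk) != length:
            raise ValueError("run extends past end of image")
        data += chunk
    return bytes(data)


def verify_fileobject(xml_text, image):
    """Return {digest type: True/False} for each <hashdigest> in the fileobject."""
    fo = ET.fromstring(xml_text)
    content = read_runs(fo, image)
    return {
        hd.get("type").lower():
            hashlib.new(hd.get("type").lower(), content).hexdigest() == hd.text.strip().lower()
        for hd in fo.iter("hashdigest")
    }


def build_sample():
    """Constructed data: a 32-byte file stored as two fragments in a 1 KiB image."""
    content = b"constructed sample file content!"
    image = bytearray(1024)
    image[512:532] = content[:20]   # first fragment sits later in the image
    image[100:112] = content[20:]   # second fragment sits earlier
    xml_text = (
        "<fileobject><byte_runs>"
        "<run file_offset='0' img_offset='512' len='20'/>"
        "<run file_offset='20' img_offset='100' len='12'/>"
        "</byte_runs>"
        f"<hashdigest type='md5'>{hashlib.md5(content).hexdigest()}</hashdigest>"
        f"<hashdigest type='sha1'>{hashlib.sha1(content).hexdigest()}</hashdigest>"
        "</fileobject>"
    )
    return xml_text, bytes(image)
```

Pass the image as any seekable binary stream, for example `io.BytesIO(image)` or a file opened with `open(path, "rb")`.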