Skip to content


fiwalk is a batch forensics analysis program written in C that uses Sleuth Kit. The program can output in XML or ARFF formats.

Temporary Distribution Point

fiwalk has been integrated with Sleuth Kit and can be downloaded from Github at

Legacy Distribution

fiwalk is a program that processes a disk image using the Sleuth Kit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format.

The fiwalk source code comes with, a Python module that makes it easy to create digital forensics programs. Also included are several demonstration programs that use Given a disk block in a disk image, this program tells you which file(s) map that sector. Given two or more images of the same disk at different points in time, this program files that are present in the earlier images that can only be recovered from the later images using file carving techniques. Given two or more images of the same disk at different points in time, this program tells you what changes took place between each one. Allows the extraction of files that match a particular pattern. Searches every file in a disk image for a particular string. When found, prints, the file and the offset within the file that the string was found. Prints a histogram of file types found in the disk image. Displays a “map” of where files are present in the disk image. Modifies a disk image of a bootable Microsoft operating system so that the image can no longer be boot and so that any Microsoft copyrighted file in the \Windows directory cannot be executed. This allows the disk image of a Microsoft operating system to be distributed without implicitly violating Microsoft’s copyright. An experimental disk redaction program which allows the removal of specific files matching specific criteria. Given a disk image and a previously created XML file, verifies that each file in the DFXML file is still present in the disk image. Given a DFXML file, sanitize file names so that no personally identifiable information is leaked if the DFXML file is distributed.

XML Example

<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
    <dc:type>Disk Image</dc:type>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
<!-- fs start: 512 -->
  <volume offset='512'>
       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
<!-- end of volume -->
<!-- clock: 0 -->
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>


fiwalk can be downloaded from

See Also