Plugins for fiwalk to run processes against files contained within disk images
Python Ruby
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

Fiwalk DGI scripts

These are Domex Gateway Interface ("DGI") scripts for fiwalk, a command-line tool that uses The Sleuth Kit to extract metadata from a forensic disk image. DGI is a plug-in mechanism for fiwalk that allows an external program to return metadata or other structured information to fiwalk as key/value pairs. fiwalk outputs in a variety of formats including Digital Forensics XML (DFXML) and ARFF.

More information on fiwalk and DFXML can be found in the link above and in Garfinkel 2012 (doi:10.1016/j.diin.2011.11.002; preprint available).

DGI key-value format

fiwalk (as of version 0.6) expects the following format:

Key-one: Value
keyTwo: Second value
YetAnotherKey: And another value still

Calling DGI scripts

DGI scripts for fiwalk are called from a ficonfig-formatted configuration file. ficonfig uses the following format

# globpattern    channel    args
*                dgi        python

More information can be found in the fiwalk documentation and the paper linked above. However, note that each glob is only matched once.

Included Scripts

  • Python
    • Uses FIDO for format identification against PRONOM
    • Uses ClamAV's clamd and pyclamd for virus/malware scanning
    • calls and
  • Ruby
    • get-mediainfo.rb: Uses MediaInfo for AV technical metadata extraction
    • virusscan.rb: Uses ClamAV and libclamav gem for virus/malware scanning (slow; proof of concept)

The dependencies for the Python scripts can be installed with the following commands:

$ cd python ; pip install -r requirements.txt


  • Mark A. Matienzo (mark at matienzo dot org)
  • Contributors/authors of included code listed in source or licenses where applicable.


Apache 2.0

Feel free to contact me if for some reason this will not work for your use.