Fiwalk DGI scripts
These are Domex Gateway Interface ("DGI") scripts for fiwalk, a command-line tool that uses The Sleuth Kit to extract metadata from a forensic disk image. DGI is a plug-in mechanism for fiwalk that allows an external program to return metadata or other structured information to fiwalk as key/value pairs. fiwalk outputs in a variety of formats including Digital Forensics XML (DFXML) and ARFF.
DGI key-value format
fiwalk (as of version 0.6) expects the following format:
    Key-one: Value
    keyTwo: Second value
    YetAnotherKey: And another value still
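A minimal plug-in that emits this format, added here as an example and not one of the scripts in this repository. It assumes fiwalk passes the path of the extracted file as the last command-line argument; the `Example-*` key names and the conservative key pattern are hypothetical.

```python
#!/usr/bin/env python
"""Minimal DGI plug-in sketch: prints 'Key: value' lines for one file."""
import hashlib
import re
import sys

# Assumption: keys are plain tokens shaped like the ones shown above.
KEY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def dgi_line(key, value):
    """Return one 'Key: value' line, or raise if the key is not a plain token."""
    if not KEY_RE.match(key):
        raise ValueError("unsafe DGI key: %r" % key)
    # Values may be derived from untrusted file content: collapse CR/LF and
    # other control characters so a value can never start a second line.
    clean = re.sub(r"[\x00-\x1f\x7f]+", " ", str(value)).strip()
    return "%s: %s" % (key, clean)


def describe(path, sniff=16):
    """Collect (key, value) pairs for the file at path (hypothetical keys)."""
    sha256 = hashlib.sha256()
    size = 0
    head = b""
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            if not head:
                head = chunk[:sniff]
            sha256.update(chunk)
            size += len(chunk)
    return [
        ("Example-size", size),
        ("Example-sha256", sha256.hexdigest()),
        ("Example-leading-bytes", head.hex()),
    ]


def main(argv):
    if len(argv) < 2:
        sys.stderr.write("usage: example_dgi.py FILE\n")
        return 2
    for key, value in describe(argv[-1]):
        print(dgi_line(key, value))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```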
Calling DGI scripts
DGI scripts for fiwalk are called from a
ficonfig uses the following format:
    # globpattern channel args
    * dgi python pronom_ident.py
More information can be found in the fiwalk documentation and the paper linked above. However, note that each glob is only matched once.
- pronom_ident.py: Uses FIDO for format identification against PRONOM
- virusscan.py: Uses ClamAV's clamd and pyclamd for virus/malware scanning
- accession.py: calls pronom_ident.py and virusscan.py
- get-mediainfo.rb: Uses MediaInfo for AV technical metadata extraction
- virusscan.rb: Uses ClamAV and libclamav gem for virus/malware scanning (slow; proof of concept)
The dependencies for the Python scripts can be installed with the following commands:
$ cd python ; pip install -r requirements.txt
- Mark A. Matienzo (mark at matienzo dot org)
- Contributors/authors of included code listed in source or licenses where applicable.
Feel free to contact me if for some reason this will not work for your use.