
Comparing Fiwalk Reports

Testimonial: Eddy Colloton
Type: Software Workflow

I have found the Digital Forensics XML (DFXML) output of Fiwalk, short for “file and inode walk,” to be a detailed yet easy-to-produce form of documentation for disk images, especially of volumes containing many files, such as computer hard drives. The reports record the offset of every file and an MD5 checksum, all stored in a standardized XML structure. Fiwalk is part of the SleuthKit suite of tools, available here: http://www.sleuthkit.org/sleuthkit/

SleuthKit can be complicated to install in a macOS or Linux environment: it requires compiling the application and potentially troubleshooting missing dependencies or other installation errors. One way around this process is to use BitCurator, which comes with SleuthKit preinstalled.

If two disk images are made from the same or very similar volumes, their Fiwalk reports can be compared using Python scripts available on the DFXML GitHub page. This script requires Python 3.1 or above. I recommend installing Python 3 following the Homebrew instructions here: https://www.saintlad.com/install-python-3-on-mac/

  • To create a DFXML output of a Fiwalk report from a disk image, run the following command (note that the output path comes before the input path):
    • fiwalk -X [/path_to_output.xml] [/path_to_disk_image]
  • Download the DFXML GitHub repo here: https://github.com/simsong/dfxml
  • Navigate to the DFXML directory via the command line:
    • cd [~/path/to/DFXML/]
  • To compare two different DFXML Fiwalk reports, run the following Python script:
    • python3 idifference.py [fiwalk_report1.xml] [fiwalk_report2.xml] > differences.txt
  • The output in the text file will be structured into the following categories:
    • New Files
    • Deleted Files
    • Files with modified content
    • Files with changed file properties
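As an added example (not code from this page or from the DFXML project), the script below reimplements in miniature the comparison idifference.py performs: it parses two Fiwalk DFXML reports, skips unallocated entries, and sorts files into the four categories listed above. The sample reports, file paths and digests are constructed placeholders, not real Fiwalk output.

```python
# Added example (not DFXML project code): a miniature of what idifference.py does
# with two Fiwalk DFXML reports. Sample reports and digests are constructed placeholders.
import xml.etree.ElementTree as ET

def _local(tag):  # strip a namespace prefix: '{uri}fileobject' -> 'fileobject'
    return tag.rsplit("}", 1)[-1]

def load_fileobjects(dfxml_text):
    """Map each allocated file path to (md5, tracked metadata properties)."""
    files, root = {}, ET.fromstring(dfxml_text)
    for el in (e for e in root.iter() if _local(e.tag) == "fileobject"):
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("alloc", "1") != "1":  # unallocated entry: skip it
            continue
        md5 = next((c.text for c in el if _local(c.tag) == "hashdigest"
                    and c.get("type") == "md5"), None)
        props = {k: fields.get(k) for k in ("filesize", "mtime", "ctime", "mode")}
        files[fields["filename"]] = (md5, props)
    return files

def compare_reports(dfxml_a, dfxml_b):  # -> the four categories the page lists
    a, b = load_fileobjects(dfxml_a), load_fileobjects(dfxml_b)
    out = {"new_files": sorted(set(b) - set(a)),
           "deleted_files": sorted(set(a) - set(b)),
           "modified_content": [], "changed_properties": []}
    for name in sorted(set(a) & set(b)):
        (md5_a, props_a), (md5_b, props_b) = a[name], b[name]
        if md5_a != md5_b:  # hash mismatch: the content was rewritten
            out["modified_content"].append(name)
        elif props_a != props_b:  # same bytes; size, timestamps or mode differ
            out["changed_properties"].append(name)
    return out

NS = "http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML"

def _fo(name, md5, size, mtime, alloc="1"):  # one constructed <fileobject>
    return (f"<fileobject><filename>{name}</filename><alloc>{alloc}</alloc>"
            f"<filesize>{size}</filesize><mtime>{mtime}</mtime>"
            f"<hashdigest type='md5'>{md5}</hashdigest></fileobject>")

def _report(*fos):  # wrap entries in a minimal namespaced DFXML document
    return f"<dfxml xmlns='{NS}'><volume offset='32256'>{''.join(fos)}</volume></dfxml>"

T0, T1 = "2013-01-01T00:00:00Z", "2014-06-01T12:00:00Z"
REPORT_A = _report(_fo("Documents/notes.txt", "aaaa1111", 1024, T0),
                   _fo("Photos/img1.jpg", "bbbb2222", 2048, T0),
                   _fo("old/draft.doc", "cccc3333", 512, T0))
REPORT_B = _report(_fo("Documents/notes.txt", "dddd4444", 1100, T1),  # rewritten
                   _fo("Photos/img1.jpg", "bbbb2222", 2048, T1),      # touched only
                   _fo("Photos/img2.jpg", "eeee5555", 4096, T1),      # new file
                   _fo("old/draft.doc", "cccc3333", 512, T0, "0"))    # deleted
```

Calling `compare_reports(REPORT_A, REPORT_B)` returns one list per category, the same grouping idifference.py writes to differences.txt.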
Resource Category: Software Workflows