A diskprint is a collection of information captured at various stages of an applications lifecycle. The set of data associated with a particular stage is referred to as a slice. Various tools are used to extract and analyze each data set. Every slice is processed using NSRL tools. These tools are used to extract the filesystem metadata associated with each slice and store that information. The distribution of this stored file metadata can be in different formats .
In addition to the file metadata, the registry hive files are extracted and processed.
The MD5, SHA1 and SHA256 file signatures for the xml downloads are available here.
Digital Forensics XML (DFXML) is a markup language that enables the exchange of forensic information in a structured form. It is used as a distribution format for the file system metadata associated with each diskprint slice. The phyton tool dfxml_tool.py, part of the DFXML library, was used to process the slice VMDK file and output the results in this XML format. The XML output is validated using the dfxml schema.
This is a DFXML sample of the file metadata for Slice 1 of the Windows 7-32bit OS diskprint.
The Cyber Observable eXpression CybOX™ language is used as a distribution format for various objects of interest. CybOX provides a standard XML reporting format for describing different objects types associated with a slice.
The CybOX python api was used to create the XML documents from each type of object. The Product Object describes the product used to create the diskprint. This would be similar to information provided in the NSRLprod.txt file. We are distributing the file system metadata for a slice using the CybOX File Object. This is the type of information distributed in the NSRLFile.txt.
The Win Registry Key Object characterizes a Windows Registry object. The perl tool regdump.pl in the Perl Parse_Win32Registry-1.0 module was used to analyze the registry hives extracted from a slice. The generated XML identifies the root key and all its subkeys.
These are the cybOX objects for Slice 1 of the Windows 7-32bit OS diskprint.
Below is the complete distribution of a the Windows 7-32bit objects to date.
The MD5, SHA1 and SHA256 file signatures for the zip file downloads are available here.
1stSlice. Installed the OS into the VM. Selected of the English Language. Accepted the license terms. Restarted to Windows.
2ndSlice. Configured system name and user identity. Entered product code. Rejected automatic updates to the system. Set the system time. Rejected setting the clock for daylight saving time.
3rdSlice. Configured the network settings.
4thSlice. Manually restarted the system. The network was configured with its own IP. This allows for the capture of network communication.
5thSlice.Restarted the OS and Logged In.
6thSlice. The VM tools were installed. The System was restarted.