Windows-7/32 Diskprint

A diskprint is a collection of information captured at various stages of an application's lifecycle. The set of data associated with a particular stage is referred to as a slice. Various tools are used to extract and analyze each data set. Every slice is processed using NSRL tools, which extract the filesystem metadata associated with the slice and store that information. The stored file metadata can be distributed in different formats.

In addition to the file metadata, the registry hive files are extracted and processed.

The MD5, SHA1 and SHA256 file signatures for the xml downloads are available here.

DFXML

Digital Forensics XML (DFXML) is a markup language that enables the exchange of forensic information in a structured form. It is used as a distribution format for the file system metadata associated with each diskprint slice. The Python tool dfxml_tool.py, part of the DFXML library, was used to process the slice VMDK file and output the results in this XML format. The XML output is validated using the DFXML schema.

This is a DFXML sample of the file metadata for Slice 1 of the Windows 7-32bit OS diskprint.

s1_dfxml_tool_25.xml
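As an added example (not code from the NSRL diskprint tooling or the DFXML library), the following Python parser reads the fileobject records of a DFXML document like the sample above and checks each file's MD5 against a set of known hashes, the kind of lookup an NSRLFile.txt-style reference set supports. The sample DFXML and the known-hash set are constructed inline, and the namespace URI is assumed from typical DFXML output.

```python
import hashlib
import xml.etree.ElementTree as ET


def local(tag):
    # DFXML declares a default xmlns; comparing local names keeps the parser namespace-agnostic.
    return tag.rsplit("}", 1)[-1]


def parse_dfxml(xml_text):
    """One dict per <fileobject>: filename, filesize and a {hash-type: hex digest} map."""
    records = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "fileobject":
            continue
        rec = {"filename": None, "filesize": None, "hashes": {}}
        for child in elem:
            name = local(child.tag)
            if name == "filename":
                rec["filename"] = child.text
            elif name == "filesize":
                rec["filesize"] = int(child.text)
            elif name == "hashdigest":  # the type attribute names the algorithm (md5, sha1, ...)
                rec["hashes"][child.get("type", "").lower()] = (child.text or "").strip().lower()
        records.append(rec)
    return records


def classify(records, known_md5):
    """Split filenames into (known, unknown, unhashed) by MD5 membership in the known set."""
    known, unknown, unhashed = [], [], []
    for rec in records:
        md5 = rec["hashes"].get("md5")
        bucket = unhashed if not md5 else known if md5 in known_md5 else unknown
        bucket.append(rec["filename"])
    return known, unknown, unhashed


OS_FILE = b"constructed stand-in for an OS binary present in the slice"   # constructed content
ODD_FILE = b"constructed stand-in for a file absent from the known set"   # constructed content
KNOWN_MD5 = {hashlib.md5(OS_FILE).hexdigest()}  # constructed known-hash set (NSRLFile.txt-like role)

# Constructed sample DFXML; digests are computed from the stand-in contents so the XML is self-consistent.
SAMPLE_DFXML = f"""<dfxml xmlns="http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML" version="1.0">
  <volume offset="1048576">
    <fileobject><filename>Windows/System32/calc.exe</filename><filesize>{len(OS_FILE)}</filesize>
      <hashdigest type="MD5">{hashlib.md5(OS_FILE).hexdigest()}</hashdigest>
      <hashdigest type="SHA1">{hashlib.sha1(OS_FILE).hexdigest()}</hashdigest></fileobject>
    <fileobject><filename>Users/Public/dropped.tmp</filename><filesize>{len(ODD_FILE)}</filesize>
      <hashdigest type="MD5">{hashlib.md5(ODD_FILE).hexdigest()}</hashdigest></fileobject>
    <fileobject><filename>$OrphanFiles/unknown0</filename><filesize>0</filesize></fileobject>
  </volume>
</dfxml>"""
```

Calling `classify(parse_dfxml(SAMPLE_DFXML), KNOWN_MD5)` separates the recognised OS file from the unrecognised one and reports the record that carries no digest at all, which is the case an analyst has to handle separately rather than silently treat as known.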

CybOX XML Generation

The Cyber Observable eXpression (CybOX™) language is used as a distribution format for various objects of interest. CybOX provides a standard XML reporting format for describing the different object types associated with a slice.

The CybOX Python API was used to create the XML documents for each type of object. The Product Object describes the product used to create the diskprint; this is similar to the information provided in the NSRLprod.txt file. The file system metadata for a slice is distributed using the CybOX File Object; this is the type of information distributed in NSRLFile.txt.

The Win Registry Key Object characterizes a Windows Registry object. The Perl tool regdump.pl, from the Perl Parse_Win32Registry-1.0 module, was used to analyze the registry hives extracted from a slice. The generated XML identifies the root key and all of its subkeys.

These are the CybOX objects for Slice 1 of the Windows 7-32bit OS diskprint.

dp_cybox_prod.xml
s1_cyboxfileobj_25.xml
s1_cyboxWinReg-sam.xml
s1_cyboxWinReg-security.xml
s1_cyboxWinReg-software50.xml
s1_cyboxWinReg-system50.xml

Below is the complete distribution of the Windows 7-32bit objects to date.

The MD5, SHA1 and SHA256 file signatures for the zip file downloads are available here.

1st Slice. Installed the OS into the VM. Selected the English language. Accepted the license terms. Restarted to Windows.

win7_32slice1.zip MD5(win7_32slice1.zip)= 05d79f442f5c900698007d13b6842107

2nd Slice. Configured system name and user identity. Entered product code. Rejected automatic updates to the system. Set the system time. Rejected setting the clock for daylight saving time.

win7_32slice2.zip MD5(win7_32slice2.zip)= ec2b28ccdaa97bbd67c9882a74553697

3rd Slice. Configured the network settings.

win7_32slice3.zip MD5(win7_32slice3.zip)= 12e72c0075c5c768cd701b27b2ab4410

4th Slice. Manually restarted the system. The network was configured with its own IP. This allows for the capture of network communication.

win7_32slice4.zip MD5(win7_32slice4.zip)= 38b0c99fc019ca5827f83dc7bd40464f

5th Slice. Restarted the OS and logged in.

win7_32slice5.zip MD5(win7_32slice5.zip)= 7a89970fa76b94af134c1aefb5f180e0

6th Slice. The VM tools were installed. The system was restarted.

win7_32slice6.zip MD5(win7_32slice6.zip)= d6f34c93cef52f60cf7213c5fb3dd96f


Created June 28, 2016, Updated November 15, 2019