Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Windows-7/32 Diskprint

A diskprint is a collection of information captured at various stages of an applications lifecycle. The set of data associated with a particular stage is referred to as a slice. Various tools are used to extract and analyze each data set. Every slice is processed using NSRL tools. These tools are used to extract the filesystem metadata associated with each slice and store that information. The distribution of this stored file metadata can be in different formats .

In addition to the file metadata, the registry hive files are extracted and processed.

The MD5, SHA1 and SHA256 file signatures for the xml downloads are available here.


Digital Forensics XML (DFXML) is a markup language that enables the exchange of forensic information in a structured form. It is used as a distribution format for the file system metadata associated with each diskprint slice. The phyton tool, part of the DFXML library, was used to process the slice VMDK file and output the results in this XML format. The XML output is validated using the dfxml schema.

This is a DFXML sample of the file metadata for Slice 1 of the Windows 7-32bit OS diskprint.


CybOX XML Generation

The Cyber Observable eXpression CybOX™ language is used as a distribution format for various objects of interest. CybOX provides a standard XML reporting format for describing different objects types associated with a slice.

The CybOX python api was used to create the XML documents from each type of object. The Product Object describes the product used to create the diskprint. This would be similar to information provided in the NSRLprod.txt file. We are distributing the file system metadata for a slice using the CybOX File Object. This is the type of information distributed in the NSRLFile.txt.

The Win Registry Key Object characterizes a Windows Registry object. The perl tool in the Perl Parse_Win32Registry-1.0 module was used to analyze the registry hives extracted from a slice. The generated XML identifies the root key and all its subkeys.

These are the cybOX objects for Slice 1 of the Windows 7-32bit OS diskprint.


Below is the complete distribution of a the Windows 7-32bit objects to date.

The MD5, SHA1 and SHA256 file signatures for the zip file downloads are available here.

1stSlice. Installed the OS into the VM. Selected of the English Language. Accepted the license terms. Restarted to Windows. MD5( 05d79f442f5c900698007d13b6842107

2ndSlice. Configured system name and user identity. Entered product code. Rejected automatic updates to the system. Set the system time. Rejected setting the clock for daylight saving time. MD5( ec2b28ccdaa97bbd67c9882a74553697

3rdSlice. Configured the network settings. MD5( 12e72c0075c5c768cd701b27b2ab4410

4thSlice. Manually restarted the system. The network was configured with its own IP. This allows for the capture of network communication. MD5( 38b0c99fc019ca5827f83dc7bd40464f

5thSlice.Restarted the OS and Logged In. MD5( 7a89970fa76b94af134c1aefb5f180e0

6thSlice. The VM tools were installed. The System was restarted. MD5( d6f34c93cef52f60cf7213c5fb3dd96f



Created June 28, 2016, Updated November 15, 2019