search for: dfxml

...The SleuthKit, here: https://github.com/sleuthkit/sleuthkit If you wish to use Fiwalk on your images, you should convert any of your disk images to a raw image or Expert Witness Format. Actually, I don't suppose qemu-img has a FUSE-like wrapper that exposes the underlying image as a raw file? DFXML has an entry on the Forensics Wiki: http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML As for your external-to-filesystem data question: I think you got the essential non-file-system data. I can imagine data fragments from past/shrunken file systems, or hidden-data regions that fal...

Thank you all for your suggestions! Richard W.M. Jones: > I keep meaning to write a comprehensive "virt-diff" tool. I needed it > myself just yesterday. Most interesting. I guess there are two reasons for creating such a tool: just compare the images (show the diff) and/or check for malicious additions in the other image. Did you consider implementing the former or both? Do

...ge: ibackup (2.27-4.1) file: /usr/bin/ibackup Binary-package: emacspeak (26.0-3) file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl Binary-package: bk2site (1:1.1.9-3.1) file: /usr/lib/cgi-bin/bk2site/redirect.pl Binary-package: datafreedom-perl (0.1.7-1) file: /usr/bin/dfxml-invoice Binary-package: emacs-jabber (0.7.91-1) file: /usr/lib/emacsen-common/packages/install/emacs-jabber Binary-package: lmbench (3.0-a7-1) file: /usr/lib/lmbench/scripts/rccs file: /usr/lib/lmbench/scripts/STUFF Binary-package: rancid-util (2.3.2~a8-1) file: /var/lib/rancid/geti...