This is the top level element for documents that use this schema. A general container to accomodate different metadata entries. This is the program that created the XML file. The actual name of the program. The version of the creating file. The operating system in which the file was created. This element describes how the environment was set. The compiler if (if any) used to compile the program. The date the program was compiled. A reference to any libraries used to compile the program. This is a description of the execution environment. os_sysname is the system name (reported by uname -s). os_release is the release (reported by uname -r). os_version is the os version (reported by uname -v). The name of the host machine in which the program was executed. The command line used to program. The username under which the program was executed. The date and time that the program was executed. This is where the file actually resides. A general structure to represent the attribute of the "value" element. A general structure to represent a xs:dateTime with the "prec" attribute. fileobject is the key file element for the standard digital forensic XML. A sequence of bytes with associated metadata. This is a unique identifier for the file. This is the size of the file in bytes. This is the partition where the file is at. This is the SleuthKit ALLOC flag. I believe that it means that the file is allocated. This is the number (st_ino from the stat(2) system call). Numerical User id. is the NTFS "Attribute Type" reported by SleuthKit. File opening mode. This is the time the file was last modified. This is the time the file was last accesed. This is the time the file was created. The name of the file. This is the result of running libmagic to identify the file type. This is the NTFS Sequence Number. Represents a cryptographic hash. A specific location of bytes on a mass storage device. These can be grouped in a byte_runs array. Represents a cryptographic hash. The name of the file. This is the hash algorithm that applies to this object. A mass storage system volume, which is defined as a collection of byte blocks that are all the same size. main element - image name