This is a prototype forensics system that generates and validates evidence in the DFXML format.  The forensic searches are
conducted using constraint programming; the search code is written in C++ against the Gecode API.  The validation code is written
in Scala.  This code is copyrighted and is not licensed for public or private distribution beyond refereeing purposes.

This prototype has been developed and tested on both Linux and OS X.

COMPILATION AND RUNNING STEPS

To compile and run these examples:

1. Install Gecode from:  http://www.gecode.org

2. Install libjpeg development files, e.g., libjpeg-turbo8-dev on Ubuntu 12.04.

3. Install Scala 2.10.x from http://scala-lang.org

4. Run "make all" from top-level directory.

5. Download the Schardt hacking case image from NIST into the "XML" directory.  The image file that you create must be named
SCHARDT.RAW, be exactly 4871301120 bytes in size, and have MD5 aee4fcd9301c03b3b054623ca261959a.  Check the size and MD5 before
running the searches below; evidence generated from a different image will not match the validation steps.

6. In the "XML" directory, run "./q-ex-pattern-file SCHARDT.RAW all".  This searches for MFT-entry-like occurrences within the
specified parts of the disk image.  "all" may be replaced with "allocated" or "unallocated" to restrict the search to the allocated
or unallocated regions of the image.  This program does not generate DFXML evidence.

7. In the "XML" directory, run "./q-pattern-file SCHARDT.RAW".  This searches for MFT-entry-like occurrences within the whole disk
image.  The DFXML-based evidence output is written to testntfsmftentryxml.xml.

8. In the "Validator" directory, the DFXML-based evidence produced in step 7 can be validated using "scala FileObjectFiwalk".

9. In the "Validator" directory, the DFXML evidence "SCHARDT.xml" produced by running "fiwalk -X SCHARDT.RAW" can be validated
using "scala FileObjectFiwalk SCHARDT.xml".  Note: fiwalk is part of The SleuthKit distribution and not distributed with this
system.
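The following shell script is an added example and is not part of the prototype.  It performs the image check that step 5 asks for
(file name, byte size and MD5 as stated above) before running the search of step 7 and the validation of step 8, so that evidence
is never generated from the wrong image.  It assumes it is run from the top-level directory after "make all", that the "XML" and
"Validator" directories and the q-pattern-file and FileObjectFiwalk programs exist as described in the steps above, and that the host
has either md5sum (Linux) or md5 (OS X) on the PATH.

```shell
#!/bin/sh
# Added example (not part of the original prototype): verify SCHARDT.RAW
# against the README's stated name, size and MD5, then run the search and
# validation steps in order.  Run as:  sh check-and-run.sh run

# Expected values, exactly as given in the README (step 5).
EXPECTED_NAME=SCHARDT.RAW
EXPECTED_SIZE=4871301120
EXPECTED_MD5=aee4fcd9301c03b3b054623ca261959a

# Print the MD5 hex digest of a file, using whichever tool the host has
# (md5sum on Linux, md5 on OS X).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Size in bytes.  "wc -c" is portable across Linux and OS X; tr strips the
# leading padding that the OS X wc prints.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_image FILE SIZE MD5: return 0 if FILE exists with exactly that size
# and digest, 1 otherwise.  Size is checked first because it is cheap; the
# digest pass reads the whole 4.8 GB image.
verify_image() {
    file=$1; want_size=$2; want_md5=$3
    if [ ! -f "$file" ]; then
        echo "missing image: $file" >&2
        return 1
    fi
    have_size=$(size_of "$file")
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch: $have_size bytes, expected $want_size" >&2
        return 1
    fi
    have_md5=$(md5_of "$file" | tr 'A-F' 'a-f')
    if [ "$have_md5" != "$want_md5" ]; then
        echo "md5 mismatch: $have_md5, expected $want_md5" >&2
        return 1
    fi
    return 0
}

# Steps 7 and 8 of the README, run only after the image checks out.
# The two program invocations are exactly those the README gives.
run_pipeline() {
    verify_image "XML/$EXPECTED_NAME" "$EXPECTED_SIZE" "$EXPECTED_MD5" || return 1
    # Step 7: search the image; evidence lands in XML/testntfsmftentryxml.xml.
    ( cd XML && ./q-pattern-file "$EXPECTED_NAME" ) || return 1
    # Step 8: validate the evidence produced in step 7.
    ( cd Validator && scala FileObjectFiwalk ) || return 1
}

# Only run the pipeline when asked; sourcing the file just defines the
# functions so verify_image can be reused on its own.
if [ "${1:-}" = "run" ]; then
    run_pipeline
fi
```

verify_image can also be called on its own (for example against the fiwalk input of step 9) whenever an image is copied to another
machine; any mismatch in size or digest is reported on stderr and the function returns non-zero, so "|| exit 1" stops a script
before any search runs.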
