filetrove

v1.0.0-beta.9
Published: May 8, 2026 License: AGPL-3.0 Imports: 36 Imported by: 0

README

VERSION: v1.0.0-BETA-9


FileTrove walks a directory tree, identifies every file, computes metadata, and writes all results into a SQLite database with TSV export support.

What it collects

Category                     Details
File type                    MIME type, PRONOM identifier, format version, identification proof/note, extension — via siegfried
File & directory timestamps  Creation, modification, and access times
Hashes                       MD5, SHA1, SHA256, SHA512, BLAKE2B-512
Entropy                      Shannon entropy (files up to 1 GB)
Extended attributes          xattr from ext3/ext4, btrfs, APFS, and others
EXIF metadata                Extracted from image files
YARA-X                       Match results from your own rule files
NSRL                         Flags known software files via the National Software Reference Library
Dublin Core                  Optional session-level descriptive metadata

Each file and directory gets a UUIDv4 as a unique identifier. All results land in a SQLite database and can be exported to TSV.

Installation

  1. Get a distribution bundle — download from the releases page, or build one from source (see BUILDING.md):

    task dist:bundle    # builds binaries + bundles siegfried.sig
    

    The bundle at build/<os>_<arch>/ contains everything you need.

  2. Run the installer from the bundle directory:

    cd build/darwin_arm64   # or linux_amd64, etc.
    ./ftrove --install .
    

    This creates the scan database (db/filetrove.db) and logs/ directory. The siegfried signature file is included in the bundle. The NSRL bloom filter (~150–240 MB depending on variant) is downloaded automatically during install. Use --nsrl-variant to select which subset to download (default: all).

  3. You're ready.

Building from source without task dist? You can build the NSRL bloom filter locally. See BUILDING.md for details on task nsrl:build-all and disk space requirements.

YARA-X

YARA-X scanning requires a C library that is not bundled with FileTrove. It is built automatically during task build if not already present. See BUILDING.md for setup instructions.

  • Example rule files: testdata/yara/
  • When a rule matches, the rule name, session UUID, and file UUID are recorded in the yara table. The rule file itself is not stored.

NSRL

The NSRL bloom filter is not bundled in the repository. It is downloaded automatically during ftrove --install from the GitHub Releases page. Three variants are available:

Variant  Subsets                          Size
modern   Modern OS software               ~150 MB
mobile   Modern + Android + iOS           ~200 MB
all      Modern + Android + iOS + Legacy  ~240 MB

./ftrove --install . --nsrl-variant all     # default
./ftrove --install . --nsrl-variant modern  # smallest

NSRL checks are skipped gracefully if no bloom filter is present — scanning still works.

When NIST publishes a new RDS version, rebuild by updating NSRL_VERSION in Taskfile.nsrl.yml and running one of the build targets. See BUILDING.md for details.

You can also build a custom Bloom filter from any newline-delimited list of SHA1 hashes:

admftrove --creatensrl hashes.txt --nsrlversion "my-hashset-v1"

Optional flags: --nsrl-out (output filename, default nsrl.bloom), --nsrl-estimate (expected hash count; auto-counted from file if omitted) and --nsrl-fpr (false positive rate, default 0.01). Copy the resulting bloom file into db/. ftrove loads db/nsrl-<variant>.bloom based on --nsrl-variant (default all), with a fallback to db/nsrl.bloom.

Running a scan

./ftrove -i $DIRECTORY

FileTrove walks $DIRECTORY recursively. Run ./ftrove -h for all available flags.

Viewing results

List all sessions and export one to TSV:

./ftrove -l
./ftrove -t 926be141-ab75-4106-8236-34edfcf102f2

You can also query the SQLite database directly:

Exporting to PREMIS v3 XML

FileTrove can export the metadata of a session as PREMIS v3 XML. The export includes one premis:object per file (with fixity values, format information, file size, and storage location) as well as a premis:event for the scan event, written to stdout.

./ftrove -P 926be141-ab75-4106-8236-34edfcf102f2

Redirect stdout to save the output to a file:

./ftrove -P 926be141-ab75-4106-8236-34edfcf102f2 > session.premis.xml

Use ./ftrove -l to list available session UUIDs.

webftrove — Web Interface

webftrove is a companion tool that opens a read-only web interface for an existing FileTrove database. It runs a local HTTP server on port 9000 and opens your default browser automatically.

Features

  • Browse all sessions with file and directory counts
  • Filter files by name/path (with optional NOT negation), extension, MIME type (multi-select), NSRL status, and YARA hits
  • Sort by filename, size, modification time, entropy, extension, or MIME type
  • Live filtering via HTMX — results update without page reload
  • File detail view: all hashes, EXIF metadata, YARA matches, extended attributes, NTFS ADS
  • Directory listing with full-text search
  • Click 📂 next to any path to open the containing directory in the local file browser
  • Light and dark theme, toggle in the navigation bar

Installation

webftrove is included in the release packages (.deb for Linux, .tar.gz for macOS). No separate build step is needed — just use the binary from the release bundle.

To build from source instead:

git clone https://github.com/steffenfritz/FileTrove.git
cd FileTrove
go build ./cmd/webftrove/

This produces a single self-contained webftrove binary (templates are embedded). Copy it to any location you like, e.g.:

cp webftrove /usr/local/bin/

No additional files are required — webftrove carries everything it needs inside the binary.

Usage

Point webftrove at any filetrove.db file using the --db flag:

webftrove --db /path/to/db/filetrove.db

The browser opens automatically at http://localhost:9000. The database is opened in read-only mode; no data is ever written or modified.

Typical workflow after a scan:

# 1. Run a scan with ftrove
./ftrove -i /media/evidence -p "Case 2025-042" -a "J. Smith"

# 2. Open the results in the browser
webftrove --db db/filetrove.db

Requirements

  • The filetrove.db must exist and be a valid FileTrove database (created by ftrove --install or a previous scan).
  • Port 9000 must be available on localhost.
  • An internet connection is required on first load to fetch Tailwind CSS and HTMX from CDN. Subsequent loads are cached by the browser.

Background

FileTrove is the successor of filedriller, based on the iPres 2021 paper Marrying siegfried and the National Software Reference Library.

Documentation

Constants

const (
	// MaxFileSize is the max size file that should be processed. This defaults to 1 GB.
	MaxFileSize = 1073741824
	// MaxEntropyChunk is the max byte size of a chunk read
	MaxEntropyChunk = 256000
)
const (
	NSRLBloomURLModern = "https://github.com/steffenfritz/FileTrove/releases/download/nsrl-2026.03.1/nsrl-modern.bloom"
	NSRLBloomURLMobile = "https://github.com/steffenfritz/FileTrove/releases/download/nsrl-2026.03.1/nsrl-mobile.bloom"
	NSRLBloomURLAll    = "https://github.com/steffenfritz/FileTrove/releases/download/nsrl-2026.03.1/nsrl-all.bloom"
)

NSRL bloom filter download URLs per variant. Update these constants when a new NSRL build is published to GitHub Releases.

const SiegfriedVersion = "1_11"

Variables

var NSRLVariants = map[string]string{
	"modern": NSRLBloomURLModern,
	"mobile": NSRLBloomURLMobile,
	"all":    NSRLBloomURLAll,
}

NSRLVariants lists valid values for the --nsrl-variant flag.

Functions

func CheckInstall

func CheckInstall(version string) error

CheckInstall checks if all necessary files are available

func CheckVersion

func CheckVersion(db *sql.DB, version string) (bool, string, error)

CheckVersion checks if the binary version is compatible with the database. Only the base version (the part before '+') is compared, so that builds from different commits but the same release (e.g. 1.0.0-BETA-4+abc vs 1.0.0-BETA-4+def) are treated as compatible.

func ConnectFileTroveDB

func ConnectFileTroveDB(dbpath string) (*sql.DB, error)

ConnectFileTroveDB creates a connection to an existing sqlite database.

func CreateFileList

func CreateFileList(rootDir string) ([]string, []string, []string, error)

CreateFileList walks rootDir and returns three lists: regular files, directories, and skipped paths.

Skipped paths include symlinks (not followed), special files (sockets, devices, FIFOs), and any path that could not be accessed (e.g. permission denied, stale network mount). The walk continues past inaccessible entries rather than aborting.

Note: filepath.WalkDir crosses filesystem boundaries, including mounted network shares. Callers that need to stay within a single device should compare the device ID of each entry (via DirEntry.Info().Sys()) against the root device.
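
The device check described in the note, as an added example (not FileTrove's own code). It assumes a Unix-like OS where Sys() returns *syscall.Stat_t; walkSingleDevice, walkWithRootDev and deviceID are hypothetical names.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// deviceID returns the device number behind a FileInfo.
// Assumption: Unix-like OS, where Sys() yields *syscall.Stat_t.
func deviceID(fi fs.FileInfo) (uint64, bool) {
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return 0, false
	}
	return uint64(st.Dev), true
}

// walkWithRootDev walks root and sorts entries into regular files,
// directories and skipped paths. Anything whose device differs from rootDev
// is skipped, and a directory on another device is not descended into.
func walkWithRootDev(root string, rootDev uint64) (files, dirs, skipped []string, err error) {
	err = filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil { // inaccessible entry: record it and keep walking
			skipped = append(skipped, path)
			return nil
		}
		info, infoErr := d.Info() // lstat semantics: symlinks are not followed
		if infoErr != nil {
			skipped = append(skipped, path)
			return nil
		}
		if dev, ok := deviceID(info); !ok || dev != rootDev {
			skipped = append(skipped, path)
			if d.IsDir() {
				return fs.SkipDir // mount point of another filesystem
			}
			return nil
		}
		switch {
		case d.IsDir():
			dirs = append(dirs, path)
		case d.Type().IsRegular():
			files = append(files, path)
		default: // symlinks, sockets, devices, FIFOs
			skipped = append(skipped, path)
		}
		return nil
	})
	return files, dirs, skipped, err
}

// walkSingleDevice pins the walk to the device that holds root itself.
func walkSingleDevice(root string) ([]string, []string, []string, error) {
	rootInfo, err := os.Lstat(root)
	if err != nil {
		return nil, nil, nil, err
	}
	rootDev, ok := deviceID(rootInfo)
	if !ok {
		return nil, nil, nil, fmt.Errorf("no device ID available for %s", root)
	}
	return walkWithRootDev(root, rootDev)
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	files, dirs, skipped, err := walkSingleDevice(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("files=%d dirs=%d skipped=%d\n", len(files), len(dirs), len(skipped))
}
```

Recording foreign-device mount points in the skipped list keeps the omission visible in the scan record.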

func CreateFileTroveDB

func CreateFileTroveDB(dbpath string, version string, initdate string) error

CreateFileTroveDB creates a new, empty SQLite database for FileTrove. It contains information like configurations, sessions and db versions.

func CreateNSRLBloom

func CreateNSRLBloom(nsrlsourcefile string, nsrlversion string, nsrloutfile string, estimatedItems uint, fpr float64) error

CreateNSRLBloom reads a newline-delimited SHA1 hash file and creates a Bloom filter. nsrlsourcefile may be "-" to read from stdin, in which case estimatedItems must be > 0. estimatedItems is a hint for filter sizing. If 0, the file is pre-scanned to count the actual number of hashes, which guarantees the target FPR is met. fpr is the target false positive rate (e.g., 0.0001 for 0.01%).
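
Why the estimatedItems hint matters, as an added example (not FileTrove's code and not the bloom library it uses): a toy Bloom filter sized with the standard formulas, then loaded with four times the estimated number of hashes. A false positive here means an unknown file is reported as NSRL-known. All names and the generated SHA1 values are constructed for the illustration.

```go
package main

import (
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math"
)

// bloomParams returns the bit count m and hash count k for n items at
// target false positive rate p (standard Bloom filter sizing formulas).
func bloomParams(n uint, p float64) (m, k uint) {
	mf := math.Ceil(-float64(n) * math.Log(p) / (math.Ln2 * math.Ln2))
	kf := math.Ceil(math.Ln2 * mf / float64(n))
	return uint(mf), uint(kf)
}

// toyBloom is a minimal filter keyed by hex-encoded SHA1 digests.
type toyBloom struct {
	bits []uint64
	m, k uint
}

func newToyBloom(n uint, p float64) *toyBloom {
	m, k := bloomParams(n, p)
	return &toyBloom{bits: make([]uint64, (m+63)/64), m: m, k: k}
}

// positions derives k bit positions from the digest bytes by double hashing.
func (b *toyBloom) positions(sha1hex string) ([]uint, bool) {
	raw, err := hex.DecodeString(sha1hex)
	if err != nil || len(raw) != sha1.Size {
		return nil, false // not a SHA1 digest
	}
	h1 := binary.BigEndian.Uint64(raw[0:8])
	h2 := binary.BigEndian.Uint64(raw[8:16]) | 1
	pos := make([]uint, b.k)
	for i := range pos {
		pos[i] = uint((h1 + uint64(i)*h2) % uint64(b.m))
	}
	return pos, true
}

// Add inserts a digest and reports whether the input was a valid SHA1 hex string.
func (b *toyBloom) Add(sha1hex string) bool {
	pos, ok := b.positions(sha1hex)
	for _, i := range pos {
		b.bits[i/64] |= 1 << (i % 64)
	}
	return ok
}

func (b *toyBloom) Contains(sha1hex string) bool {
	pos, ok := b.positions(sha1hex)
	if !ok {
		return false
	}
	for _, i := range pos {
		if b.bits[i/64]&(1<<(i%64)) == 0 {
			return false
		}
	}
	return true
}

// constructedSHA1 generates a deterministic sample digest (constructed data).
func constructedSHA1(prefix string, i uint) string {
	s := sha1.Sum([]byte(fmt.Sprintf("%s-%d", prefix, i)))
	return hex.EncodeToString(s[:])
}

// measureFPR sizes a filter for sizedFor items, inserts `inserted` digests,
// then probes with digests that were never inserted.
func measureFPR(sizedFor, inserted, probes uint, p float64) float64 {
	b := newToyBloom(sizedFor, p)
	for i := uint(0); i < inserted; i++ {
		b.Add(constructedSHA1("known", i))
	}
	hits := 0
	for i := uint(0); i < probes; i++ {
		if b.Contains(constructedSHA1("unknown", i)) {
			hits++
		}
	}
	return float64(hits) / float64(probes)
}

func main() {
	fmt.Printf("correct estimate: %.3f\n", measureFPR(2000, 2000, 10000, 0.01))
	fmt.Printf("4x underestimate: %.3f\n", measureFPR(2000, 8000, 10000, 0.01))
}
```

With the correct estimate the measured rate stays near the 1% target; with the fourfold underestimate most never-inserted digests are reported as present.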

func CreateUUID

func CreateUUID() (string, error)

CreateUUID returns a UUID v4 as a string

func DebugCheckInstalled

func DebugCheckInstalled(fd os.File) error

DebugCheckInstalled checks if FileTrove is installed by checking if the database exists

func DebugCreateDebugPackage

func DebugCreateDebugPackage() (os.File, error)

DebugCreateDebugPackage creates the file for compiling information into a debug package

func DebugHostinformation

func DebugHostinformation(fd os.File) error

DebugHostinformation writes host stats and returns on error

func DebugWriteFileList

func DebugWriteFileList(fd os.File, filelist []string, dirlist []string) error

func DebugWriteFlags

func DebugWriteFlags(fd os.File, args []string) error

DebugWriteFlags takes parsed flags from main and writes them to the diag file

func DownloadNSRLBloom

func DownloadNSRLBloom(dst string, url string) error

DownloadNSRLBloom downloads the pre-built NSRL bloom filter from the given URL.

func Entropy

func Entropy(path string) (entropy float64, err error)

Entropy calculates the entropy of a file up to a hard-coded file size.

func ExportSessionDCTSV

func ExportSessionDCTSV(sessionuuid string) error

ExportSessionDCTSV exports all Dublin Core metadata from a session to a TSV file. Filtering is done by session UUID.

func ExportSessionDirectoriesTSV

func ExportSessionDirectoriesTSV(sessionuuid string) error

ExportSessionDirectoriesTSV exports all directory metadata from a session to a TSV file. Filtering is done by session UUID.

func ExportSessionEXIFTSV

func ExportSessionEXIFTSV(sessionuuid string) error

ExportSessionEXIFTSV exports all exif metadata from a session to a TSV file. Filtering is done by session UUID.

func ExportSessionFilesTSV

func ExportSessionFilesTSV(sessionuuid string) error

ExportSessionFilesTSV exports all file metadata from a session to a TSV file. Filtering is done by session UUID.

func ExportSessionJSONL

func ExportSessionJSONL(sessionuuid string, w io.Writer) error

ExportSessionJSONL writes all records for the given session as JSONL to w. Each line is a self-contained JSON object with a "type" discriminator field. Tables exported (in order): session, files, directories, exif, dublincore, yara, xattr, ntfsads. Optional tables are silently skipped when they contain no rows for the session.

func ExportSessionPREMIS

func ExportSessionPREMIS(sessionuuid string, w io.Writer) error

ExportSessionPREMIS writes all file objects for a session as a PREMIS v3 XML document to w. The document contains one Agent (FileTrove software), one Event (ingestion) per session, and one Object per file. Streaming: files are encoded row by row without full in-memory load.

func ExportSessionSessionTSV

func ExportSessionSessionTSV(sessionuuid string) ([]string, error)

ExportSessionSessionTSV exports all session metadata from a session to a TSV file. Filtering is done by session UUID.

func ExportXATTRTSV

func ExportXATTRTSV(sessionuuid string) error

ExportXATTRTSV exports all files that have xattributes to a TSV file. Filtering is done by session UUID.

func ExportYaraTSV

func ExportYaraTSV(sessionuuid string) error

ExportYaraTSV exports all files that matched YARA rules to a TSV file. Filtering is done by session UUID.

func GetDistinctExtensions

func GetDistinctExtensions(db *sql.DB, sessionUUID string) ([]string, error)

GetDistinctExtensions returns distinct file extensions present in a session

func GetDistinctMimes

func GetDistinctMimes(db *sql.DB, sessionUUID string) ([]string, error)

GetDistinctMimes returns distinct MIME types present in a session

func GetImageFiles

func GetImageFiles(db *sql.DB, sessionuuid string) (map[string]string, error)

GetImageFiles queries all files that have mime type image from a session

func GetSiegfriedDB

func GetSiegfriedDB(installPath string) error

GetSiegfriedDB downloads the signature db

func GetXattr

func GetXattr(filePath string) (map[string]string, error)

GetXattr checks if an inode has xattr. It returns a list of names and values.

func Hashit

func Hashit(inFile string, hashalg string) ([]byte, error)

Hashit hashes a file using the provided hash algorithm

func InsertDC

func InsertDC(db *sql.DB, sessionuuid string, dcuuid string, dc DublinCore) error

InsertDC adds DublinCore metadata to the database

func InsertExif

func InsertExif(db *sql.DB, exifuuid string, sessionid string, fileuuid string, e ExifParsed) error

InsertExif inserts exif metadata into the FileTrove database

func InsertSession

func InsertSession(db *sql.DB, s SessionMD) error

InsertSession adds session metadata to the database

func InstallFT

func InstallFT(installPath string, version string, initdate string, nsrlVariant string) (error, error, error, error)

InstallFT creates necessary directories and databases. nsrlVariant selects which pre-built bloom filter to download ("modern", "mobile", "all"). An empty string defaults to "all".

func ListSessions

func ListSessions(db *sql.DB) error

ListSessions lists all sessions from the FileTrove database

func PrepInsertDir

func PrepInsertDir(db *sql.DB) (*sql.Stmt, error)

PrepInsertDir prepares a statement for the addition of a single directory

func PrepInsertFile

func PrepInsertFile(db *sql.DB) (*sql.Stmt, error)

PrepInsertFile prepares a statement for the addition of a single file

func PrepInsertNTFSADS

func PrepInsertNTFSADS(db *sql.DB) (*sql.Stmt, error)

PrepInsertNTFSADS prepares a statement for the addition of ADS found in NTFS keys and values

func PrepInsertXattr

func PrepInsertXattr(db *sql.DB) (*sql.Stmt, error)

PrepInsertXattr prepares a statement for the addition of xattr keys and values

func PrepInsertYara

func PrepInsertYara(db *sql.DB) (*sql.Stmt, error)

PrepInsertYara prepares a statement for the addition of a matching YARA rule

func PrintBanner

func PrintBanner()

PrintBanner prints a pre-generated ascii banner with the program name

func PrintLicense

func PrintLicense(version string)

PrintLicense prints a short license text.

func ReturnSupportedHashes

func ReturnSupportedHashes() [5]string

ReturnSupportedHashes returns a list of supported hashes

func YaraCompile

func YaraCompile(ruleFile string) (*yarax.Rules, error)

YaraCompile compiles a string that is provided via a flag from the main function

func YaraScan

func YaraScan(rules *yarax.Rules, inFile string) (*yarax.ScanResults, error)

YaraScan receives pre-compiled rules and checks if one or more rules match on the input file. For that check it has to read files into []byte. While YARA itself is fast, this might become a bottleneck.

Types

type DCRecord

type DCRecord struct {
	UUID        string `json:"uuid"`
	Sessionuuid string `json:"sessionuuid"`
	DublinCore
}

DCRecord mirrors the full dublincore table row for JSONL export.

type DirMD

type DirMD struct {
	Dirname  string `json:"dirname"`
	Dirpath  string `json:"dirpath"`
	Dirctime string `json:"dirctime"`
	Dirmtime string `json:"dirmtime"`
	Diratime string `json:"diratime"`
}

type DirRecord

type DirRecord struct {
	Diruuid     string `json:"diruuid"`
	Sessionuuid string `json:"sessionuuid"`
	DirMD
	Hierarchy int64 `json:"hierarchy"`
}

DirRecord mirrors the full directories table row for JSONL export.

type DublinCore

type DublinCore struct {
	Title       string `json:"title"`
	Creator     string `json:"creator"`
	Contributor string `json:"contributor"`
	Publisher   string `json:"publisher"`
	Subject     string `json:"subject"`
	Description string `json:"description"`
	Date        string `json:"date"`
	Language    string `json:"language"`
	Type        string `json:"type"`
	Format      string `json:"format"`
	Identifier  string `json:"identifier"`
	Source      string `json:"source"`
	Relation    string `json:"relation"`
	Rights      string `json:"rights"`
	Coverage    string `json:"coverage"`
}

DublinCore is a struct that holds 15 core elements of DC https://datatracker.ietf.org/doc/html/rfc5013

func ReadDC

func ReadDC(dcjson string) (DublinCore, error)

ReadDC reads a json file and unmarshals it into the DublinCore struct

type ExifParsed

type ExifParsed struct {
	ExifVersion  string `json:"exifversion"`
	DateTime     string `json:"datetime"`
	DateTimeOrig string `json:"datetimeorig"`
	Artist       string `json:"artist"`
	Copyright    string `json:"copyright"`
	Make         string `json:"make"`
	Software     string `json:"software"`
	XPTitle      string `json:"xptitle"`
	XPComment    string `json:"xpcomment"`
	XPAuthor     string `json:"xpauthor"`
	XPKeywords   string `json:"xpkeywords"`
	XPSubject    string `json:"xpsubject"`
}

func ExifDecode

func ExifDecode(fileName string) (ExifParsed, error)

type ExifRecord

type ExifRecord struct {
	Exifuuid    string `json:"exifuuid"`
	Sessionuuid string `json:"sessionuuid"`
	Fileuuid    string `json:"fileuuid"`
	ExifParsed
}

ExifRecord mirrors the full exif table row for JSONL export.

type FileDetail

type FileDetail struct {
	File    WebFileMD
	Exif    *WebExifRow
	Yara    []WebYaraRow
	Xattr   []WebXattrRow
	NtfsAds []WebNtfsAdsRow
}

FileDetail holds a file and all its related table data

func GetFileDetail

func GetFileDetail(db *sql.DB, fileUUID string) (FileDetail, error)

GetFileDetail returns a file with all related table data

type FileFilters

type FileFilters struct {
	Query       string
	QueryNegate bool
	Ext         string
	Mimes       []string
	NSRL        string
	YaraOnly    bool
	SortBy      string
	Order       string
	Limit       int
	Offset      int
}

FileFilters holds filter and pagination parameters for file queries. NSRL accepts: "" (all), "only" (NSRL known), "exclude" (non-NSRL only).

type FileMD

type FileMD struct {
	Filename            string  `json:"filename"`
	Filepath            string  `json:"filepath"`
	Filenameextension   string  `json:"filenameextension"`
	Filesize            int64   `json:"filesize"`
	Filemd5             string  `json:"filemd5"`
	Filesha1            string  `json:"filesha1"`
	Filesha256          string  `json:"filesha256"`
	Filesha512          string  `json:"filesha512"`
	Fileblake2b         string  `json:"fileblake2b"`
	Filesffmt           string  `json:"filesffmt"`
	Filesfmime          string  `json:"filesfmime"`
	Filesfformatname    string  `json:"filesfformatname"`
	Filesfformatversion string  `json:"filesfformatversion"`
	Filesfidentnote     string  `json:"filesfidentnote"`
	Filesfidentproof    string  `json:"filesfidentproof"`
	Filesfregistry      string  `json:"filesfregistry"`
	Filectime           string  `json:"filectime"`
	Filemtime           string  `json:"filemtime"`
	Fileatime           string  `json:"fileatime"`
	Filensrl            string  `json:"filensrl"`
	Fileentropy         float64 `json:"fileentropy"`
}

FileMD holds the metadata for each inspected file that is written to the table files.

type FileRecord

type FileRecord struct {
	Fileuuid    string `json:"fileuuid"`
	Sessionuuid string `json:"sessionuuid"`
	FileMD
	Hierarchy int64 `json:"hierarchy"`
}

FileRecord mirrors the full files table row for JSONL export.

type FileTime

type FileTime struct {
	Atime time.Time
	Btime time.Time
	Ctime time.Time
	Mtime time.Time
}

FileTime holds all metadata times of a file

func GetFileTimes

func GetFileTimes(filename string) (FileTime, error)

GetFileTimes returns a type that holds the access, change and birth time of a file if available.

type HashSumsFile

type HashSumsFile struct {
	MD5        []byte
	SHA1       []byte
	SHA256     []byte
	SHA512     []byte
	BLAKE2B512 []byte
}

HashSumsFile contains all hashes for a single file

func HashAllFiles

func HashAllFiles(inFile string) (HashSumsFile, error)

HashAllFiles computes all supported hashes in a single file read using io.MultiWriter.
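
The single-read approach named here, combined with the chunked Shannon entropy that Entropy describes, as an added example (not FileTrove's implementation). digestAndEntropy and byteHistogram are hypothetical names, and BLAKE2b-512 is left out because it is not in the Go standard library.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
	"io"
	"math"
	"os"
)

// byteHistogram is an io.Writer that counts byte values, so entropy comes
// from the same stream that feeds the hash functions.
type byteHistogram struct {
	counts [256]uint64
	total  uint64
}

func (h *byteHistogram) Write(p []byte) (int, error) {
	for _, b := range p {
		h.counts[b]++
	}
	h.total += uint64(len(p))
	return len(p), nil
}

// Shannon returns bits per byte: 0 for empty or constant input, 8 for uniform bytes.
func (h *byteHistogram) Shannon() float64 {
	var e float64
	for _, c := range h.counts {
		if c > 0 {
			p := float64(c) / float64(h.total)
			e -= p * math.Log2(p)
		}
	}
	return e
}

// digestAndEntropy reads r exactly once in chunkSize pieces and returns
// hex digests keyed by algorithm name plus the Shannon entropy.
func digestAndEntropy(r io.Reader, chunkSize int) (map[string]string, float64, error) {
	if chunkSize <= 0 {
		return nil, 0, fmt.Errorf("chunkSize must be positive, got %d", chunkSize)
	}
	hashers := map[string]hash.Hash{
		"md5": md5.New(), "sha1": sha1.New(),
		"sha256": sha256.New(), "sha512": sha512.New(),
	}
	hist := &byteHistogram{}
	sinks := []io.Writer{hist}
	for _, h := range hashers {
		sinks = append(sinks, h)
	}
	fanout := io.MultiWriter(sinks...) // every chunk goes to all sinks
	buf := make([]byte, chunkSize)
	for {
		n, err := r.Read(buf)
		if n > 0 {
			if _, werr := fanout.Write(buf[:n]); werr != nil {
				return nil, 0, werr
			}
		}
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, 0, err
		}
	}
	sums := make(map[string]string, len(hashers))
	for name, h := range hashers {
		sums[name] = hex.EncodeToString(h.Sum(nil))
	}
	return sums, hist.Shannon(), nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: prog FILE")
		os.Exit(2)
	}
	f, err := os.Open(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer f.Close()
	sums, ent, err := digestAndEntropy(f, 256000) // chunk size mirrors MaxEntropyChunk
	fmt.Println(sums, ent, err)
}
```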

type JSONLRecord

type JSONLRecord struct {
	Type    string      `json:"type"`
	Payload interface{} `json:"payload"`
}

JSONLRecord is the top-level envelope for every JSONL line. The "type" field lets consumers filter records with: jq 'select(.type == "file")'

type NSRLFilter

type NSRLFilter struct {
	Filter   *bloom.BloomFilter
	Version  string   // NSRL RDS version (e.g., "2026.03.1-modern")
	HashType string   // "sha1" (future: "sha256")
	FPR      float64  // target false positive rate
	Items    uint     // number of hashes inserted
	Subsets  []string // e.g., ["modern"], ["modern", "android", "ios"]
}

NSRLFilter wraps a Bloom filter with NSRL metadata

func LoadNSRL

func LoadNSRL(nsrlbloomfile string) (*NSRLFilter, error)

LoadNSRL loads a serialized NSRLFilter from a .bloom file into memory

func (*NSRLFilter) Contains

func (nf *NSRLFilter) Contains(sha1hash string) bool

Contains checks if a given SHA1 hash is present in the NSRL Bloom filter

type NtfsadsRecord

type NtfsadsRecord struct {
	Ntfsadsuuid string `json:"ntfsadsuuid"`
	Sessionuuid string `json:"sessionuuid"`
	Fileuuid    string `json:"fileuuid"`
	Adsname     string `json:"adsname"`
	Adsvalue    string `json:"adsvalue"`
}

NtfsadsRecord mirrors the full ntfsads table row for JSONL export.

type ResumeInfo

type ResumeInfo struct {
	Rowid          int
	LastFile       string
	Mountpoint     string
	ProcessedFiles int
	NSRLFiles      int
}

ResumeInfo holds information from the database needed for resuming a session

func ResumeLatestEntry

func ResumeLatestEntry(db *sql.DB, sessionuuid string) (ResumeInfo, error)

ResumeLatestEntry gets the rowid and filepath of the latest entry of a session.

type SessionInfo

type SessionInfo struct {
}

SessionInfo holds information for printing session information

type SessionInfoMD

type SessionInfoMD struct {
	Sessionmd        SessionMD
	Rowid            string
	Filecount        int
	Oldestfile       string
	Oldestfiledate   string
	Youngestfile     string
	Youngestfiledate string
	Nsrlcount        int
	Difffiletypes    int
}

SessionInfoMD holds information about a single session

func ListSession

func ListSession(db *sql.DB, sessionuuid string) (SessionInfoMD, error)

ListSession returns information summary about a single session

type SessionMD

type SessionMD struct {
	UUID               string `json:"uuid"`
	Starttime          string `json:"starttime"`
	Endtime            string `json:"endtime"`
	Project            string `json:"project"`
	Archivistname      string `json:"archivistname"`
	Mountpoint         string `json:"mountpoint"`
	Pathseparator      string `json:"pathseparator"`
	ExifFlag           string `json:"exifflag"`
	Dublincoreflag     string `json:"dublincoreflag"`
	Yaraflag           string `json:"yaraflag"`
	Yarasource         string `json:"yarasource"`
	XattrFlag          string `json:"xattrflag"`
	NtfsadsFlag        string `json:"ntfsadsflag"`
	Filetroveversion   string `json:"filetroveversion"`
	Nsrlversion        string `json:"nsrlversion"`
	Sfversion          string `json:"siegfriedversion"`
	Filetrovedbversion string `json:"filetrovedbversion"`
	Goversion          string `json:"goversion"`
}

SessionMD holds the metadata written to table sessionsmd

func GetSessionByUUID

func GetSessionByUUID(db *sql.DB, uuid string) (SessionMD, error)

GetSessionByUUID returns a single session's metadata

type SessionSummary

type SessionSummary struct {
	Session   SessionMD
	FileCount int
	DirCount  int
}

SessionSummary holds a session with aggregated counts for web display

func GetSessionSummaries

func GetSessionSummaries(db *sql.DB) ([]SessionSummary, error)

GetSessionSummaries returns all sessions with file and directory counts

type SiegfriedType

type SiegfriedType struct {
	FileName            string
	SizeInByte          int64
	Registry            string
	FMT                 string
	FormatName          string
	FormatVersion       string
	MIMEType            string
	IdentificationNote  string
	IdentificationProof string
	SiegOutput          string
}

SiegfriedType is a struct for all the strings siegfried returns

func SiegfriedIdent

func SiegfriedIdent(s *siegfried.Siegfried, inFile string) (SiegfriedType, error)

SiegfriedIdent gets PRONOM metadata and the size of a single file

type WebDirMD

type WebDirMD struct {
	DirUUID   string
	Dirname   string
	Dirpath   string
	Dirctime  string
	Dirmtime  string
	Diratime  string
	Hierarchy int
}

WebDirMD holds directory metadata for web display

func GetSessionDirs

func GetSessionDirs(db *sql.DB, sessionUUID string, query string) ([]WebDirMD, error)

GetSessionDirs returns directories for a session, optionally filtered by a search string.

type WebExifRow

type WebExifRow struct {
	ExifVersion  string
	DateTime     string
	DateTimeOrig string
	Artist       string
	Copyright    string
	Make         string
	XPTitle      string
	XPComment    string
	XPAuthor     string
	XPKeywords   string
	XPSubject    string
}

WebExifRow holds EXIF metadata for web display

type WebFileMD

type WebFileMD struct {
	FileUUID            string
	SessionUUID         string
	Filename            string
	Filepath            string
	Ext                 string
	Filesize            int64
	Filemd5             string
	Filesha1            string
	Filesha256          string
	Filesha512          string
	Fileblake2b         string
	Filesffmt           string
	Filesfmime          string
	Filesfformatname    string
	Filesfformatversion string
	Filesfidentnote     string
	Filesfidentproof    string
	Filectime           string
	Filemtime           string
	Fileatime           string
	Filensrl            string
	Fileentropy         float64
	HasYara             bool
}

WebFileMD holds file metadata with UUIDs needed for web display

func QueryFiles

func QueryFiles(db *sql.DB, sessionUUID string, f FileFilters) ([]WebFileMD, int, error)

QueryFiles returns files for a session with optional filters and pagination. Returns the matching files, total count of matches, and any error.

type WebNtfsAdsRow

type WebNtfsAdsRow struct {
	AdsName  string
	AdsValue string
}

WebNtfsAdsRow holds a single NTFS alternate data stream entry

type WebXattrRow

type WebXattrRow struct {
	Name  string
	Value string
}

WebXattrRow holds a single extended attribute entry

type WebYaraRow

type WebYaraRow struct {
	RuleName string
}

WebYaraRow holds a single YARA rule match

type XattrRecord

type XattrRecord struct {
	Xattruuid   string `json:"xattruuid"`
	Sessionuuid string `json:"sessionuuid"`
	Fileuuid    string `json:"fileuuid"`
	Xattrname   string `json:"xattrname"`
	Xattrvalue  string `json:"xattrvalue"`
}

XattrRecord mirrors the full xattr table row for JSONL export.

type YaraRecord

type YaraRecord struct {
	Yaraentryuuid string `json:"yaraentryuuid"`
	Sessionuuid   string `json:"sessionuuid"`
	Fileuuid      string `json:"fileuuid"`
	Rulename      string `json:"rulename"`
}

YaraRecord mirrors the full yara table row for JSONL export.

Directories

Path Synopsis
cmd
admftrove command
ftrove command
webftrove command
