dfxml:byte_run

<xs:element name="byte_run">
  <xs:annotation>
    <xs:documentation>A specific location of bytes on a mass storage device. These are grouped in a byte_runs array. Child elements are one or more cryptographic hashes of the run's content. One might use this for sector-level hashes of a file's contents.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="dfxml:hashdigest" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="file_offset" type="xs:nonNegativeInteger"/>
    <xs:attribute name="fs_offset" type="xs:nonNegativeInteger"/>
    <xs:attribute name="img_offset" type="xs:nonNegativeInteger"/>
    <xs:attribute name="len" type="xs:nonNegativeInteger"/>
    <xs:attribute name="uncompressed_len" type="xs:nonNegativeInteger"/>
    <xs:attribute name="fill" type="xs:string"/>
    <xs:attribute name="type" type="xs:string">
      <xs:annotation>
        <xs:documentation>This attribute is used to denote whether the file's contents are resident in the file metadata structure. The SleuthKit uses this to denote residency in the NTFS MFT entry, using the corresponding flags "TSK_FS_ATTR_RES" to denote a resident file, and "TSK_FS_BLOCK_FLAG_RES" for the data block.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
    <xs:anyAttribute namespace="##other" processContents="lax"/>
  </xs:complexType>
</xs:element>