📜 Post with us on Reddit
📝 Create a new article
🏭 Create a company page
🇬🇧 - in English
🇫🇷 - en Français (FR)
🇵🇹 - em Português (PT)
🇩🇪 - auf Deutsch (DE)
🇯🇵 - 日本語で (JA)
Sponsored articles

You can edit almost every page by Creating an account and confirming your email.

Advanced Forensic Format

From EverybodyWiki Bios & Wiki


Advanced Forensic Format
Filename extension.aff, .afd, .afm
Developed bySimson Garfinkel; community contributors
Type of formatDisk image, digital forensics
Extended fromRaw disk image
Extended toAFF4
StandardOpen specification (implemented by AFFLIB)
Websitegithub.com/sshock/AFFLIBv3

The Advanced Forensic Format (AFF) is an open, extensible format for storing disk images together with forensic metadata. AFF was introduced in 2006 as a patent-unencumbered alternative to proprietary evidence containers, allowing data and metadata to be kept together or separately and supporting features such as compression, digital signatures and optional encryption.[1][2][3]

History

AFF was proposed by Garfinkel and collaborators in 2006 in an IFIP/DFRWS-linked volume, positioning it as a flexible, open format for disk imaging with richer metadata than raw images and reduced storage through compression.[1] The format’s reference implementation is the open-source AFFLIB library and tools, initially from Basis Technology and later maintained by community contributors.[3]

Design and features

AFF defines a container that stores disk data and associated metadata in segments. Implementations support lossless compression and optional encryption, and can embed a cryptographic signature for chain-of-custody and integrity verification.[3][2] The AFFLIB API exposes an image as a stream plus a name–value metadata store; tools include an imager (aimage), a converter (afconvert), and utilities for exporting metadata (e.g., afxml).[4][5]

Variants

AFF version 3 implementations commonly use three related on-disk layouts:[6][7]

  • .aff — single-file container holding image data and metadata.
  • .afd — split layout (multiple AFF files in a directory) for easier transfer of large images.
  • .afm — metadata in AFF paired with a separate raw (dd) image.

Advanced Forensic Framework 4 (AFF4)

AFF4 (Advanced Forensic Framework 4) was proposed in 2009 as a redesign that generalises AFF into a framework for evidence containers. AFF4 separates storage from semantics, supports multiple evidence types in a single archive, and introduces chunked storage with indexed “bevies” for efficient random access.[8][9]

Design

AFF4 is object-oriented: every entity (evidence stream, container, map) is assigned a globally unique URN and described with RDF triples (linked-data facts). Evidence data are stored as compressed chunks grouped into bevies, with a separate index enabling random access; typical containers are either directory-based or ZIP/ZIP64 archives.[10][11] AFF4 supports HTTP range access for remote use, map streams for storage virtualisation (e.g., reconstructing RAID or referencing carved files without duplication), and cryptographic metadata about chunks and maps to support verification workflows.[12]

Implementations and tooling

Open implementations include a Python reference library (pyaff4), a C/C++ implementation (c-aff4 and forks), and a lightweight reader (aff4-cpp-lite). Canonical sample images are published for conformance testing.[13][14][15][16][17]

Performance-oriented extensions

Subsequent research proposed “wirespeed” extensions for higher-throughput acquisition, including faster compression (e.g., Snappy), block-level hashing and partial imaging semantics to represent unreadable or unacquired regions.[18]

AFF4-L (logical imaging)

AFF4-L generalises AFF4 to logical evidence, supporting deduplicated content storage and arbitrarily rich, structured metadata. A DFRWS 2019 paper describes a prototype implementation and use cases for scalable logical imaging.[19][20]

Tooling and support

The AFFLIB toolset can interconvert images among raw (dd), split-raw, AFF/AFD/AFM, and other formats, verify images, and generate chain-of-custody segments.[21] Community corpora (e.g., Digital Corpora) reference AFF images and provide conversion guidance.[22] Industry discussions and vendor documentation describe AFF4/AFF4-L as open containers aimed at interoperability and performance in modern workflows.[23]

See also

References

  1. 1.0 1.1 Garfinkel, Simson L.; Malan, David J.; Dubec, Karl-Alexander; Stevens, Christopher C.; Pham, Cecile (2006). "Advanced Forensic Format: An Open, Extensible Format for Disk Imaging". In Olivier, Martin S.; Shenoi, Sujeet. Advances in Digital Forensics II. IFIP Advances in Information and Communication Technology. 222. New York, NY: Springer. pp. 13–27. doi:10.1007/0-387-36891-4_2. Retrieved 8 September 2025. Search this book on
  2. 2.0 2.1 "Advanced Forensic Format Disk Image, AFF Version 1.0". Library of Congress — Sustainability of Digital Formats. 23 September 2015. Retrieved 8 September 2025.
  3. 3.0 3.1 3.2 "AFFLIBv3 — Advanced Forensic Format Library and Tools". GitHub. Retrieved 8 September 2025.
  4. Garfinkel, Simson L. (2011). "Digital media triage with bulk data analysis and bulk_extractor (appendix describing AFFLIB tools)" (PDF). simson.net. Retrieved 8 September 2025.
  5. "Chapter 4: AFF Library and Tools (excerpts)" (PDF). Harvard University (CS). Retrieved 8 September 2025.
  6. "afflib-tools (Debian package description)". Debian. Retrieved 8 September 2025.
  7. "AFFLIB — README". GitHub. Retrieved 8 September 2025.
  8. Cohen, Michael I.; Garfinkel, Simson L.; Schatz, Bradley (2009). "Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow" (PDF). Digital Investigation. 6 (Supplement): S57–S68. doi:10.1016/j.diin.2009.06.010. Retrieved 8 September 2025.
  9. "Advanced Forensic Framework Disk Image, AFF Version 4 (AFF4)". Library of Congress — Sustainability of Digital Formats. 2018. Retrieved 8 September 2025.
  10. "Advanced Forensic Framework 4 (AFF4) — design overview". forensics.wiki. Retrieved 8 September 2025.
  11. "Forensic Imaging v4.0: AFF4 (OSDFCon 2016 slides)" (PDF). OSDFCon. 2016. Retrieved 8 September 2025.
  12. "Advanced Forensic Framework 4 (AFF4)". forensics.wiki. Retrieved 8 September 2025.
  13. "The Python implementation of the AFF4 standard (pyaff4)". GitHub. Retrieved 8 September 2025.
  14. "c-aff4 (C/C++ AFF4 library)". GitLab. Retrieved 8 September 2025.
  15. "aff4-cpp-lite — a lightweight C/C++ AFF4 reader library". GitHub. Retrieved 8 September 2025.
  16. "AFF4 Standard Specification v1.0 (repository)". GitHub. Retrieved 8 September 2025.
  17. "Canonical AFF4 Standard Images". GitHub. Retrieved 8 September 2025.
  18. "Wirespeed: Extending the AFF4 container format for scalable acquisition and live analysis (DFRWS 2015 slides)" (PDF). DFRWS. 2015. Retrieved 8 September 2025.
  19. Schatz, Bradley; Cohen, Michael I. (2019). "AFF4-L: A scalable open logical evidence container". Digital Investigation. 29: S139–S147. doi:10.1016/j.diin.2019.04.014. Retrieved 8 September 2025.
  20. "AFF4-L: A Scalable Open Logical Evidence Container (paper PDF)" (PDF). DFRWS. 2019. Retrieved 8 September 2025.
  21. "AFFLIB — features and tools". GitHub. Retrieved 8 September 2025.
  22. "Format conversion (RAW, E01, AFF)". Digital Corpora. Retrieved 8 September 2025.
  23. "AFF4 & AFF4-L — An Open Standard for Forensic Imaging". Magnet Forensics (blog). 2019. Retrieved 8 September 2025.

External links


This article "Advanced Forensic Format" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:Advanced Forensic Format. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.


Retrieved from "https://en.everybodywiki.com/index.php?title=Advanced_Forensic_Format&oldid=5249767"
License CC BY-SA 3.0
Powered by MediaWiki