BSDforge™

Following, are FreeBSD ports, or other *BSD related projects, hosted, or worked on at BSDforge in the sysutils category.

aimage

Advanced Disk Imager

The Advanced Forensic Format Library and Tools Version 3

Simson L. Garfinkel Naval Postgraduate School 2012

The Advanced Forensic Format (AFF) is on-disk format for storing computer forensic information. Critical features of AFF include:

• AFF allows you to store both computer forensic data and associated metadata in one or more files.
• AFF allows files to be digital singed, to provide for chain-of-custody and long-term file integrity.
• AFF allows for forensic disk images to stored encrypted and decrypted on-the-fly for processing. This allows disk images containing privacy sensitive material to be stored on the Internet.
• AFF is an open format unencumbered by copyright or patent protection. The AFFLIB library that implements AFF is available for use in both Open Source and proprietary tools.

AFF Library and Toolkit is a set of programs for working with computer forensic information. Using these tools you can:

• Interconvert disk images between a variety of formats, including:
  • raw or dd
  • splitraw (in which a single image is split between mulitple files)
  • EnCase or "E01" format
  • AFF format (in which the entire disk image is stored in a single file.)
  • AFD format (in which a disk image is stored in mulitple AFF files stored in a single directory.)
  • AFM format (in which an AFF file is used to annotate a raw file.)
• Compare disk images and report the data or metadata that is different.
• Copy disk images from one location to another, with full verification of data, metadata, and the automatic generation of a chain-of-custody segment.
• Find errors in an AFF file and fix them.
• Print information about a file.
• Print detailed statistics about a file.
• Generate an XML representation of a disk image's metadata (for example, acquisition time or the serial number of the acquisition device.)
• Produce an XML "diskprint" which allows a disk image to be rapidly fingerprinted without having the computer the SHA1 of the entire disk.

AFFLIBv3 implements version 3 of the AFF format. This version is currently in maintenance mode while work on AFFv4 continues. Key differences between AFFv3 and AFFv4 include:

• Whereas AFFv3 uses a purpose-built container file format, AFFv4 is based on ZIP64.
• Whereas AFFv3 is licensed with a four-part Berkeley license, AFFv4 is licensed an approved Open Source license.

AFFLIB and Toolkit is provided in source code form for Linux, MacOS and Windows. We have also created a Windows zipfile that contains:

• precompiled versions of the AFFLIB tools and all of the libraries necessary to run them.
• bulk_extractor.jar - A Java port of our system that automatically extracts email addresses, dates, and other information from a file and produces a histogram of the contents.

AFFLIB with SleuthKit:

TSK officially supports a subset of the image formats that AFFLIB supports. To use the other image formats, specify the image type as "afflib".
For example:

# fls -o 63 -i afflib foo.vmdk

Installation

Using the FreeBSD ports tree method:

cd /usr/ports/sysutils/afio make install clean

Using the FreeBSD pkg(8) method:

pkg install sysutils/afio

AFF and AFFLIB are trademarks of Simson L. Garfinkel and Basis Technology, Inc.

• Home
• Projects::sysutils
• Projects::All