Abstract
This paper describes the Advanced Forensic Format (AFF), which is designed as an alternative to current proprietary disk image formats. AFF offers two significant benefits. First, it is more flexible because it allows extensive metadata to be stored with images. Second, AFF images consume less disk space than images in other formats (e.g., EnCase images). This paper also describes the Advanced Disk Imager, a new program for acquiring disk images that compares favorably with existing alternatives.
Copyright information
© 2006 IFIP International Federation for Information Processing
About this paper
Cite this paper
Garfinkel, S., Malan, D., Dubec, KA., Stevens, C., Pham, C. (2006). Advanced Forensic Format: an Open Extensible Format for Disk Imaging. In: Olivier, M.S., Shenoi, S. (eds) Advances in Digital Forensics II. DigitalForensics 2006. IFIP Advances in Information and Communication, vol 222. Springer, Boston, MA. https://doi.org/10.1007/0-387-36891-4_2
DOI: https://doi.org/10.1007/0-387-36891-4_2
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-36890-0
Online ISBN: 978-0-387-36891-7
eBook Packages: Computer Science, Computer Science (R0)