Advanced Forensics Format

Latest revision as of 04:46, 16 August 2025

Advanced Forensics Format is an open-source format developed originally by Basis Technology and Simson L. Garfinkel, and is maintained by Phillip Hellewell^[1], that:

• Is designed to support precision forensics using compression, encryption, and segmentation, ^[2] As well as an alternative to current proprietary disk image formats.^[3],
• Offers two significant benefits. First, it is more flexible due to allowing extensive metadata to be stored with metadata. Second, AFF images consume less disk space than disk images in other formats (e.g., EnCase images).^[4]
• Is a library that is available for use in both Open Source and proprietary tools implementing AFF.

The last format that offers Open Source tooling is based on the version 3, and it is still presently maintained by Phillip Hellewell. Advanced Forensics Format version 4 (AFF4) was originally written in Python,^[5] however the format appears to have become closed: papers documenting format are not publicly available,^[6] despite the blog entry is titled as "Open Standard". The associated tool is also offered as trialware only.^[7]

[edit] Software

• Philip (sshock) Hellewell's AFFLIB version 3 - GitHub offers toolkit for working with AFF images.^[8]
• Exterro FTK Imager (trialware, mostly Windows-only) - supports the AFF4 format and execution on portable drives (as of FTK Imager 4.7)
• Magnet AXIOM 4.2 and Magnet AXIOM Cyber 4.2 download link (trialware) - Mentioned as blog entry, the software is available only at customer portal that is linked in this URL.
• The Sleuth Kit and Autopsy - supports AFF image format.^[9]

[edit] Links

• Philip (sshock) Hellewell's AFFLIB version 3 - GitHub
• Simon L. (simsong) Garfinkel's AFFLIB version 3 (archived repository) - GitHub
• Internet Archive's copy of afflib.org, current website is occupied by web squatter
• Rekall Memory Forensic Framework (archived repository) - GitHub - For evaluating AFF4 imaging technology

[edit] References

1. ↑ AFFLIB version 3 - GitHub
2. ↑ Advanced Forensic Format (AFF) - Cyber Triage
3. ↑ Advanced Forensic Format: An open, extensible format for disk imaging - S. Garfinkel, D. Malan, K. Dubec, C. Stevens and C. Pham - Computer Science of Harvard University
4. ↑ Advanced Forensic Format: An open, extensible format for disk imaging - S. Garfinkel, D. Malan, K. Dubec, C. Stevens and C. Pham - Computer Science of Harvard University
5. ↑ AFF4 - The Advanced Forensics File Format - Internet Archive copy
6. ↑ AFF4 & AFF4-L -- An Open Standard for Forensic Imaging - Magnet Forensics blog
7. ↑ Updates in Magnet AXIOM 4.2 Include Support for AFF4, Skype Warrant Returns, and WhatsApp - Magnet Forensics blog
8. ↑ Makefile.am lines 1-2 - AFFLIBv3 - GitHub
9. ↑ Reference Documents - SleuthKitWiki