|Title: Introduction to the use of AFF|
|Subject: Advanced Forensic Format|
|Author: Jean-François Beckers|
|Date: 08 Dec 2005|
|Licence: Creative Commons|
Introduction to the use of AFF
The Advanced Forensic Format (AFF) is an extensible open format for the storage
of disk images. It provides built-in features such as compression, hash code
verification and metadata management.
AFFLib provides dedicated AFF tools such as:
- aimage : creates AFF images
- afcat : generates a DD image from an AFF one
- afcompare : verifies an AFF image against its derived DD image
- afinfo : validates an AFF image's hash codes (md5, sha1)
AFFLib is developed by Simson L. Garfinkel. For recent releases and more
detailed information, refer to www.afflib.org.
Goal of this article :
This article introduces and describes the use of the AFFLib tools in computer
forensic work. After reading it, you should be able to use and understand the
AFF tools in your job. This includes creating an AFF image of a device,
verifying/validating an AFF image, and converting an AFF image.
Get and install AFFLib
On the afflib.org website, under "source code", you will find the latest version
of afflib (currently 1.2.7).
When the download is complete, run:
# tar xvfz afflib-1.2.7.tar.gz
This extracts all files from the archive.
To generate the binaries, you normally just need to run "make":
g++ -g -Wall -I/usr/local/ssl/include -DUNIX -c -o aimage.o aimage.cpp...
g++ -g -Wall -I/usr/local/ssl/include -DUNIX -c -o afxml.o afxml.cpp
g++ -g -Wall -I/usr/local/ssl/include -DUNIX -c -o base64.o base64.cpp
g++ -g -Wall -I/usr/local/ssl/include -DUNIX -o afxml afxml.o base64.o afflib.o
Create a config file (aimage) :
This helps you create a configuration file from which aimage reads the questions it asks.
# aimage -make_config=my.conf
This command creates a sample config file "my.conf" containing:
# Sample config file for aimage...
# Syntax: ask
ask name Your Name:
ask date_acquired Date this drive was acquired (yyyy-mm-dd):
ask case_number Case Number:
# Feel free to add your own!
Create an AFF image of a device using a config file (aimage) :
This command creates a forensic copy of the external media "/dev/sda" into the file "usbdrive_copy.aff".
The option "--config=my.conf" tells aimage to ask the configured questions and store the answers in the generated AFF image.
This is helpful in the investigation process to correctly identify the analysed drives and document the full process.
# ./aimage --config=my.conf --outfile=usb_drive_1gb.aff /dev/sda
Date this drive was acquired (yyyy-mm-dd):2005-12-07
Now "aimage" displays the progress of the copy:
IMAGING Wed Dec 7 14:11:49 2005
Source device: /dev/sda AFF Output: usb_drive_1gb.aff
Sector size: 1024 bytes
Currently reading sector: 48,640 (512 sectors at once)
Sectors read: 49,152 ( 4.91%) # blank: 0
Time spent reading: 00:00:06 Estimated total time left: 00:04:52
Total bytes read: 50,331,648
Total bytes written: 49,807,360
Compressed bytes written: 24,983,914 >>> COMPRESSING <<<
Time spent compressing: 00:00:07
Overall compression ratio: 25.54% (0% is none; 100% is perfect)
We now have a forensic copy of the thumb drive.
The next Sleuthkit release will support AFF, so it will be possible to use the
produced file directly.
When the copy is finished, "aimage" displays a short report with the MD5 and SHA1 hash codes and the compression ratio:
AFF Output file: usb_drive_1gb.aff
Total bytes read: 1,024,966,656
Compressed bytes written: 197,784,704
Overall compression ratio: 80.7%
raw image md5: ea cc 8b a1 43 51 50 14 5b 29 84 5f ee d0 d7 f5
raw image sha1: 4b 8b e2 b7 26 0c 20 c1 33 a9 fb 9e 49 92 1c d6 78 45 19 15
Convert the AFF image to DD (afcat) :
# afcat usbdrive_copy.aff > usbdrive_copy.dd
I think this is not the best way to do it, but at the time I write this article,
it's the only way that works on my system. This command creates "usbdrive_copy.dd" by extracting the original content of the thumb drive from "usbdrive_copy.aff".
Verify an AFF image's integrity (afinfo) :
# afinfo -v usbdrive_copy.aff
"afinfo" with the "-v" option verifies the image integrity based on the hash codes.
If the hash codes stored in the AFF image match the newly computed ones, the following report is shown:
Validating hash codes...
md5: 62 09 cd d6 06 e0 ef 11 9b 48 d6 8d cd 49 d5 3c MATCH
sha1: 23 11 2b d6 f5 4a 9a 72 1e 6d d5 e6 b2 03 63 16 50 f0 09 38 MATCH
AFF file is 14447519 bytes. Actual compression ratio with overhead: 98.6%
Validate an AFF image and its derived DD image (afcompare) :
# afcompare usbdrive_copy.aff usbdrive_copy.dd
"afcompare" verifies the integrity of both images and reports whether they are the same according to the hash codes.
comparing usbdrive_copy.aff and usbdrive_copy.dd...
1024458752 out of 1024966656 bytes compared (99.95%) 17.59 MBytes/sec 0:00
Read 1024966656 bytes. Files match!
Verify a DD image's hash codes (md5sum/sha1sum) :
GNU/Linux systems include these utilities, so it is very easy to verify a DD image after a copy using "md5sum" and "sha1sum".
# md5sum usbdrive_copy.dd
# sha1sum usbdrive_copy.dd
The verification done, the copy process is safe, the image's integrity are veri
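As an added example (not code from the original article or from AFFLib), the following POSIX shell script ties the afinfo and md5sum/sha1sum steps above together: it compares a DD image's md5sum/sha1sum digests with hash codes written in the byte-spaced form that aimage and afinfo print ("62 09 cd d6 ..."). The function names and the 6-byte sample image are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the original article or AFFLib. Checks a DD
# image's md5/sha1 digests against hash codes given in the byte-spaced
# form aimage and afinfo print. Function names are assumptions.

# normalize_hash: drop spaces/newlines/tabs and lowercase, so the afinfo
# form "62 09 CD D6" and the md5sum form "6209cdd6" compare equal.
normalize_hash() {
    printf '%s' "$1" | tr -d ' \n\t' | tr 'A-F' 'a-f'
}

# check_digest ALGO IMAGE EXPECTED: ALGO is "md5" or "sha1" (runs md5sum
# or sha1sum). Prints a MATCH/MISMATCH line like afinfo -v; returns 0
# only on a match.
check_digest() {
    want=$(normalize_hash "$3")
    got=$("${1}sum" "$2" | cut -d' ' -f1)   # first field is the hex digest
    if [ "$got" = "$want" ]; then
        echo "$1: $got MATCH"
        return 0
    fi
    echo "$1: $got MISMATCH (expected $want)"
    return 1
}

# verify_dd_hashes IMAGE EXPECTED_MD5 EXPECTED_SHA1
# Both digests are always checked; returns 0 only when both match.
verify_dd_hashes() {
    status=0
    check_digest md5 "$1" "$2" || status=1
    check_digest sha1 "$1" "$3" || status=1
    return $status
}

# Constructed sample "DD image" (6 bytes, "hello\n") so the script runs
# offline; the expected values are the md5/sha1 of exactly that content,
# written the way aimage's final report prints them.
SAMPLE_DD=$(mktemp)
printf 'hello\n' > "$SAMPLE_DD"
SAMPLE_MD5="b1 94 6a c9 24 92 d2 34 7c 62 35 b4 d2 61 11 84"
SAMPLE_SHA1="f5 72 d3 96 fa e9 20 66 28 71 4f b2 ce 00 f7 2e 94 f2 25 8f"

verify_dd_hashes "$SAMPLE_DD" "$SAMPLE_MD5" "$SAMPLE_SHA1"
```

In practice, replace the sample file and digests with the DD image produced by afcat and the md5/sha1 lines from aimage's report or afinfo -v.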
We are now able to :
- create an AFF file
- convert the AFF image to a DD one
- verify an AFF image's integrity
- verify the hash codes of the generated DD image
More information :
More explicit and descriptive articles on www.afflib.org :
The Advanced Forensic Format 1.0
Disk Imaging with the Advanced Forensic Format Library and Tools