• Why a new file format? What’s wrong with EnCase or raw block-by-block images?
    The proprietary EnCase® file format supports seeking within a compressed file, but the specification for this file format is not publicly available and may be encumbered by patents and other intellectual property restrictions which inhibit widespread adoption.

    Raw image files take up a lot of space. Neither format allows the storage of arbitrary name/value pairs or provides for encryption, chain-of-custody, or other advanced features.
  • Why not put meta information into log files?
    In many cases it is advantageous to store meta information (such as case numbers, acquisition times, the name of the investigator, etc.) directly in the image file. For example, storing this information in a single file with the image makes it very unlikely that the two will become separated, or that the wrong log file will be used with an image. In some cases it does make sense to store metadata separately from forensic information. For these cases AFF supports the AFM variant, which stores original data in split raw files and metadata in an accompanying AFF file.
  • Can AFF files be "mounted" like other files?
    Yes. On Linux systems, AFF files can be mounted using FUSE and the affuse utility.
  • I keep getting the error "affuse: FUSE support is disabled." when I try to run the affuse command; what am I doing wrong?
    When you compile the affuse command, you must have the fuse developer libraries (libfuse-dev) installed. This includes both the library and the fuse.h header. These are not installed as part of the standard Linux developer distribution.
  • How hard is it to add AFF support to an existing forensic application?
    It's easy. You just change your fopen() calls to af_open(), change fread() to af_read(), and so on. Once you do this, your application will be able to open AFF, AFM and AFD files automatically. It will also be able to handle split-raw and even EnCase-formatted files.
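
The substitution described above, as an added example (not code from the original page or from AFFLIB): one routine that checks a sector for the 0x55 0xAA boot signature, reading through AFFLIB when built with `-DUSE_AFFLIB -lafflib` and through stdio on a raw image otherwise. The `USE_AFFLIB` macro and the `img_*` wrappers are hypothetical names; the include path and the `af_*` argument lists are assumptions taken from AFFLIB's header, since the page names only the functions.

```c
/* Added example. Default build uses stdio on a raw image; build with
   -DUSE_AFFLIB -lafflib to route the same calls through AFFLIB.
   USE_AFFLIB and img_* are hypothetical names chosen for this example. */
#include <stdio.h>
#include <stdint.h>

#ifdef USE_AFFLIB
#include <fcntl.h>
#include <afflib/afflib.h>   /* assumed install path of the AFFLIB header */
typedef AFFILE img_t;
#define img_open(path)     af_open((path), O_RDONLY, 0)
#define img_seek(f, off)   ((int64_t)af_seek((f), (off), SEEK_SET) == (off) ? 0 : -1)
#define img_read(f, b, n)  ((long)af_read((f), (b), (n)))
#define img_close(f)       af_close(f)
#else
typedef FILE img_t;
#define img_open(path)     fopen((path), "rb")
#define img_seek(f, off)   fseek((f), (long)(off), SEEK_SET)
#define img_read(f, b, n)  ((long)fread((b), 1, (n), (f)))
#define img_close(f)       fclose(f)
#endif

#define SECTOR 512

/* Returns 1 if the sector ends in 0x55 0xAA, 0 if it does not,
   and -1 on an open, seek or short-read error. */
int has_boot_signature(const char *path, int64_t sector)
{
    unsigned char buf[SECTOR];
    int result = -1;
    img_t *f = img_open(path);
    if (f == NULL)
        return -1;
    if (img_seek(f, sector * SECTOR) == 0 && img_read(f, buf, SECTOR) == SECTOR)
        result = (buf[510] == 0x55 && buf[511] == 0xAA);
    img_close(f);
    return result;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s image\n", argv[0]);
        return 2;
    }
    int r = has_boot_signature(argv[1], 0);
    printf("%s: %s\n", argv[1], r == 1 ? "boot signature present"
                              : r == 0 ? "no boot signature" : "read error");
    return r == 1 ? 0 : 1;
}
```
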
  • What if I want to write AFF files? Do I need to do anything special?
    AFFLIB does all of the work! Just open a file with af_open() and write to it using af_write(). You can change where you are writing with af_seek(). Just be sure to close the file with af_close() before your program exits.
  • Why is AFFLIB distributed under the 4-clause Berkeley License? Berkeley repudiated the advertising clause. Do we need to advertise AFFLIB if we bundle AFF on a distribution of Unix or Linux tools?
    We've decided to keep the advertising clause because Basis Technology, the company that funded a substantial amount of the AFFLIB development, wishes to be acknowledged in computer forensic products that use AFF. We do not consider the bundling of AFFLIB on a CDROM or online distribution of Linux utilities to meet the requirements in section 3, unless the CDROM or distribution specifically mentions AFF. If you specifically mention AFF, you do need to indicate in the copyright statement that AFF contains code that is copyright by Simson Garfinkel and Basis Technology Corp.
  • How long do you think it will be before EnCase®, ProDiscover®, FTK, and the open source tools are able to process files in this format?
    We’ve had no contact with the authors of EnCase, ProDiscover, or FTK. However, we believe that if AFF becomes popular they will modify their tools to handle the format. But even if they don't, you can use these tools NOW by mounting a filesystem with FUSE and then exporting that filesystem to a Windows box using either Samba or VMware (you run the tool inside VMware on a machine that's already running Linux with FUSE).
  • Does AFFLIB compile under Windows?
    AFFLIB compiles under Windows using either Cygwin or Microsoft Visual Studio. You can download pre-compiled versions of AFF for Windows from the website's Products and Downloads directory.
  • What open source libraries are required to compile AFF?