ACCESSDATA FTK IMAGER WIKI SOFTWARE
However, a chapter excerpted from Advances in Digital Forensics II (2005) includes a very thorough description of the format, together with some information about the AFFLIB software tool to support its use. The compiler of this format description did not find an AFF specification in the formal sense (comments welcome).
ACCESSDATA FTK IMAGER WIKI LICENSE
AFF was originally developed by Simson Garfinkel and Basis Technology, as an "open format, free from any patent or license restriction." Comments welcome.

Advanced Forensic Framework Disk Image, AFF Version 4 (AFF4). Successor format to AFF_1_0, which has a significantly different structure.

The Forensics Wiki refers to version 3.0, which appears to be associated with the third version of the AFFLIB tool (AFFLIBv3).
The Forensics Wiki refers to version 2.0, which appears to be associated with the second version of the AFFLIB tool (AFFLIBv2).
ACCESSDATA FTK IMAGER WIKI ARCHIVE
May be used to archive data.

Compression via the zlib implementation of the DEFLATE algorithm, not described at this Web site.

Compression via the Lempel–Ziv–Markov chain compression algorithm (LZMA), not described at this Web site.

Typically used for data analysis and not part of a process to create new content.

Version 1.0 of the format appears to be associated with the first version of the AFFLIB library; the most recent version of AFF (version 3.0) is implemented in the AFFLIBv3 library.

The provisions for internal self-consistency checking permit part of an image to be recovered even if other parts are corrupted or lost. Signatures are calculated on uncompressed data, thus permitting the signing of a disk image prior to compression without compromising the digital signatures. Hashes may be recorded for the entire image and for each individual data segment, stored in specially named segments. Certification features are intended to meet legal or law-enforcement evidentiary needs, but they also support preservation-related integrity checking.

The AFF data-storage layer stores segments in binary form (segments are stored sequentially in one or more files) or as XML data, larger in size but often easier to use with non-forensic tools. It is possible to store the disk image in a binary file and metadata as XML, although this introduces the risk that the two files might become separated.

AFF data pages can be compressed with the open-source zlib or they can be left uncompressed. (The Lempel–Ziv–Markov chain compression algorithm is also supported, at least in versions later than AFF 1.0.)

The format supports internal self-consistency checking, so that typical AFF tools can recover part of an image even if other parts are corrupted or lost. The format also provides for the certification of content authenticity with traditional hash functions, e.g., MD5 and SHA-1, and advanced digital signatures based on X.509(v)3 certificates.
Each AFF segment consists of a segment name, a 32-bit "flag," and a data payload. The name and the data payload can be nearly 4 GB in extent, although the format creators report that typical segment names are less than 32 bytes with data payloads of less than 16 MB. The metadata segments hold information about the disk image and data segments, called "pages," that carry the imaged disk information. Additional detail on segments is provided in the creators' published description.
Extensible format for the storage of disk images with or without compression, together with related metadata that may be stored within disk images or separately. Forensic disk images often play a role in law enforcement and legal investigations, and the embedded metadata provides facts for a chain of evidence or audit trail.

AFF files are partitioned into two layers: the disk-representation layer and the data-storage layer. The disk-representation layer defines specific segment names that are used to represent all the information for a disk image.

Description: The AccessData Custom Content Image (AD1) file format is a file-level disk image format created by AccessData's proprietary forensic software, such as FTK Imager. An AD1 image may span multiple files, with multipart files distinguished by their incrementing file extension, e.g.ad1.