Date post: 27-Dec-2015
ACQUISITION OF ADVANCED FORENSICS FORMAT BASED FORENSIC SOFTWARE

Informal Proposal

Chris Nelson


Digital who done it?


What is Advanced Forensic Format?

Advanced Forensic Format (AFF) is an open-access format designed to store disk images and their accompanying forensic metadata.

AFF is structured as an extensible, highly flexible system that supports a wide range of tools and does not lock users into one proprietary format.

AFF supports two compression algorithms. The fast and efficient zlib algorithm compresses files to roughly the same size as an equivalent EnCase file, but AFF files can be recompressed with the LZMA algorithm to anywhere from 1/2 to 1/10th the size of the original (Garfinkel, 2012). The AFFLIBv4 library is freely available for download and is distributed under a modified license that allows the use of AFF in any program, free or commercial, provided that the copyright statement is included in both the source and the binary.

The AFFLIBv4 library is integrated with open source programs such as BitCurator, Forensic Toolkit (FTK) Formats, SleuthKit, etc.


AFFLIB: strengths and weaknesses

Strengths:

AFFLIB’s support of additional file formats, e.g., EnCase and Expert Witness, permits the tools to be used for a variety of disk image formats without the need for modification or translation.

The advancement of bulk data analysis as an efficient approach to digital forensics.

Weaknesses:

Only one disk image per file.


Why Choose Advanced Forensic Format?

Ability to store disk images with or without compression.

Ability to store disk images of any size.

Ability to store metadata within disk images or separately.

Ability to store disk images encrypted and decrypt them on the fly for processing. This allows disk images containing privacy-sensitive material to be stored on the Internet.

Ability to store images in a single file of any size or split among multiple files.

Arbitrary metadata as user-defined name/value pairs.

Extensibility.

Simple design.

Multiple platform, open source implementation for use with both open-source and proprietary forensic tools.

Freedom from intellectual property restrictions.

Provisions for internal self-consistency checking, so that part of an image can be recovered even if other parts are corrupted or otherwise lost.

Advanced digital signatures based on X.509 (v3) certificates to provide for chain of custody and long-term file integrity.

Provisions for certifying the authenticity of evidence files with traditional hash functions.

Automatic calculation and storage of MD5 and SHA-1 hash codes. This allows AFF files to be automatically validated after they are copied to check for accidental corruption.


This table shows a comparison of the features of various file formats currently on the market. A format is considered to be “non-proprietary” if its specifications are publicly available. It is “extensible” if it supports the storage of arbitrary metadata. It is “seekably compressed” if it can be searched without being uncompressed in its entirety.

A bullet (•) indicates support for a feature, while a question mark (?) indicates that support for a feature is not disclosed publicly. FTK is omitted because it uses other tools’ formats (Garfinkel, Malan, Dubec, Stevens, & Pham, 2006).


AFF Segment Format

AFF is a segmented archive file specification.

Each AFF Segment contains the following information:

The Segment Header

The Segment Data Payload

The Segment Footer

The Segment Header consists of the following:

A 4-byte Segment Header Flag ("AFF\000")

The Length of the segment name (as an unsigned 4-byte value)

The Length of the segment data payload

The “argument”, a 32-bit unsigned value

The data segment name (stored as a Unicode UTF-8 string)

The Segment Footer consists of:

The 4-byte Segment Footer Flag ("ATT\000")

The length of the entire segment, as a 32-bit unsigned value

Because the segment length can be determined by reading either the Header or the Footer, the AFF library can seek forwards or backwards in the AFF file.


How it works

AFF Segments are used to store all information inside the AFF File.

This includes the image itself and image metadata.

Each AFF file consists of an AFF File Header followed by one or more AFF Segments.

Segments can be between 32 bytes and 2³²-1 bytes long. When used to store the contents of a disk image, the image is broken up into a number of equal-sized Image Segments. These image segments are then optionally compressed and stored sequentially in the AFF file.

Each AFF Segment has a header, a name, a 32-bit argument, an optional data payload, and finally a tail. The header and tail make it possible to seek rapidly through the AFF file, skipping much of the image data.

The segment size of the image file is determined when the file is converted from a RAW file to an AFF file. Once a file is converted, it can be opened using af_open() and read using af_read() and af_seek().

The AFF library automatically handles the locating, reading, and optional decompressing of each segment as needed.

Other segments can be used to hold information such as the time that the disk was imaged, a case number, the forensic examiner, and the MD5 or SHA-1 of the original unconverted image file.
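The segment layout from the "AFF Segment Format" slide and the forward/backward seeking described under "How it works", as an added example that is not part of the original proposal or of AFFLIB. It packs segments, parses them while cross-checking the header length against the footer length (the self-consistency check that lets afrecover salvage intact segments), and steps backwards through the file using only footers. Big-endian integers and the omission of the AFF File Header are assumptions; the constructed sample uses metadata names (case number, MD5) that the slides mention.

```python
import struct
# Layout from the slides: header = flag, name length, payload length, 32-bit
# argument, UTF-8 name; footer = flag, length of the entire segment.
# Big-endian integers are an assumption; the slides do not state byte order.
SEG_HEAD, SEG_TAIL = b"AFF\x00", b"ATT\x00"
HEAD_FMT, TAIL_FMT = ">4sIII", ">4sI"
HEAD_LEN, TAIL_LEN = struct.calcsize(HEAD_FMT), struct.calcsize(TAIL_FMT)  # 16, 8

def pack_segment(name: str, arg: int, data: bytes) -> bytes:
    """Serialise one segment; the footer length covers header, name, data and footer."""
    nb = name.encode("utf-8")
    total = HEAD_LEN + len(nb) + len(data) + TAIL_LEN
    head = struct.pack(HEAD_FMT, SEG_HEAD, len(nb), len(data), arg)
    return head + nb + data + struct.pack(TAIL_FMT, SEG_TAIL, total)

def read_segment(buf: bytes, off: int):
    """Parse segment at off, cross-check header vs footer; return (name, arg, data, next offset)."""
    if off + HEAD_LEN > len(buf):
        raise ValueError("truncated header at %d" % off)
    flag, nlen, dlen, arg = struct.unpack_from(HEAD_FMT, buf, off)
    if flag != SEG_HEAD:
        raise ValueError("bad header flag at %d" % off)
    p = off + HEAD_LEN + nlen + dlen  # where the footer should start
    if p + TAIL_LEN > len(buf):
        raise ValueError("truncated segment at %d" % off)
    tflag, total = struct.unpack_from(TAIL_FMT, buf, p)
    if tflag != SEG_TAIL or total != p + TAIL_LEN - off:
        raise ValueError("header/footer mismatch for segment at %d" % off)
    name = buf[off + HEAD_LEN:off + HEAD_LEN + nlen].decode("utf-8")
    return name, arg, buf[p - dlen:p], p + TAIL_LEN

def walk_forward(buf: bytes, off: int = 0):
    """List (name, arg, data) for every segment, driven by the header lengths."""
    out = []
    while off < len(buf):
        name, arg, data, off = read_segment(buf, off)
        out.append((name, arg, data))
    return out

def seek_back(buf: bytes, end: int) -> int:
    """Start offset of the segment whose footer ends at end, using only the footer."""
    tflag, total = struct.unpack_from(TAIL_FMT, buf, end - TAIL_LEN)
    if tflag != SEG_TAIL or total > end:
        raise ValueError("no valid footer ending at %d" % end)
    return end - total

def build_sample() -> bytes:
    """Constructed three-segment body (AFF file header omitted): case metadata, one page, a hash."""
    return (pack_segment("case_number", 0, b"CASE-2015-001")
            + pack_segment("page0", 4096, bytes(range(32)))
            + pack_segment("md5", 0, bytes(16)))
```

A flipped byte in a footer makes read_segment reject only that segment, so a reader can resynchronise on the next header or footer flag and keep the remaining segments.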


Accessioning Workflow:


Utility - Purpose

afconvert - converts one or more RAW files to AFF format

afcompare - compares a raw file to its AFF file

afinfo - information about an AFF file, including all the segments and their contents

afcat - copies an AFF file to a RAW file

afxml - converts an AFF image into XML

afsign - signature tool

afcrypto - encrypts or decrypts a disk image in place

affuse - allows AFF images to be “mounted” as raw files on Linux

afsegment - views or modifies an individual segment

afdiskprint - generates an XML-based “diskprint” for fast image comparison

afcopy - segment-by-segment copying

afverify - verifies signatures

afrecover - recovers data within a corrupted AFF file

The AFF segment format library and conversion routines perform a variety of tasks to optimize conversion, storage, and access as needed.


Example: “afinfo” command segment display


Glossary:

Chain of Custody - means of accountability that shows who obtained the evidence, where and when the evidence was obtained, who secured the evidence, and who had control or possession of the evidence.

Copy - an accurate reproduction of information contained in the data objects, independent of the original physical item.

Data Recovery - covers all processes to retrieve damaged, deleted, or otherwise hidden data.

Digital Evidence - information stored or transmitted in binary form that may be relied upon in court.

Original Digital - physical items and those data objects which are associated with those items at the time of seizure.

Duplicate Digital Evidence - an accurate digital reproduction of all data objects contained on the original physical item.

Imaging - making a soft copy of an entire storage medium.


References:

(2013). AFF. Forensics Wiki. http://www.forensicswiki.org/wiki/AFF

Carrier, B. (2012). Open Source Digital Forensics Tools: The Legal Argument.

Garfinkel, S. L. (2012). The Advanced Forensic Format library and tools version 3. Naval Postgraduate School. https://github.com/simsong/AFFLIBv3

Garfinkel, S. L., Malan, D. J., Dubec, K.-A., Stevens, C. C., & Pham, C. (2006). Advanced forensic format: An open, extensible format for disk imaging. In M. Olivier & S. Shenoi (Eds.), Advances in Digital Forensics II: IFIP International Conference on Digital Forensics, National Center for Forensic Science, Orlando, Florida, January 29-February 1, 2006 (pp. 17-31). New York: Springer.

John, J. L. (2008). Adapting existing technologies for digitally archiving personal lives: digital forensics, ancestral computing, and evolutionary perspectives and tools.

John, J. L. (2012). Digital forensics and preservation. DPC Technology Watch Report 12-03, November 2012.

Maertens, F. (2009). Evidence Handling in Computer Forensic cases. Institute of Forensic Auditors. http://www.slideshare.net/fmaertens/IFA-8-Maart-2007-Computer-Forensics

Matienzo, M. (2011). fiwalk with me: building emergent pre-ingest workflow for digital archival records using open source forensic software. Yale University.
