AFF4: The new standard in forensic imaging and why you should care

At this year’s Open Source Digital Forensics Conference (OSDFCon 2016) I presented an update on the AFF4 standardisation effort. For the conference we unveiled a significant milestone: support for consuming Evimetry-produced AFF4 forensic images with the Sleuth Kit.

While users of Evimetry are able to exploit the benefits afforded by AFF4 seamlessly with their regular forensic tools, we believe that native support for the format across both open source and commercial tools will accelerate forensic workflow even further.

The screenshot below demonstrates a non-linear partial physical image (containing only the allocated blocks from the target disk) being interpreted by the Sleuth Kit.

[Screenshot: Screen Shot 2016-10-24 at 3.48.55 pm]

We will be releasing patches for libaff4 (C++) and Sleuth Kit shortly.

My slides for the seminar are below.