I am pleased to announce the availability of both a set of patches to the Sleuth Kit and an open source C/C++ implementation for reading AFF4 Standard v1.0 disk images. Last week the AFF4 Standard v1.0 was released by Bradley Schatz (Evimetry) and Michael Cohen (Google) .
Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence. These are enabled through next-generation forensic image features such as storage virtualisation, arbitrary metadata, and partial, non-linear and discontiguous images. The standard is the culmination of research spanning 6 years and 4 scientifically peer reviewed papers.
The release of these is a significant step forwards to the wider adoption of the format, enabling a large portion of the open source forensic toolchain to access AFF4 forensic images, and commercial implementers the ability to support reading the format by integration of a single unencumbered library.
The patches to the SleuthKit were contributed by Schatz Forensic (Evimetry), while the C/C++ library was originally developed by Michael Cohen (Google), with AFF4 Standard v1.0 support added by Schatz Forensic.
This release follows the release last week of the AFF4 Standard v.1.0 and a Python reference implementation (reader), and the release of Evimetry Community Edition, a freely licensed subset of the AFF4-based forensic tool.
For more information on the AFF4, attend the webcast “AFF4: The New Standard in Forensic Image Format, and Why You Should Care”, given by Bradley Schatz, in association with SANS, on 17 April 2017.
Implementers and interested parties are invited to join the AFF4 working group at email@example.com .