Forensics
Announcing: Advanced Forensics Format 1.0 Sep 19 2005 12:21AM
Simson Garfinkel (simsong eecs harvard edu) (1 replies)
I have developed a new file format for storing disk images and other
forensic information. It's called the Advanced Forensic Format. Key
features of the format include:

* Open format, free from any patent or license restriction.
Can be used with both open-source and proprietary forensic tools.

* Extensible. Any amount of metadata can be encoded in AFF files in the
format of name/value pairs.

* Efficient. AFF supports both compression and seeking within
compressed files.

* Open Source C/C++ Implementation. A freely redistributable C/C++
implementation including the AFF Library and basic conversion tools
is available for download. AFFLib is being distributed under the BSD
license, allowing it to be incorporated in free and proprietary
programs without the need to pay license fees.

* Byte-order independent. AFFLib has been tested on both Intel and
PowerPC-based systems. Images created on one platform can be read on
another.

* Automatic calculation and storage of MD5 and SHA-1 hash codes,
allowing AFF files to be automatically validated after they are
copied to check for accidental corruption.

* Explicit identification of sectors that could not be read from the
original disk.

* Because images are stored with a compression system that is not
understood by today's anti-virus systems, a virus in the file
doesn't trigger the anti-virus software.

I have successfully used the AFF image conversion program to convert
my 172 gigabyte corpus of disk images so that it now fits in 44
gigabytes. My forensic data extraction programs can extract
information from these compressed images faster than from the
original raw files, because the overhead for decompressing the images
is actually less than the time required to read the raw files. (CPUs
are faster than disks, at least in my case.)

I am in the process of writing a new, clean, disk imaging program
that combines the best features of programs such as dd_rescue,
dcfldd, and a few other programs. The initial version of the program
should be available within a few weeks.

The AFF library can be downloaded from:

http://www.simson.net/afflib/

It compiles on FreeBSD and Linux.

More information about AFFLIB will follow.

=====================================
Simson Garfinkel, Ph.D.
Center for Research on Computation and Society
Harvard University
simsong (at) eecs.harvard (dot) edu
http://www.simson.net/
617-876-6111

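As an added illustration, not AFFLib's code and not the real AFF on-disk layout, here is a constructed Python model of the features listed in the announcement: name/value segments, independently compressed fixed-size pages so a reader can seek without inflating the whole image, explicit flags for pages that could not be read, and MD5/SHA-1 digests for validating a copy. The page size, segment names and sample data are assumptions.

```python
import hashlib
import zlib

PAGE_SIZE = 4096  # constructed page size; the post does not state AFF's real page size


def build_image(raw, bad_pages=(), metadata=None):
    """Pack a raw image into named segments: name/value metadata, one zlib-compressed
    segment per fixed-size page, a flag segment per unreadable page, and MD5/SHA-1
    of the image as stored (unreadable pages are stored zero-filled but flagged)."""
    seg = {name: value.encode() for name, value in (metadata or {}).items()}
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for n, off in enumerate(range(0, len(raw), PAGE_SIZE)):
        page = raw[off:off + PAGE_SIZE]
        if n in bad_pages:                      # sectors the imager could not read
            seg[f"badflag{n}"] = b"1"           # recorded explicitly, never silently
            page = bytes(len(page))
        md5.update(page)
        sha1.update(page)
        seg[f"page{n}"] = zlib.compress(page)   # each page compresses independently
    seg["imagesize"] = str(len(raw)).encode()
    seg["md5"] = md5.hexdigest().encode()
    seg["sha1"] = sha1.hexdigest().encode()
    return seg


def read_at(seg, offset, length):
    """Random access: decompress only the pages that cover [offset, offset+length)."""
    out = bytearray()
    while len(out) < length:
        n, skip = divmod(offset + len(out), PAGE_SIZE)
        page = zlib.decompress(seg[f"page{n}"])
        out += page[skip:skip + length - len(out)]
    return bytes(out)


def page_is_bad(seg, offset):
    """True if the page holding this byte offset was flagged unreadable."""
    return f"badflag{offset // PAGE_SIZE}" in seg


def verify(seg):
    """Re-hash the stored pages and compare with the recorded digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    npages = (int(seg["imagesize"]) + PAGE_SIZE - 1) // PAGE_SIZE
    for n in range(npages):
        page = zlib.decompress(seg[f"page{n}"])
        md5.update(page)
        sha1.update(page)
    return (md5.hexdigest().encode() == seg["md5"]
            and sha1.hexdigest().encode() == seg["sha1"])
```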
Re: Announcing: Advanced Forensics Format 1.0 Sep 19 2005 01:58PM
Thorbjørn Ellefsen (thorbjorn protectit as)
Copyright 2010, SecurityFocus