NOTE: AFFLIB is currently maintained at sshock/AFFLIBv3.		     
		     
		     
		     The Advanced Forensic Format
			  Library and Tools
			      Version 3

			 Simson L. Garfinkel
		      Naval Postgraduate School
				 2012


The Advanced Forensic Format (AFF) is on-disk format for storing
computer forensic information. Critical features of AFF include:

  - AFF allows you to store both computer forensic data and associated
    metadata in one or more files. 

  - AFF allows files to be digital singed, to provide for
    chain-of-custody and long-term file integrity.

  - AFF allows for forensic disk images to stored encrypted and
    decrypted on-the-fly for processing. This allows disk images
    containing privacy sensitive material to be stored on the Internet.

  - AFF is an open format unencumbered by copyright or patent
    protection. The AFFLIB library that implements AFF is available
    for use in both Open Source and proprietary tools.

AFF Library and Toolkit is a set of programs for working with computer
forensic information. Using these tools you can:

 * Interconvert disk images between a variety of formats, including:

   - raw or "dd" 
   - splitraw (in which a single image is split between mulitple files)
   - EnCase or "E01" format
   - AFF format (in which the entire disk image is stored in a single file.)
   - AFD format (in which a disk image is stored in mulitple AFF files
     stored in a single directory.)
   - AFM format (in which an AFF file is used to annotate a raw file.)

 * Compare disk images and report the data or metadata that is different. 

 * Copy disk images from one location to another, with full
   verification of data, metadata, and the automatic generation of a
   chain-of-custody segment.

 * Find errors in an AFF file and fix them.

 * Print information about a file.

 * Print detailed statistics about a file

 * Generate an XML representation of a disk image's metadata (for
   example, acquisition time or the serial number of the acquisition
   device.)

 * Produce an XML "diskprint" which allows a disk image to be rapidly
   fingerprinted without having the computer the SHA1 of the entire
   disk.

AFFLIBv3 implements version 3 of the AFF format. This version is
currently in maintenance mode while work on AFFv4 continues. Key
differences between AFFv3 and AFFv4 include:

 * Whereas AFFv3 uses a purpose-built container file format, AFFv4 is
   based on ZIP64.

 * Whereas AFFv3 is licensed with a four-part Berkeley license, AFFv4
   is licensed an approved Open Source license.



AFFLIB and Toolkit is provided in source code form for Linux, MacOS
and Windows. We have also created a Windows zipfile that contains:

 * precompiled versions of the AFFLIB tools and all of the libraries
   necessary to run them.

 * bulk_extractor.jar - A Java port of our system that automatically
   extracts email addresses, dates, and other information from a file
   and produces a histogram of the contents.


The AFF library can be downloaded from https://github.com/simsong/AFFLIBv3

====
AFFLIB with SleuthKit:

TSK officially supports a subset of the image formats that AFFLIB
supports.  To use the other image formats, specify the image type as
"afflib".  For example:


# fls -o 63 -i afflib foo.vmdk



================
Note: AFF and AFFLIB are trademarks of Simson L. Garfinkel and Basis
Technology, Inc. 


# Local Variables:
# mode: auto-fill
# mode: flyspell
# End: