AFF is an open and extensible file format to store disk images and associated metadata.


		The Advanced Forensic Format
			Library and Tools
			Version 3

	2005-2006 Basis Technology, Inc.
	2005-2013 Simson L. Garfinkel
	2014-2017 Phillip Hellewell

The Advanced Forensic Format (AFF) is an on-disk format for storing
computer forensic information. Critical features of AFF include:

  - AFF allows you to store both computer forensic data and associated
    metadata in one or more files. 

  - AFF allows files to be digitally signed, to provide for
    chain-of-custody and long-term file integrity.

  - AFF allows for forensic disk images to be stored encrypted and
    decrypted on-the-fly for processing. This allows disk images
    containing privacy-sensitive material to be stored on the Internet.

  - AFF is an open format unencumbered by copyright or patent
    protection. The AFFLIB library that implements AFF is available
    for use in both Open Source and proprietary tools.

AFF Library and Toolkit is a set of programs for working with computer
forensic information. Using these tools you can:

 * Interconvert disk images between a variety of formats, including:

   - raw or "dd" 
   - splitraw (in which a single image is split between multiple files)
   - AFF format (in which the entire disk image is stored in a single file.)
   - AFD format (in which a disk image is stored in multiple AFF files
     stored in a single directory.)
   - AFM format (in which an AFF file is used to annotate a raw file.)

 * Compare disk images and report the data or metadata that is different. 

 * Copy disk images from one location to another, with full
   verification of data, metadata, and the automatic generation of a
   chain-of-custody segment.

 * Find errors in an AFF file and fix them.

 * Print information about a file.

 * Print detailed statistics about a file.

 * Generate an XML representation of a disk image's metadata (for
   example, acquisition time or the serial number of the acquisition

 * Produce an XML "diskprint" which allows a disk image to be rapidly
   fingerprinted without having to compute the SHA1 of the entire

AFFLIBv3 implements version 3 of the AFF format. This version is
currently in maintenance mode while work on AFFv4 continues. Key
differences between AFFv3 and AFFv4 include:

 * Whereas AFFv3 uses a purpose-built container file format, AFFv4 is
   based on ZIP64.

 * Whereas AFFv3 is licensed with a four-part Berkeley license, AFFv4
   is licensed under an approved Open Source license.

AFFLIB and Toolkit is provided in source code form for Linux, MacOS
and Windows. We have also created a Windows zipfile that contains:

 * precompiled versions of the AFFLIB tools and all of the libraries
   necessary to run them.

 * bulk_extractor.jar - A Java port of our system that automatically
   extracts email addresses, dates, and other information from a file
   and produces a histogram of the contents.

The AFF library can be downloaded from

AFFLIB with SleuthKit:

TSK officially supports a subset of the image formats that AFFLIB
supports.  To use the other image formats, specify the image type as
"afflib".  For example:

# fls -o 63 -i afflib foo.vmdk

Note: AFF and AFFLIB are trademarks of Simson L. Garfinkel and Basis
Technology, Inc. 

# Local Variables:
# mode: auto-fill
# mode: flyspell
# End: