Category: Open Source Forensics
We recently contributed patches to the Sleuth Kit to read AFF4 images. While we are waiting for those to be pulled into the main distribution, the following recipe should suffice for compiling a stand-alone copy on macOS. Dependencies: the following dependencies are needed to compile libAFF4 on OS X. I use MacPorts, and the corresponding packages I needed to install are: ossp-uuid, zlib, snappy, raptor2, google-glog, pcrexx, tclap (missing *.
Sleuth Kit support for the AFF4 Standard v1.0 Released
I am pleased to announce the availability of both a set of patches to the Sleuth Kit and an open source C/C++ implementation for reading AFF4 Standard v1.0 disk images. Last week the AFF4 Standard v1.0 was released by Bradley Schatz (Evimetry) and Michael Cohen (Google). Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence.
AFF4 Standard v1.0 Released
Today marks the release of the Advanced Forensic Format 4 (AFF4) Standard v1.0. Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container enables new approaches to forensics, unparalleled forensic acquisition speeds and more accurate representation of evidence. These are enabled through next-generation forensic image features such as storage virtualisation, arbitrary metadata, and partial, non-linear and discontiguous images. The standard is the culmination of research spanning 8 years and 4 scientifically peer reviewed papers.
AFF4: The new standard in forensic imaging and why you should care
At this year's Open Source Digital Forensics Conference (OSDFCon 2016) I presented an update on the AFF4 standardisation effort. For the conference we unveiled a significant milestone: support for consuming Evimetry produced AFF4 forensic images with the Sleuth Kit. While users of Evimetry are able to exploit the benefits afforded by AFF4 seamlessly with their regular forensic tools, we believe that native support for the format across both opensource and commercial tools will accelerate forensic workflow even further.
libewf Java bindings released
As a part of the AFF4 work I have been involved in, I recently created a set of Java bindings for libewf. If you want read access to the block content or metadata of EnCase-compatible forensic images from the Java programming language, then this is for you. They are currently tested on the Windows platform (x86). UNIX and x64 support should be trivial. They are now included in the libewf repository as libewf-java.
Mounting EWFs on Windows with freely available tools
Harlan recently posted a small reference to mounting EWFs on Windows machines using freely available utilities. David Loveall has produced a script called proxy_ewf.py which does the heavy lifting of mounting EWFs via imdisk. It is not straightforward to get working, so I have copied the instructions originally provided by David Loveall and further expanded on them below. Extract the Windows mount_ewf files into a directory. I used the current mount_ewf_windows-20091123.
New tool – CERT/CMU Live View
I am in Lafayette, Indiana this week at DFRWS 2006. A gent from CERT was present and demonstrating an excellent tool called "Live View" which, from first impressions, appears to be a p2v GUI that automates running dd images in VMware. It appears that its features go far beyond what dd2vmdk does in some respects: you point it at an image, upon which it: * generates a VMware vmdk