Title: Introduction to the use of AFF
Subject: Advanced Forensic Format
Author: Jean-François Beckers
Date: 08 Dec 2005
Version: 1.0
Translation:
Licence: Creative Commons

Introduction to the use of AFF

www.afflib.org

Introduction :

The Advanced Forensic Format (AFF) is an extensible open format for the storage of disk images. It provides built-in features such as compression, hash code verification and meta-data management. The AFFLib provides tools dedicated to AFF, such as:
- aimage : creation of AFF images
- afcat : generate a DD image from an AFF one
- afcompare : verify an AFF image against its derived DD image
- afinfo : validation of an AFF image's hash codes (md5, sha1)
The AFFLib is developed by Mr. Simson L. Garfinkel. For recent releases and more detailed information, refer to www.afflib.org.

Goal of this article :

Introduce and describe the use of the AFFLib tools in computer forensic work. After this article, you should be able to use and understand the AFF tools in your job. This includes the creation of an AFF image of a device, the verification/validation of an AFF image, and the conversion of an AFF image.

Get and install AFFLib

On the afflib.org website, under "source code", you will find the latest version of afflib (currently 1.2.7). When the download of the file is complete, run :
# tar xvfz afflib-1.2.7.tar.gz
This extracts all files from the archive. To generate the binaries, you normally just need "make" :
# make
g++ -g -Wall -I/usr/local/ssl/include -DUNIX -c -o aimage.o aimage.cpp...
g++ -g -Wall -I/usr/local/ssl/include -DUNIX -c -o afxml.o afxml.cpp
g++ -g -Wall -I/usr/local/ssl/include -DUNIX -c -o base64.o base64.cpp
g++ -g -Wall -I/usr/local/ssl/include -DUNIX -o afxml afxml.o base64.o afflib.o

Create a config file (aimage) :

This creates a configuration file from which aimage reads the questions it asks.
# aimage -make_config=my.conf
my.conf created
This command creates a sample config file "my.conf" containing :
# Sample config file for aimage...
# Syntax: ask
ask name Your Name:
ask date_acquired Date this drive was acquired (yyyy-mm-dd):
ask case_number Case Number:
# Feel free to add your own!

Create a AFF image of a device using a config file (aimage) :

This command creates a forensic copy of the external media "/dev/sda" into the file "usbdrive_copy.aff". The option "--config=my.conf" tells aimage to ask for the configured information and to add it into the generated AFF image. This is helpful in the investigation process to correctly identify the analysed drives and to confirm the full process.
# ./aimage --config=my.conf --outfile=usb_drive_1gb.aff /dev/sda
Your Name:BECKERS
Date this drive was acquired (yyyy-mm-dd):2005-12-07
Case Number:Test_afflib_1.2.7
aimage now displays the progress of the copy.
IMAGING Wed Dec 7 14:11:49 2005
Source device: /dev/sda
AFF Output: usb_drive_1gb.aff
Model #:
Sector size: 1024 bytes
Total sectors:1,000,944
[=====>----------------------------------------------------------------------]

Currently reading sector: 48,640 (512 sectors at once)
Sectors read: 49,152 ( 4.91%) # blank: 0
Time spent reading: 00:00:06 Estimated total time left: 00:04:52
Total bytes read: 50,331,648
Total bytes written: 49,807,360
Compressed bytes written: 24,983,914 >>> COMPRESSING <<<
Time spent compressing: 00:00:07
Overall compression ratio: 25.54% (0% is none; 100% is perfect)
When the copy is finished, "aimage" displays a short report with the MD5 and SHA1 hash codes and the compression rate.
Input: /dev/sda
AFF Output file: usb_drive_1gb.aff
Total bytes read: 1,024,966,656
Compressed bytes written: 197,784,704
Overall compression ratio: 80.7%
raw image md5: ea cc 8b a1 43 51 50 14 5b 29 84 5f ee d0 d7 f5
raw image sha1: 4b 8b e2 b7 26 0c 20 c1 33 a9 fb 9e 49 92 1c d6 78 45 19 15
We now have a forensic copy of the thumb drive. The next release of The Sleuth Kit will support AFF, so it will be possible to use the produced file directly.

Convert the AFF to DD (afcat) :

# afcat usbdrive_copy.aff > usbdrive_copy.dd
I think this is not the best way to do it, but at the time I write this article, it's the only way it works on my system. This command creates "usbdrive_copy.dd", extracting the original content of the thumb drive from "usbdrive_copy.aff".

Verify a AFF image's integrity (afinfo) :

# afinfo -v usbdrive_copy.aff
"afinfo" with the "-v" option verifies the image integrity based on the hash codes. If the hash codes stored in the AFF image match the newly generated ones, the following report is shown :
Validating hash codes...
md5: 62 09 cd d6 06 e0 ef 11 9b 48 d6 8d cd 49 d5 3c MATCH
sha1: 23 11 2b d6 f5 4a 9a 72 1e 6d d5 e6 b2 03 63 16 50 f0 09 38 MATCH
AFF file is 14447519 bytes. Actual compression ratio with overhead: 98.6%

Validate a AFF and a derivate DD (afcompare) :

# afcompare usbdrive_copy.aff usbdrive_copy.dd
comparing usbdrive_copy.aff and usbdrive_copy.dd...
1024458752 out of 1024966656 bytes compared (99.95%) 17.59 MBytes/sec 0:00

Read 1024966656 bytes. Files match!
"afcompare" verifies the integrity of both images and reports whether they are the same according to the hash codes.

Verify a DD hash code (md5sum/sha1sum) :

GNU/Linux systems include these utilities, so it's very easy to verify a DD image after a copy using "md5sum" and "sha1sum".
# md5sum usbdrive_copy.dd
6209cdd606e0ef119b48d68dcd49d53c usbdrive_copy.dd
# sha1sum usbdrive_copy.dd
23112bd6f54a9a721e6dd5e6b203631650f00938 usbdrive_copy.dd
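As an added example (not part of afflib or of this article), the following POSIX shell script normalizes the spaced-byte digests that "afinfo -v" prints into the compact form printed by md5sum/sha1sum and cross-checks the two; the function names are the script's own and the sample input is constructed from the hash values shown above.

```shell
#!/bin/sh
# Cross-check "afinfo -v" digests against md5sum/sha1sum digests of the DD image.

# stdin: afinfo output. Prints "<algo> <compact lowercase hex>" per md5/sha1 line.
# Only two-character hex tokens are kept, which drops the "md5:" prefix and the
# trailing MATCH/MISMATCH word.
afinfo_digests() {
    while IFS= read -r line; do
        case $line in md5:*|sha1:*) ;; *) continue ;; esac
        hex=
        for tok in ${line#*:}; do
            case $tok in [0-9a-fA-F][0-9a-fA-F]) hex="$hex$tok" ;; esac
        done
        printf '%s %s\n' "${line%%:*}" "$(printf '%s' "$hex" | tr 'A-F' 'a-f')"
    done
}

# stdin: md5sum/sha1sum output ("<hex>  <file>"). The algorithm is inferred
# from the digest length: 32 hex characters is md5, 40 is sha1.
sum_digests() {
    while read -r hex _file; do
        case ${#hex} in 32) echo "md5 $hex" ;; 40) echo "sha1 $hex" ;; esac
    done
}

# cross_check AFINFO_TEXT SUMS_TEXT: prints one verdict per algorithm and
# returns 0 only if md5 and sha1 are both present on both sides and equal.
cross_check() {
    af=$(printf '%s\n' "$1" | afinfo_digests)
    sums=$(printf '%s\n' "$2" | sum_digests)
    bad=0
    for algo in md5 sha1; do
        a=$(printf '%s\n' "$af" | awk -v a="$algo" '$1 == a { print $2 }')
        s=$(printf '%s\n' "$sums" | awk -v a="$algo" '$1 == a { print $2 }')
        if [ -n "$a" ] && [ "$a" = "$s" ]; then
            echo "$algo: $a MATCH"
        else
            echo "$algo: afinfo '$a' vs checksum '$s' MISMATCH"; bad=1
        fi
    done
    return $bad
}

# Constructed sample input, taken from the hash values shown earlier on this page.
AFINFO_SAMPLE='md5: 62 09 cd d6 06 e0 ef 11 9b 48 d6 8d cd 49 d5 3c MATCH
sha1: 23 11 2b d6 f5 4a 9a 72 1e 6d d5 e6 b2 03 63 16 50 f0 09 38 MATCH'
SUMS_SAMPLE='6209cdd606e0ef119b48d68dcd49d53c  usbdrive_copy.dd
23112bd6f54a9a721e6dd5e6b203631650f00938  usbdrive_copy.dd'
cross_check "$AFINFO_SAMPLE" "$SUMS_SAMPLE"
```

On a real case, feed it live output instead of the samples: cross_check "$(afinfo -v image.aff)" "$(md5sum image.dd; sha1sum image.dd)".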
The verification done, the copy process is safe and the image's integrity is verified. We are now able to :
- create an AFF file
- convert the AFF image to a DD one
- verify an AFF image's integrity
- verify the generated DD image's hash codes

More information :

More explicit and descriptive articles are available on www.afflib.org :
The Advanced Forensic Format 1.0
Disk Imaging with the Advanced Forensic Format Library and Tools

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.