The Evimetry Filesystem Bridge: Making Your AFF4 Forensic Images Available

What is AFF4?

Advanced Forensic File format 4 (AFF4) is an open-source file format used for storing digital evidence. M.I Cohen, Simson Garfinkel, and Bradley Schatz first published the format design in "Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information, and forensic workflow."¹ AFF4 is gaining popularity thanks to the speed at which it can acquire digital evidence. This increased popularity has caused many forensic analytic tools to create compatibility with the format in recent years.

Why use AFF4?

Forensic data acquisition has traditionally been slow due to I/O limitations. For time-critical investigations, triage or live acquisitions may be the only option.

Originally the interconnect was the slow point - a USB2 limited the I/O to 45 MB/s. The introduction of USB3 raised this limit to 500 MB/s, in combination with SSD. File system types can also increase latency, but using the exFAT system can increase I/O speed to 300 MB/s. So, modern hardware should be able to perform a physical acquisition at 300 MB/s, but the deflate function of forensic acquisition limits this speed to ~70 MB/s.

AFF4 solves this problem by changing the compression protocol to increase throughput to 1GB/s. Using AFF4 reduces the time required to perform a physical acquisition and allows analysts to provide outcomes faster.²

What tools natively use AFF4?

There are a lot of tools that use AFF4, for example, Evimety, X-Ways Forensics, Sleuthkit, Rekall Forensics, Vound Software - Intella, and W4, BlackBag Macquistion, and Blacklight.³

What if my preferred tool doesn't use AFF4?

While many commercial forensic tools are adding AFF4 capability, there are still some out there that cannot read the AFF4 format. The Evimetry Filesystem Bridge can be used to load an AFF4 file and present it as a .dd file to any tool, including custom tools. Cybrary's course, The Evimetry Filesystem Bridge: Making Your AFF4 Forensic Images Available, demonstrates clearly and concisely how to do this.

Overview of The Evimetry Filesystem Bridge: Making Your AFF4 Forensic Images Available

In this course, Brian Dykstra gives a quick and simple demonstration of how the Evimetry Filesystem Bridge can be used to load AFF4 files. The two modules demonstrate how and when the Filesystem Bridge should be used and provide commentary on the general digital forensic and evidence handling process.

This course only covers how to use the Evimetry Filesystem Bridge to convert the AFF4 format for non-compatible tools. For those just starting their DFIR journey, Cybrary's Everyday Digital Forensics course is a great starting point for learning the basics of acquisition.

Modules covered in The Evimetry Filesystem Bridge: Making Your AFF4 Forensic Images Available

In module 1, Dykstra presents a refresher on digital forensics and evidence handling. For a comprehensive course on evidence handling concepts, try Cybrary's Evidence Handling: Do it the Right Way.

The rest of module 1 introduces:

• The Evimetry Filesystem Bridge
• How the Evimetry Filesystem Bridge operates
• How and where to install the Evimetry Filesystem Bridge

Module 2 gives a brief overview of the AFF4 and compatible forensic tools. After this, Dykstra demonstrates how to use the Evimetry Filesystem Bridge to view the AFF4 image using FTK, which is not compatible with AFF4.

Final thoughts

The Evimetry Filesystem Bridge: Making Your AFF4 Forensic Images Available is an excellent course for those new to using AFF4. The course is clear to follow for beginners and advanced practitioners and provides a core skill for using AFF4. AFF4 is a faster acquisition format; digital forensic practitioners should seize chances to use it to reduce latency in investigations.

References

1. http://www2.aff4.org/index.html
2. https://evimetry.com/assets/docs/Advanced%20A&A%20AFF4-PUBLIC.pdf
3. https://app.cybrary.it/browse/course/handling-bitlocker-and-filevault-2-evimetry-and-mount-image-pro