Elsevier

Digital Investigation

Volume 6, Supplement, September 2009, Pages S57-S68

Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow

https://doi.org/10.1016/j.diin.2009.06.010
Under a Creative Commons license
open access

Abstract

Forensic analysis requires the acquisition and management of many different types of evidence, including individual disk drives, RAID sets, network packets, memory images, and extracted files. Often the same evidence is reviewed by several different tools or examiners in different locations. We propose a backwards-compatible redesign of the Advanced Forensic Format—an open, extensible file format for storing and sharing evidence, arbitrary case-related information and analysis results among different tools. The new specification, termed AFF4, is designed to be simple to implement and is built upon the well-supported ZIP file format specification. Furthermore, the AFF4 implementation has downward compatibility with existing AFF files.

Keywords

Digital forensics
Image
Hard disk Imaging
Digital Evidence Management
Distributed Storage
Distributed Forensic Analysis
Forensic File Format
Evidence Archiving
Cryptography
Forensic Integrity

Michael Cohen is a data specialist for the Australian Federal Police in Brisbane, Australia. Michael received his Ph.D. from the Australian National University in 2001 in the field of Semiconductor Physics, but has been working in the field of Digital Forensics and Information Security since. His research interests include digital forensics, network forensics and programming, especially in Python.

Simson L. Garfinkel is an Associate Professor at the Naval Postgraduate School in Monterey, California, and an associate of the School of Engineering and Applied Sciences at Harvard University. His research interests include computer forensics, the emerging field of usability and security, personal information management, privacy, information policy and terrorism. This article does not necessarily represent the view of the US Government or the US Department of Defense.

Bradley Schatz is an adjunct Associate Professor at the Queensland University of Technology (QUT) and the director of computer forensics firm, Schatz Forensic. Dr. Schatz divides his time between providing forensic services primarily to the legal sector and researching and educating in the area of computer forensics. His research focus is in the areas of volatile memory, evidence scalability, and information integration. Bradley received a bachelor's degree in Computer Science from the University of Queensland in 1995 and a Ph.D. in Computer Forensics from QUT in 2007. His early years in computing were spent practicing software engineering and network security.