|Full name||Advanced Forensic Format, version 1.0|
Extensible format for the storage of disk images with or without compression, together with related metadata that may be stored within disk images or separately. Forensic disk images often play a role in law enforcement and legal investigations, and the embedded metadata provides facts for a chain of evidence or audit trail.
AFF files are partitioned into two layers: the disk-representation layer and the data-storage layer. The disk-representation layer defines specific segment names that are used to represent all the information for a disk image. Each AFF segment consists of a segment name, a 32-bit "flag," and a data payload. The name and the data payload can be nearly 4 GB in extent, although the format creators report that typical segment names are less than 32 bytes with data payloads of less than 16 MB. Metadata segments hold information about the disk image; data segments, called "pages," carry the imaged disk information. Additional detail on segments is provided in the creators' published description.
The AFF data-storage layer stores segments in binary form (segments are stored sequentially in one or more files) or as XML data, larger in size but often easier to use with non-forensic tools. It is possible to store the disk image in a binary file and metadata as XML, although this introduces the risk that the two files might become separated.
AFF data pages can be compressed with the open-source zlib or they can be left uncompressed. (The Lempel–Ziv–Markov chain compression algorithm [LZMA] is also supported, at least in versions later than AFF 1.0.)
The format supports internal self-consistency checking, so that typical AFF tools can recover part of an image even if other parts are corrupted or otherwise lost. The format also provides for the certification of content authenticity with traditional hash functions, e.g., MD5 and SHA-1, and advanced digital signatures based on X.509 v3 certificates. Certification features are intended to meet legal or law-enforcement evidentiary needs, but they also support preservation-related integrity checking. Hashes may be recorded for the entire image and for each individual data segment, stored in specially named segments. Signatures are calculated on uncompressed data, thus permitting the signing of a disk image prior to compression without compromising the digital signatures.
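An added illustration of the per-page hashing described above (not AFFLIB code and not from the format's creators): a simplified in-memory segment store in Python, where the segment names, the compression flag bit and the page size are assumptions made for the sketch. It shows that a SHA-1 taken over uncompressed page data is identical whether the page is stored with zlib or not, and that a damaged page is rejected while the other pages are still recovered.

```python
import hashlib
import zlib

FLAG_COMPRESSED = 0x1  # assumed flag bit for this sketch, not from the AFF description
PAGE_SIZE = 1024       # assumed small page size so the sample stays tiny

def make_segments(image, compress):
    """Split an image into page segments plus one hash segment per page.
    Each segment is name -> (32-bit flag, payload); names are illustrative."""
    segments = {}
    for n, off in enumerate(range(0, len(image), PAGE_SIZE)):
        raw = image[off:off + PAGE_SIZE]
        # The hash covers the uncompressed page, so it does not depend on storage.
        segments[f"page{n}_sha1"] = (0, hashlib.sha1(raw).digest())
        if compress:
            segments[f"page{n}"] = (FLAG_COMPRESSED, zlib.compress(raw))
        else:
            segments[f"page{n}"] = (0, raw)
    return segments

def verify_pages(segments):
    """Return {page name: bytes, or None if the page fails its check}."""
    result = {}
    for name, (flag, payload) in segments.items():
        if name.endswith("_sha1"):
            continue
        try:
            raw = zlib.decompress(payload) if flag & FLAG_COMPRESSED else payload
        except zlib.error:
            result[name] = None      # damaged compressed stream
            continue
        stored = segments.get(name + "_sha1")
        ok = stored is not None and hashlib.sha1(raw).digest() == stored[1]
        result[name] = raw if ok else None
    return result

def damage(segments, name):
    """Flip the last payload byte of one segment, simulating corruption."""
    flag, payload = segments[name]
    segments[name] = (flag, payload[:-1] + bytes([payload[-1] ^ 0xFF]))

# Constructed sample "disk image": 4 KiB of patterned bytes, i.e. four pages.
SAMPLE_IMAGE = bytes(range(256)) * 16

if __name__ == "__main__":
    for compress in (False, True):
        store = make_segments(SAMPLE_IMAGE, compress)
        damage(store, "page2")
        pages = verify_pages(store)
        print(compress, {k: (v is not None) for k, v in pages.items()})
```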
|Production phase||Typically used for data analysis and not part of a process to create new content. May be used to archive data.|
|Relationship to other formats|
|May contain||Compression via the zlib implementation of the DEFLATE algorithm, not described at this Web site.|
|May contain||Compression via the Lempel–Ziv–Markov chain compression algorithm (LZMA), not described at this Web site.|
|Has later version||The Forensics Wiki refers to version 2.0, which appears to be associated with the second version of the AFFLIB tool (AFFLIBv2). Comments welcome|
|Has later version||The Forensics Wiki refers to version 3.0, which appears to be associated with the third version of the AFFLIB tool (AFFLIBv3). Comments welcome|
|Other||AFF4, Advanced Forensic Framework Disk Image, AFF Version 4 (AFF4). Successor format to AFF_1_0, which has a significantly different structure.|
|LC experience or existing holdings|
|Disclosure||AFF was originally developed by Simson Garfinkel and Basis Technology, as an "open format, free from any patent or license restriction."|
|Documentation||The compiler of this format description did not find an AFF specification in the formal sense (Comments welcome). However, a chapter excerpted from Advances in Digital Forensics II (2005) includes a very thorough description of the format, together with some information about the AFFLIB software tool to support its use.|
|Adoption||Some adoption by law enforcement and legal investigators. Some adoption in archives, supported by the inclusion of AFF capabilities in the popular BitCurator and FTK Imager tools.|
|Licensing and patents||No license on the format. Regarding the AFFLIB application, its implementation is distributed under a license that allows code to be freely integrated into other open-source and proprietary programs. For a 2009 statement related to this, see the harvested page at the Internet Archive.|
|Transparency||Transparent wrapper; content within wrapper may require algorithms and tools to read, and/or require sophistication to build tools.|
|Self-documentation||Arbitrary metadata is formatted as user-defined name/value pairs. The compiler of this page did not find a core set of required metadata to embed; this may be determined by the tools selected to work with AFF files. Comments welcome|
|External dependencies||None identified.|
|Technical protection considerations||
The developers state that AFF allows for forensic disk images to be stored encrypted and decrypted on-the-fly for processing. Comments welcome
||From the File Extension Source. See Notes for comment on additional filename extensions in later versions.|
|Magic numbers||Hex: 41 46 46
|From the File Extension Source.|
|General||Regarding overall structure and filename conventions in version 3 of AFF, the Forensics Wiki reports as follows: "The original AFF format is a single file that contains segments with drive data and metadata. Its contents can be compressed, but it can be quite large as the data on modern hard disks often reach 100GB in size. AFFv3 supported three file extensions -- AFF, AFD and AFM -- and provided a tool to easily convert between the variations. For ease of transfer, large AFF files can be broken into multiple AFD format files. The smaller AFD files can be readily moved around a FAT32 file system which limits files to 2GB or stored on DVDs, which have similar size restrictions. The AFM format stores the metadata in an AFF file, and the disk data in a separate raw file. This format allows analysis tools that support the raw format to access the data, but without losing the metadata."|
AFF was originally developed by Simson Garfinkel and Basis Technology. From the Forensics wiki: "AFF was created [circa 2005-06] to be an open and extensible file format to store disk images and associated metadata. The goal was to create a disk imaging format that would not lock users into a proprietary format that may limit how he or she may analyze it. An open standard enables investigators to quickly and efficiently use their preferred tools to solve crimes, gather intelligence, and resolve security incidents. The format was implemented in AFFLIB which was distributed with an open source license. After AFFLIB was published, Joachim Metz published libewf, an open source implementation of the EnCase Expert Witness format. Later, Guidance Software modified its format to allow single disk volumes larger than 4GiB. Together these two changes significantly decreased the need for AFF and AFFLIB."
The GitHub site for the AFFLIBv3 tool includes a ReadMe file about the creation and maintenance of the software library which is suggestive of the likely sequence for file format development: 2005-2006 Basis Technology, Inc.; 2005-2013 Simson L. Garfinkel; and 2014 Phillip Hellewell (sshock).