AFF4 (Advanced Forensic File Format, version 4) is a container format for storing digital evidence, designed to speed up the digital forensics and incident response workflow, and it is being promoted as the new standard in forensic imaging. It is already used by Evimetry, by Rekall's pmem memory acquisition suite and by GRR Rapid Response.
I recommend that you check out the Evimetry Community Edition.
Evimetry Community Edition is a specially licensed subset of the Evimetry system, provided free of charge to stimulate adoption of the AFF4 forensic format. With Evimetry Community Edition, you can create AFF4 images from local devices on Windows systems, access AFF4 images from your existing forensic toolset using the Filesystem Bridge or virtual disk, and convert from AFF4 to existing image formats such as EWF and RAW.
Let's install the dependencies and compile libAFF4 on our Mac so we can work with AFF4 images now, before AFF4 support lands in the mainline releases of The Sleuth Kit (TSK) and Volatility.
1. Dependencies (to compile libAFF4 on macOS)
We can easily install all needed packages with Homebrew:
brew install ossp-uuid
brew install zlib
brew install snappy
brew install raptor
brew install glog
brew install pcre++
brew install tclap
brew install uriparser
2. Clone and compile libAFF4
cd /opt/
git clone https://github.com/google/aff4
cd aff4/
git submodule update --init third_party/gtest
cd third_party/gtest
git reset --hard
cd ../..
./autogen.sh
./configure CC=clang CXX=clang++ CXXFLAGS="-std=c++11 -stdlib=libc++ -O2 -g0 -I/opt/local/include" LDFLAGS="-stdlib=libc++ -L/opt/local/lib"
make
sudo make install
Note that /opt/local is the MacPorts prefix. If your dependencies came from Homebrew (step 1) rather than MacPorts, point the include and library paths at Homebrew's prefix instead ($(brew --prefix)/include and $(brew --prefix)/lib); keg-only formulae such as zlib are not linked there, so add their own prefix (for example $(brew --prefix zlib)/include) if configure cannot find a library.
3. Clone and compile The Sleuth Kit (forked from sleuthkit/sleuthkit)
cd /opt/
git clone https://github.com/blschatz/sleuthkit.git
cd sleuthkit/
git checkout release-4.4
autoreconf --force --install --verbose
./configure
make
sudo make install
Check that AFF4 now appears among the image format types TSK supports:
fls -i list
4. Clone Volatility (forked from volatilityfoundation/volatility)
Volatility 2.x is a Python 2 code base, so pip and python below must be the Python 2 ones. The last command confirms that the AFF4 address space is registered (grep should return a match).
sudo -H pip install pyyaml
sudo -H pip install pyaff4
cd /opt/
mkdir blschatz
cd blschatz/
git clone https://github.com/blschatz/volatility.git
cd volatility/
python vol.py --info | grep AFF4
Creating a memory snapshot with WinPMEM as a snappy-compressed AFF4 image, with output and errors logged to files (run from an elevated command prompt, since WinPmem has to load its driver):
winpmem-2.1.post4.exe -o %COMPUTERNAME%.aff4 -t -c snappy > winpmem.log 2> error.log
Viewing the AFF4 metadata of the image:
winpmem-2.1.post4.exe -V %COMPUTERNAME%.aff4 > AFF4-metadata.txt
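The metadata that -V prints lives inside the container itself, which is a ZIP archive holding a container.description member (the volume URN) and an information.turtle member (RDF metadata in Turtle). The Python script below is an added example, not code from this page, from libaff4 or from pyaff4: it reads those two members directly with the standard library, lists the image streams with their size, compression method and recorded hash, and flags images that cannot be verified (no hash, or a stream stored in a different volume). The sample container it builds is constructed, with a made-up UUID, size and hash; the Turtle reader only handles the one-predicate-per-line layout libaff4 writes and is not a general RDF parser.

```python
"""Sanity-check the metadata inside an AFF4 container without pyaff4.
Added example, not code from this page, libaff4 or pyaff4.  An AFF4 container is
a ZIP archive; we read container.description (volume URN, aff4://<uuid>) and
information.turtle (RDF metadata in Turtle).  The sample container built below
is constructed: its UUID, size and hash are made up."""
import io, re, zipfile

PREFIXES = {"aff4": "http://aff4.org/Schema#",
            "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#"}
AFF4, RDF_TYPE = PREFIXES["aff4"], PREFIXES["rdf"] + "type"
# Compression-method URIs libaff4 writes for -c snappy / zlib / none.
COMPRESSION = {"https://github.com/google/snappy": "snappy",
               "https://www.ietf.org/rfc/rfc1950.txt": "zlib",
               "http://aff4.org/Schema#compression/stored": "stored"}

def expand(token):
    """<uri> or prefix:local -> full URI; anything else passes through."""
    if token.startswith("<") and token.endswith(">"):
        return token[1:-1]
    prefix, sep, local = token.partition(":")
    return PREFIXES[prefix] + local if sep and prefix in PREFIXES else token

def parse_object(obj):
    """Turtle object -> (value, datatype): literal, bare integer or URI."""
    m = re.fullmatch(r'"(.*)"(?:\^\^(\S+))?', obj)
    if m:
        return m.group(1), (expand(m.group(2)) if m.group(2) else None)
    if re.fullmatch(r"-?\d+", obj):
        return int(obj), "integer"
    return expand(obj), "uri"

def parse_turtle(text):
    """Minimal reader for the Turtle layout libaff4 emits (one subject per block,
    one 'predicate object ;' per line, '.' on the last); not a general RDF parser.
    Returns {subject: {predicate: [(value, dtype), ...]}}."""
    graph, subject = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("@prefix"):
            continue
        if line.startswith("<") and line.endswith(">"):      # new subject block
            subject = line[1:-1]
            graph.setdefault(subject, {})
            continue
        m = re.fullmatch(r"(\S+)\s+(.+?)\s*[;.]", line)
        if not m or subject is None:
            raise ValueError(f"unexpected Turtle line: {raw!r}")
        pred = RDF_TYPE if m.group(1) == "a" else expand(m.group(1))
        graph[subject].setdefault(pred, []).append(parse_object(m.group(2)))
    return graph

def inspect_container(data):
    """Open an AFF4 container given as bytes; report volume URN and image streams."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in ("container.description", "information.turtle"):
            if member not in zf.namelist():
                raise ValueError(f"not an AFF4 container: missing {member}")
        volume = zf.read("container.description").decode().strip()
        graph = parse_turtle(zf.read("information.turtle").decode())
    streams = []
    for subject, props in graph.items():
        if (AFF4 + "ImageStream", "uri") not in props.get(RDF_TYPE, []):
            continue
        # first value of an aff4: predicate on this stream, or None if absent
        first = lambda name: (props.get(AFF4 + name) or [(None, None)])[0][0]
        streams.append({
            "urn": subject, "stored": first("stored"), "size": first("size"),
            "compression": COMPRESSION.get(first("compressionMethod"), "unknown"),
            # hash literals are typed aff4:MD5, aff4:SHA1, ... -> {"MD5": hex}
            "hashes": {dt.rsplit("#", 1)[-1]: val
                       for val, dt in props.get(AFF4 + "hash", []) if dt}})
    return {"volume": volume, "streams": streams}

def check_image(summary):
    """Findings to clear before trusting an image: each stream must live in this
    volume and carry a hash the data can be verified against."""
    findings = [] if summary["streams"] else ["no aff4:ImageStream found"]
    for s in summary["streams"]:
        if s["stored"] != summary["volume"]:
            findings.append(f"{s['urn']}: stored in another volume ({s['stored']})")
        if not s["hashes"]:
            findings.append(f"{s['urn']}: no aff4:hash recorded")
    return findings

def build_sample_container(with_hash=True):
    """Constructed sample mimicking a snappy-compressed WinPmem memory image."""
    volume = "aff4://11111111-2222-3333-4444-555555555555"
    turtle = ("@prefix aff4: <http://aff4.org/Schema#> .\n"
              "@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .\n\n"
              f"<{volume}/PhysicalMemory>\n"
              "    aff4:compressionMethod <https://github.com/google/snappy> ;\n"
              + ('    aff4:hash "d41d8cd98f00b204e9800998ecf8427e"^^aff4:MD5 ;\n'
                 if with_hash else "")
              + "    aff4:size 4294967296 ;\n"
              f"    aff4:stored <{volume}> ;\n"
              "    a aff4:ImageStream .\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("container.description", volume)
        zf.writestr("information.turtle", turtle)
    return buf.getvalue()
```

To use it on a real image, pass the file contents to inspect_container (for example open(path, "rb").read()) and print check_image on the result; an empty findings list means every stream is stored in this volume and has a recorded hash you can verify the data against.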
Now you have everything you need to start playing with AFF4. Happy Imaging!
Sources and further reading:
- Evimetry Community Edition
- Compiling Sleuth Kit with AFF4 support on MacOS
- AFF4 - The Advanced Forensics File Format
- AFF4: The new standard in forensic imaging and why you should care
- Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging