Adding AFF4 support to The Sleuth Kit and Volatility (macOS)

AFF4 (Advanced Forensics File Format v4.0) is the new standard in forensic imaging, a new container format for storing digital evidence which accelerates the digital forensic and incident response workflow. It is already used in Evimetry, Rekall (PMEM Memory Acquisition Suite) and GRR Rapid Response.

I recommend that you check out the Evimetry Community Edition.

Evimetry Community Edition is a specially licensed subset of the Evimetry system, provided free of charge to stimulate adoption of the AFF4 forensic format. With Evimetry Community Edition, you can create AFF4 images from local devices on Windows systems, access AFF4 images from your existing forensic toolset using the Filesystem Bridge or virtual disk, and convert from AFF4 to existing image formats such as EWF and RAW.

Dr. Bradley Schatz (Schatz Forensic) announced the availability of a set of patches to The Sleuth Kit (TSK) and Volatility for reading AFF4 Standard v1.0 disk images and memory dumps some weeks ago.

Let’s install the dependencies and compile libAFF4 on our Mac so we can work with the Advanced Forensics File Format (AFF4) now, before the patches are merged into the main distributions of TSK and Volatility.

1. Dependencies (to compile libAFF4 on macOS)
ossp-uuid
zlib
snappy
raptor
glog
pcre++
tclap
uriparser

We can easily install all needed packages with Homebrew:

 brew install ossp-uuid
 brew install zlib
 brew install snappy
 brew install raptor
 brew install glog
 brew install pcre++
 brew install tclap
 brew install uriparser


2. Clone and compile libAFF4

 cd /opt/
 git clone https://github.com/google/aff4
 cd aff4/
 git submodule update --init third_party/gtest
 cd third_party/gtest
 git reset --hard
 cd ../..
 ./autogen.sh
 ./configure CC=clang CXX=clang++ CXXFLAGS="-std=c++11 -stdlib=libc++ -O2 -g0 -I/opt/local/include" LDFLAGS="-stdlib=libc++ -L/opt/local/lib"
 make
 sudo make install

Note: /opt/local is the MacPorts prefix, not Homebrew’s. If you installed the dependencies with Homebrew as above, point the flags at the Homebrew prefix instead, i.e. -I$(brew --prefix)/include and -L$(brew --prefix)/lib; zlib is keg-only in Homebrew, so add $(brew --prefix zlib)/include and $(brew --prefix zlib)/lib as well if configure cannot find it.


3. Clone and compile The Sleuth Kit (forked from sleuthkit/sleuthkit)

 cd /opt/
 git clone https://github.com/blschatz/sleuthkit.git
 cd sleuthkit/
 git checkout release-4.4
 autoreconf --force --install --verbose
 ./configure
 make
 sudo make install

Check that AFF4 now appears among the image format types TSK supports:

fls -i list

aff4imager, built and installed together with libAFF4 above, is the command line tool for managing AFF4 image volumes and acquiring forensic images:

aff4imager -h


4. Clone Volatility (forked from volatilityfoundation/volatility)

Volatility 2.x runs under Python 2, so install the two Python dependencies with the pip that belongs to the interpreter you will run vol.py with:

sudo -H pip install pyyaml
sudo -H pip install pyaff4
cd /opt/
mkdir blschatz
cd blschatz/
git clone https://github.com/blschatz/volatility.git
cd volatility/
python vol.py --info | grep AFF4

The AFF4 address space should be listed in the output:

AFF4AddressSpace

On the Windows machine, acquire memory straight into an AFF4 volume with WinPMEM (it loads a kernel driver, so run it from an elevated command prompt):

# Creating Memory Snapshot w/ WinPMEM (AFF4)
winpmem-2.1.post4.exe -o %COMPUTERNAME%.aff4 -t -c snappy > winpmem.log 2> error.log

# View AFF4 metadata
winpmem-2.1.post4.exe -V %COMPUTERNAME%.aff4 > AFF4-metadata.txt
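The metadata that -V prints is stored in the container itself, so it can be checked without libAFF4, pyaff4 or WinPMEM on the analysis box. The script below is an added example, not code from the original post or from any of those projects. It relies on the container layout defined by the AFF4 Standard (the volume is a Zip file, container.description holds the volume URN, information.turtle holds the RDF metadata in Turtle) and ships with a constructed sample volume whose UUID, sizes and stream name are made up; the Turtle reader handles only the flat subject/predicate-object layout shown in that sample, not the full Turtle grammar.

```python
"""
Added example (not from the original post, libAFF4, pyaff4 or WinPMEM): read
the metadata of an AFF4 Standard v1.0 container with only the standard library.
Layout assumed, per the standard: a Zip volume with 'container.description'
(volume URN) and 'information.turtle' (RDF metadata in Turtle).
"""
import io
import re
import zipfile

AFF4_NS = "http://aff4.org/Schema#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
_PREFIX_RE = re.compile(r"^@prefix\s+(\w*):\s+<([^>]+)>\s*\.$")


def _expand(token, prefixes):
    """Expand one Turtle term: 'a', <iri>, prefix:name, "literal"^^type or a bare value."""
    if token == "a":
        return RDF_TYPE
    if token.startswith("<") and token.endswith(">"):
        return token[1:-1]
    if token.startswith('"'):
        return token.split('"')[1]            # drop quotes and any ^^datatype suffix
    prefix, sep, name = token.partition(":")
    if sep and prefix in prefixes:
        return prefixes[prefix] + name
    return token                               # bare integer or unknown term


def parse_turtle(text):
    """Return {subject_iri: {predicate_iri: [object, ...]}} for flat Turtle."""
    prefixes, graph, subject = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PREFIX_RE.match(line)
        if m:
            prefixes[m.group(1)] = m.group(2)
            continue
        if line.startswith("<"):               # new subject, maybe followed by a predicate
            end = line.index(">")
            subject = line[1:end]
            graph.setdefault(subject, {})
            line = line[end + 1:].strip()
        parts = line.rstrip(" ;.").split(None, 1)   # 'pred obj' with the ; or . terminator removed
        if len(parts) != 2 or subject is None:
            continue
        pred, obj = (_expand(t, prefixes) for t in parts)
        graph[subject].setdefault(pred, []).append(obj)
    return graph


def read_aff4_metadata(source):
    """Open an AFF4 container (path or bytes) and return (volume_urn, graph)."""
    src = io.BytesIO(source) if isinstance(source, bytes) else source
    with zipfile.ZipFile(src) as zf:
        volume_urn = zf.read("container.description").decode("utf-8").strip()
        graph = parse_turtle(zf.read("information.turtle").decode("utf-8"))
    return volume_urn, graph


def image_streams(graph):
    """Summarise every aff4:ImageStream: size, chunk size, compression and owning volume."""
    def first(props, name, default=None):
        return props.get(AFF4_NS + name, [default])[0]

    streams = {}
    for subject, props in graph.items():
        if AFF4_NS + "ImageStream" in props.get(RDF_TYPE, []):
            streams[subject] = {
                "size": int(first(props, "size", "0")),
                "chunk_size": int(first(props, "chunkSize", "0")),
                "compression": first(props, "compressionMethod"),
                "stored": first(props, "stored"),
            }
    return streams


def check_container(source):
    """Sanity checks worth running before handing an image to TSK or Volatility."""
    volume_urn, graph = read_aff4_metadata(source)
    streams = image_streams(graph)
    findings = []
    if not streams:
        findings.append("no aff4:ImageStream in information.turtle")
    for urn, info in streams.items():
        if info["stored"] != volume_urn:   # stream claims a volume other than the one it sits in
            findings.append("%s says aff4:stored %s, but container.description is %s"
                            % (urn, info["stored"], volume_urn))
        if info["size"] == 0:
            findings.append("%s has zero aff4:size" % urn)
    return findings


# Constructed sample (UUID, stream name and sizes are made up): the metadata of a
# one-stream memory image, without the bevy segments that hold the actual data.
SAMPLE_VOLUME_URN = "aff4://0b5ea3f8-4ba9-4c4d-9d2c-3f2c2a6a1d11"
SAMPLE_TURTLE = """\
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix aff4: <http://aff4.org/Schema#> .

<aff4://0b5ea3f8-4ba9-4c4d-9d2c-3f2c2a6a1d11/PhysicalMemory>
    aff4:chunkSize 32768 ;
    aff4:chunksInSegment 1024 ;
    aff4:compressionMethod <https://code.google.com/p/snappy/> ;
    aff4:size 8589934592 ;
    aff4:stored <aff4://0b5ea3f8-4ba9-4c4d-9d2c-3f2c2a6a1d11> ;
    a aff4:ImageStream .

<aff4://0b5ea3f8-4ba9-4c4d-9d2c-3f2c2a6a1d11>
    a aff4:ZipVolume .
"""


def build_sample_container(volume_urn=SAMPLE_VOLUME_URN):
    """Build the constructed sample volume in memory; a wrong volume_urn simulates tampering."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("container.description", volume_urn)
        zf.writestr("information.turtle", SAMPLE_TURTLE)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_container()
    urn, graph = read_aff4_metadata(target)
    print("volume:", urn)
    for stream, info in image_streams(graph).items():
        print(stream, info)
    for finding in check_container(target):
        print("WARNING:", finding)
```

Run it with the path to a real .aff4 file as the only argument to dump the volume URN and each image stream’s size, chunking and compression; with no argument it runs against the constructed sample. The aff4:stored check is the one worth keeping: it flags a container whose description and stream metadata disagree, which is exactly the mismatch a tool opening by volume URN will trip over.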

Now you have everything you need to start playing with AFF4. Happy Imaging!

Links:
Evimetry Community Edition
Compiling Sleuth Kit with AFF4 support on MacOS
AFF4 - The Advanced Forensics File Format
AFF4: The new standard in forensic imaging and why you should care
Accelerating forensic and incident response workflow: the case for a new standard in forensic imaging