
AFFLib

Advanced Forensics Format Library provides utilities for handling AFF disk images with metadata, digital signatures, and encryption. It enables conversion, comparison, verification, and manipulation of forensic disk images across various formats.

Description

The Advanced Forensic Format (AFF) is an on-disk format for storing computer forensic data and associated metadata in one or more files. Key features include digital signing for chain-of-custody and integrity, on-the-fly encryption/decryption for privacy-sensitive material, and support for multiple image formats like raw/dd, splitraw, AFF, AFD, and AFM. The AFF Toolkit offers programs to interconvert disk images, compare them, copy with verification, fix errors, and generate metadata reports.

Use cases include forensic investigations requiring secure storage and transport of disk images, especially over the internet. Tools support chain-of-custody documentation, rapid fingerprinting via XML diskprints, and handling of large images split across files or directories. It integrates with Amazon S3 for cloud storage and FUSE for mounting AFF containers as filesystems.

The package afflib-tools provides executables like affcat, affcompare, affconvert, and others for practical workflows in digital forensics.

How It Works

AFF stores forensic data with metadata segments, supporting digital signatures for integrity and chain-of-custody. Images can be encrypted/decrypted on-the-fly using passphrases or public-key cryptography. Tools read/write AFF structures, verifying MACs, hashes (MD5/SHA1/SHA256), and signatures. Formats include single-file AFF, multi-file AFD directories, and annotated raw (AFM). FUSE integration allows mounting as virtual filesystems; S3 support enables cloud operations with MD5 validation.
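To make the "metadata segments" and "hash verification" points concrete, here is an added example (not AFFLib code, and not from the kali.org page) that builds a tiny AFF-style container in memory, walks its segment chain, reassembles the data pages and checks them against the stored md5/sha256 segments. The segment framing used here (an `AFF10\r\n\0` file magic, per-segment `AFF\0` head with big-endian name length, data length and arg fields, and an `ATT\0` tail carrying the segment length) is my reading of the afflib header structures and should be treated as an assumption; the segment names `pageN`, `md5` and `sha256` follow AFF's naming convention, and the sample image and its pages are constructed inline. The example also shows what a practitioner actually wants from such a check: a tampered page, even one edited in place so the framing stays valid, fails verification.

```python
"""Minimal AFF-style container parser with whole-image hash verification.

Added example, not part of AFFLib. The segment layout below is an assumption
based on afflib's published header structures; confirm against the library
before relying on the exact field order.
"""
import hashlib
import struct

AFF_FILE_MAGIC = b"AFF10\r\n\x00"  # assumed file header
SEG_HEAD = b"AFF\x00"              # assumed per-segment head marker
SEG_TAIL = b"ATT\x00"              # assumed per-segment tail marker
HEAD_FMT = ">III"                  # name_len, data_len, arg (big-endian uint32)
TAIL_FMT = ">I"                    # total segment length, head and tail included


def build_segment(name: str, data: bytes, arg: int = 0) -> bytes:
    """Frame one segment: head + name + data + tail."""
    name_b = name.encode()
    body = SEG_HEAD + struct.pack(HEAD_FMT, len(name_b), len(data), arg) + name_b + data
    return body + SEG_TAIL + struct.pack(TAIL_FMT, len(body) + 8)


def build_image(pages: list[bytes]) -> bytes:
    """Constructed sample: uncompressed pages plus md5/sha256 digests of the whole image."""
    image = b"".join(pages)
    segs = [build_segment(f"page{i}", p, arg=0) for i, p in enumerate(pages)]
    segs.append(build_segment("md5", hashlib.md5(image).digest()))
    segs.append(build_segment("sha256", hashlib.sha256(image).digest()))
    return AFF_FILE_MAGIC + b"".join(segs)


def parse_aff(blob: bytes) -> dict[str, tuple[int, bytes]]:
    """Walk the segment chain, validating every frame; return name -> (arg, data)."""
    if not blob.startswith(AFF_FILE_MAGIC):
        raise ValueError("not an AFF10 container")
    segs: dict[str, tuple[int, bytes]] = {}
    off = len(AFF_FILE_MAGIC)
    while off < len(blob):
        if blob[off:off + 4] != SEG_HEAD:
            raise ValueError(f"bad segment head at offset {off}")
        name_len, data_len, arg = struct.unpack(HEAD_FMT, blob[off + 4:off + 16])
        name_start = off + 16
        data_start = name_start + name_len
        tail_start = data_start + data_len
        if tail_start + 8 > len(blob):
            raise ValueError(f"segment at offset {off} runs past end of file")
        if blob[tail_start:tail_start + 4] != SEG_TAIL:
            raise ValueError(f"bad segment tail at offset {tail_start}")
        (seg_len,) = struct.unpack(TAIL_FMT, blob[tail_start + 4:tail_start + 8])
        if seg_len != tail_start + 8 - off:
            raise ValueError(f"tail length mismatch at offset {off}")
        name = blob[name_start:data_start].decode()
        if name in segs:
            raise ValueError(f"duplicate segment {name!r}")
        segs[name] = (arg, blob[data_start:tail_start])
        off = tail_start + 8
    return segs


def reassemble_pages(segs: dict[str, tuple[int, bytes]]) -> bytes:
    """Concatenate page0, page1, ... in numeric order; only uncompressed pages (arg == 0)."""
    pages = []
    for name, (arg, data) in segs.items():
        if name.startswith("page") and name[4:].isdigit():
            if arg != 0:
                raise ValueError(f"{name}: compressed or flagged pages not handled here")
            pages.append((int(name[4:]), data))
    pages.sort()
    if [n for n, _ in pages] != list(range(len(pages))):
        raise ValueError("page numbers are not contiguous; image is incomplete")
    return b"".join(d for _, d in pages)


def verify_hashes(blob: bytes) -> dict[str, bool]:
    """Compare each stored digest segment with a digest of the reassembled image."""
    segs = parse_aff(blob)
    image = reassemble_pages(segs)
    results = {}
    for algo in ("md5", "sha1", "sha256"):
        if algo in segs:
            results[algo] = hashlib.new(algo, image).digest() == segs[algo][1]
    return results


# Constructed two-page sample image (512-byte pages).
SAMPLE = build_image([b"\x00" * 512, b"MBR-ish sample sector".ljust(512, b"\xff")])

if __name__ == "__main__":
    print("intact:  ", verify_hashes(SAMPLE))
    # Same-length edit inside page1, so the framing still parses but the digests no longer match.
    tampered = SAMPLE.replace(b"MBR-ish", b"MBR-XX ")
    print("tampered:", verify_hashes(tampered))
```

Note what this check does and does not establish: a matching digest shows the pages were not altered after the digest segment was written, but anyone able to rewrite the pages can also rewrite the `md5`/`sha256` segments. That is why AFF adds signature segments on top of the hashes, and why `affverify` (see the examples below) checks signatures rather than only digests.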

Installation

```bash
sudo apt install afflib-tools
```

Flags

-s name        Just output segment name (affcat)
-p ###         Just output data page number (affcat)
-r dir1 dir2   Recursively compare directories dir1 and dir2 (affcompare)
-v             Verbose output (multiple tools)
-x             Don't verify hashes on reads (affcopy)
-e             Encrypt unencrypted non-signature segments (affcrypto)
-a             Print ALL segments (affinfo)
-y             Actually modify files (affix)

Examples

Display help for affcat, which outputs the contents of an image file to stdout:
    affcat -h

Compare file1.aff with file2.aff:
    affcompare file1.aff file2.aff

Compare file.aff and file.img, printing differing sectors:
    affcompare -b img file.aff

Encrypt file.aff to file-encrypted.aff using a passphrase:
    affcopy file.aff file://:mypassword@/file-encrypted.aff

Copy all .aff files to S3 with verbose output and X9 compression:
    affcopy -vy -X9 *.aff s3:///

Print all segments of an AFF file:
    affinfo -a infile

Mount an AFF image at mount_point using FUSE:
    affuse af_image mount_point

Verify digital signatures on filename.aff:
    affverify filename.aff
Updated 2026-04-16 (source: kali.org)