AFF Package


AFF Package – The Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata.

AFF was created to be an open and extensible file format to store disk images and associated metadata. The goal was to create a disk imaging format that would not lock users into a proprietary format that may limit how he or she may analyze it. An open standard enables investigators to quickly and efficiently use their preferred tools to solve crimes, gather intelligence, and resolve security incidents. The format was implemented in AFFLIB which was distributed with an open source license.

The original AFF format is a single file that contains segments with drive data and metadata. Its contents can be compressed, but it can be quite large as the data on modern hard disks often reach 100GB in size. AFFv3 supported three file extensions –– AFF, AFD and AFM –– and provided a tool to easily convert between the variations.

For ease of transfer, large AFF files can be broken into multiple AFD format files. The smaller AFD files can be readily moved around a FAT32 file system which limits files to 2GB or stored on DVDs, which have similar size restrictions. The AFM format stores the metadata in an AFF file, and the disk data in a separate raw file. This format allows analysis tools that support the raw format to access the data, but without losing the metadata.

Compression and Encryption

AFF Package – AFF supports two compression algorithms: zlib, which is fast and reasonably efficient, and LZMA, which is slower but dramatically more efficient. zlib is the same compression algorithm used by EnCase. As a result, AFF files compressed with zlib are roughly the same size as the equivalent EnCase file. AFF files can be recompressed using the LZMA algorithm. These files are anywhere from 1/2 to 1/10th the size of the original AFF/EnCase file.

AFF Package – AFF2.0 supports encryption of disk images. Unlike the password implemented by EnCase, encrypted images cannot be accessed without the necessary encryption key. FTK Imager/FTK added support for this encryption in version 3.0 and are able to create and access AFF encrypted images.

Tools : 



affcat [options] infile [... more infiles]


  -s name --- Just output segment name AFF Package
    -p ###  --- just output data page number ###
    -S ###  --- Just output data sector ### (assumes 512-byte sectors). Sector #0 is first
    -q      --- quiet; don't print to STDERR if a page is skipped
    -n      --- noisy; tell when pages are skipped.
    -l      --- List all of the segment names AFF Package
    -L      --- List segment names, lengths, and args
    -d      --- debug. Print the page numbers to stderr as data goes to stdout
    -b      --- Output BADFALG for bad blocks (default is NULLs)
    -v      --- Just print the version number and exit. AFF Package
    -r offset:count --- seek to offset and output count characters in each file; may be repeated


cyborg@cyborg:~$ affcat -L file_000.aff 
badflag	arg:0	len:512
badsectors	arg:2	len:8
afflib_version	arg:0	len:8
aff_file_type	arg:0	len:3
pagesize	arg:16777216	len:0
sectorsize	arg:0	len:3
page0	arg:1	len:1251341
page1	arg:1	len:15533350
page2	arg:1	len:16773997
page3	arg:1	len:16770196


affcompare [options] file1 file2
       compares file1 with file2

or     affcompare [options] -r dir1 dir2
       comparses similarly-named files in dir1 and dir2

or     affcompare [options] -s file1 file2...
       Reports if file was successfully copied to Amazon S3
       checking only for existence, not reading back the bytes.
       (Because all writes to S3 are validated by the MD5 of the object
       NOTE: S3 support is not provided in this version


fast options:
(These compare segments but not their contents.)
       -p        --- report about the results of preening AFF Package
       -e        --- Just report about existence (use with -r)
       -s        --- Just see if all of the segments are present, but don't
                     validate the contents. (Primarily for use with Amazon S3)
other options:
       -V        --- just print the version number and exit  AFF Package
       -v        --- Verbose; each file as it is compared.
       -q        --- Quiet. No output except for errors
       -a        --- print what's the same (all)
       -b        --- print the numbers of differing sectors
       -c        --- print the contents of differing sectors
       -m        --- Just report about the data (ignore metadata)
       -P ###    --- Just examine the differences on page ### AFF Package
       -q        --- Quiet; no output except for errors. AFF Package

Options documented above:
       -r dir1 dir2 --- recursively compare what's in dir1 with dir2, and
                       report what's in dir1 that's not in dir2
       -s        --- Check to see if named files are on Amazon S3

Example :

Different File.aff present in Dir1 and Dir2

cyborg@cyborg:~$ sudo affcompare   -r dir1 dir2
  Metadata segments  in both files:

    < aff_file_type arg=0 len=3
    > aff_file_type arg=0 len=3
        *** Metadata segment are different 

    < sectorsize arg=0 len=3
    > sectorsize arg=512 len=0
        *** Metadata segment are different 

  Pages only in dir1/file.aff:

  Pages only in dir2/file.aff:

Only in dir1


affconvert [options] file1 [... files]


General options:
      -q       -- Quiet mode. Don't ask questions, don't print status. AFF Package

AFF output options:
      -a ext   -- use 'ext' for aff files (default is aff)
                  (use .afd for AFD files)
      -Mn[kgm] -- set maximum size of output file. Suffix with g, m or k.
      -sn      -- set the image_pagesize (default 16777216) AFF Package
      -x       -- don't compress AFF file.
      -O dir   -- use 'dir' as the output directory
      -o file  -- output to 'file' (can only convert one at a time)
                  File is AFF is file ends .aff; otherwise assumes raw.
      -Xn      -- Set compression to n; default is 7
      -L       -- Use the LZMA compression algorithm (better but slower)

Raw output options:
      -r       -- force raw output.  AFF Package
      -e ext   -- use 'ext' for the raw files (default raw)
                  (implies -r) AFF Package

Dangerous input options:
      -z       -- zap; delete the output file if it already exists.
      -Z       -- Do not automatically probe for gzip/bzip2 compression.
      -y       -- Always answer yes/no questions 'yes.'
      -V = Just print the version number and exit. AFF Package


cyborg@cyborg:~$ affconvert -r -e iso file.aff 
convert file.aff --> file.iso
Converting page 186 of 186
bytes converted: 1560281088 
Conversion finished.


afcopy [options] file1 file
                    Copies file1 to file2
       afcopy [options] file1 file2 file3 ... dir
                    Copies file1.. into dir
       afcopy [options] file1 file2 file3 ... dir1 dir2...
                    Copies file1.. into dirs1, dir2, ...


   -v = verbose: print each file as it is copied
   -vv = very verbose: print each segment as it is copied AFF Package
   -d = print debugging information as well
   -x = don't verify hashes on reads
   -y = don't verify writes
   -Xn = recompress pages (preen) with zlib level n
   -L  = recompress pages (preen) with LZMA (smaller but slower)

   -h = help; print this message.
   -V = print the program version and exit. AFF Package
   -z = zap; copy even if the destination exists. AFF Package
   -m = just copy the missing segments AFF Package

Signature Options:
   -k filename.key   = specify private key for signing AFF Package
   -c filename.cer   = specify a X.509 certificate that matches the private key
                       (by default, the file is assumed to be the same one
                       provided with the -k option.)   -n  = read notes to accompany the copy from standard in.


cyborg@cyborg:~$ affcopy -vv file.aff file2.aff
 => file2.aff 
  badflag -> file2.aff:badflag ...
  badsectors -> file2.aff:badsectors ...
  afflib_version -> file2.aff:afflib_version ...
  aff_file_type -> file2.aff:aff_file_type ...
  pagesize -> file2.aff:pagesize ...
  sectorsize -> file2.aff:sectorsize ...
  page94 -> file2.aff:page94 ...
  page95 -> file2.aff:page95 ...
  page96 -> file2.aff:page96 ...


 afcrypto [options] filename.aff [filename2.aff ... ]
   prints if each file is encrypted or not.


    -x      --- output in XML AFF Package
    -j      --- Just print the number of encrypted segments
    -J      --- Just print the number of unencrypted segments

Data conversion options:
    -e      --- encrypt the unencrypted non-signature segments
    -d      --- decrypt the encrypted non-signature segments
    -r      --- change passphrase (take old and new from stdin)
    -O old  --- specify old passphrase
    -N new  --- specify new passphrase
    -K mykey.key  -- specifies a private keyfile for unsealing (may not be repeated) 
    -C mycert.crt -- specifies a certificate file for sealing (may be repeated)
    -S      --- add symmetric encryptiong (passphrase) to AFFILE encrypted with public key
                    (requires a private key and a specified passphrase). 
    -A      --- add asymmetric encryption to a AFFILE encrypted with a passphrase
                    (requires a certificate file spcified with the -C option

Password Cracking Options:
    -p passphrase --- checks to see if passphrase is the passphrase of the file
                exit code is 0 if it is, -1 if it is not AFF Package
    -k      --- attempt to crack passwords by reading a list of passwords from ~/.affpassphrase
    -f file --- Crack passwords but read them from file. AFF Package

    -V      --- Just print the version number and exit. AFF Package
    -D      --- debug; print out each key as it is tried AFF Package
    -l      --- List the installed hash and encryption algorithms AFF Package


cyborg@cyborg:~$ affcrypto -e -N pass1 file.aff 
file.aff:   102 segments;     0 signed;   101 encrypted;     0 pages;     0 encrypted pages
cyborg@cyborg:~$ affcrypto -r file.aff 
Enter old passphrase: pass1
Enter new passphrase: pass2
file.aff: passphrase changed.
file.aff:   109 segments;     0 signed;   101 encrypted;     0 pages;     0 encrypted pages


afdiskprint [options] infile


   -x XML     =   Verify the diskprint AFF Package
   -V         =   Just print the version number and exit.
   -h         =   Print this help. AFF Package


cyborg@cyborg:~$ affdiskprint  file.aff 
<?xml version='1.0' encoding='UTF-8'?>
<!-- XML generated by afdiskprint version 3.6.15 -->
<diskprint image_filename='file.aff'>


afinfo [options] infile


 -a = print ALL segments (normally data segments are suppressed)
   -b = print how many bad blocks in each segment (implies -a)
   -i = identify the files, don't do info on them.
   -w = wide output; print more than 1 line if necessary.
   -s segment =   Just print information about 'segment'.
                    (may be repeated)
   -m = validate MD5 hash of entire image
   -S = validate SHA1 hash of entire image
   -v = validate the hash of each page (if present)
   -y = don't print segments of lengths 16 and 20 as hex)
   -p<passphrase> = Specify <passphrase> to decrypt file
   -l = Just print the segment names and exit AFF Package
   -V = Just print the version number and exit. AFF Package

Preview Options:
   -X = no data preview; just print the segment names
   -x = print binary values in hex (default is ASCII) 

   -d = debug
   -A = if infile is a device, print the number of sectors
        and sector size to stdout in XML. Otherwise error


cyborg@cyborg:~$ affinfo -a file.aff 
file.aff is a AFF file
file.aff: has encrypted segments

Segment                       arg      length    data
=======                 =========    ========    ====
badsectors/aes256               2         24   }....K..qC2....6z.......
afflib_version/aes256           0         24   ....pM.z.....}..z.......
aff_file_type/aes256            0         19   .o...a...&;..ue.z..
pagesize/aes256          16777216          0   
sectorsize/aes256             512          0   
page95/aes256                   0   16777216   ..t...Dp.h...O...H....a6u.Z..]{.
page96/aes256                   0   16777216   .bcx.p..^p.....1=.....,.ZyhvH.aJ
page97/aes256                   0   16777216   [email protected]+/.fPp...`..
page98/aes256                   0   16777216   j6;......iYT.......w.a.....}W.$$
page99/aes256                   0   16777216   /f.X.K4.d]@.WK>..2.n~....0.M.P P
page100/aes256                  1   16776697   ..h....O!X.S2....T........Q....G


afsign [options] filename.aff


Signature Options:
   -k filename.key   = specify private key for signing
   -c filename.cer   = specify a X.509 certificate that matches the private key
                       (by default, the file is assumed to be the same one
                       provided with the -k option.)
   -Z                = ZAP (remove) all signature segments.
    -n      --- ask for a chain-of-custody note.
    -v      --- Just print the version number and exit. AFF Package


cyborg@cyborg:~$ affsign -k private.key file.aff 
Signing segments...


afstats [options] infile(s)


 -m = print all output in megabytes
      -v = Just print the version number and exit. AFF Package


cyborg@cyborg:~$ affstats -m file.aff 
Name	AF_IMAGESIZE	Compressed	Uncompressed	Blank	Bad
file.aff	15283	1487	1504 0 0


affuse [<FUSE library options>] af_image mount_point


    -d   -o debug          enable debug output (implies -f)
    -f                     foreground operation
    -s                     disable multi-threaded operation

    -o allow_other         allow access to other users
    -o allow_root          allow access to root
    -o auto_unmount        auto unmount on process termination
    -o nonempty            allow mounts over non-empty file/dir
    -o default_permissions enable permission checking by kernel
    -o fsname=NAME         set filesystem name
    -o subtype=NAME        set filesystem type
    -o large_read          issue large read requests (2.4 only)
    -o max_read=N          set maximum size of read requests

    -o hard_remove         immediate removal (don't hide files)
    -o use_ino             let filesystem set inode numbers
    -o readdir_ino         try to fill in d_ino in readdir
    -o direct_io           use direct I/O
    -o kernel_cache        cache files in kernel
    -o [no]auto_cache      enable caching based on modification times (off)
    -o umask=M             set file permissions (octal)
    -o uid=N               set file owner
    -o gid=N               set file group
    -o entry_timeout=T     cache timeout for names (1.0s)
    -o negative_timeout=T  cache timeout for deleted names (0.0s)
    -o attr_timeout=T      cache timeout for attributes (1.0s)
    -o ac_attr_timeout=T   auto cache timeout for attributes (attr_timeout)
    -o noforget            never forget cached inodes
    -o remember=T          remember cached inodes for T seconds (0s)
    -o nopath              don't supply path if not necessary
    -o intr                allow requests to be interrupted
    -o intr_signal=NUM     signal to send on interrupt (10)
    -o modules=M1[:M2...]  names of modules to push onto filesystem stack

    -o max_write=N         set maximum size of write requests
    -o max_readahead=N     set maximum readahead
    -o max_background=N    set number of maximum background requests
    -o congestion_threshold=N  set kernel's congestion threshold
    -o async_read          perform reads asynchronously (default)
    -o sync_read           perform reads synchronously
    -o atomic_o_trunc      enable atomic open+truncate support
    -o big_writes          enable larger than 4kB writes
    -o no_remote_lock      disable remote file locking
    -o no_remote_flock     disable remote file locking (BSD)
    -o no_remote_posix_lock disable remove file locking (POSIX)
    -o [no_]splice_write   use splice to write to the fuse device
    -o [no_]splice_move    move data while splicing to the fuse device
    -o [no_]splice_read    use splice to read from the fuse device

Module options:

    -o from_code=CHARSET   original encoding of file names (default: UTF-8)
    -o to_code=CHARSET	    new encoding of the file names (default: UTF-8)

    -o subdir=DIR	    prepend this directory to all paths (mandatory)
    -o [no]rellinks	    transform absolute symlinks to relative AFF Package



cyborg@cyborg:~$ affuse image.000 /mnt/new
cyborg@cyborg:~$ ls -lh /mnt/new
total 0
-r--r--r-- 1 root root 2.0G 20015-09-30 16:00 v.000.raw


afverify [options] filename.aff


    -a      --- print all segments
    -V      --- Just print the version number and exit.
    -v      --- verbose


cyborg@cyborg:~$ affverify -v file.aff 
file.aff: no signing certificate present. 

  Read              0/   16025444352 bytes; done in n/a
  Read       16777216/   16025444352 bytes; done in  0:02:54
  Read       33554432/   16025444352 bytes; done in  0:04:26
  Read       50331648/   16025444352 bytes; done in  0:04:59
  Read       67108864/   16025444352 bytes; done in  0:05:15
  Read       83886080/   16025444352 bytes; done in  0:05:25
  Read      100663296/   16025444352 bytes; done in  0:05:26
  Read      117440512/   16025444352 bytes; done in  0:05:35
  Read      134217728/   16025444352 bytes; done in  0:05:40
  Read      150994944/   16025444352 bytes; done in  0:05:42
  Read      167772160/   16025444352 bytes; done in  0:05:43
  Read      184549376/   16025444352 bytes; done in  0:05:45
  Read      201326592/   16025444352 bytes; done in  0:05:47
  Read      218103808/   16025444352 bytes; done in  0:05:52
  Read      234881024/   16025444352 bytes; done in  0:05:50


afverify [options] filename.aff


   -V         =   Just print the version number and exit AFF Package
   -x         =   Don't include the infile filename in output.
   -j segname =   Just print information about segname 
                  (may be repeated) AFF Package
   -s         =   output 'stats' for the file data (may a long time) AFF Package


cyborg@cyborg:~$ affxml file.aff 
<?xml version='1.0' encoding='UTF-8'?>
<!-- XML generated by afxml version 3.7.4 -->
<affinfo image_filename='file.aff'>
    <pages coding='base10'>94</pages>
    <badflag coding='base64'>KSO+hOFs1q5SkEnx8bvp67Om2zyHDD6ZJF4NHAa3R96zEk3IQ7uLph8DWn0JOCUfXdTL/Jb1RTsTDYkKHNuuMiCaUO5AeDb9Ekky9p59SdytTxTyREBm0GvEMLcyO6Ei9iKRneGLH9qwypkCuXKdSSyAfsWZ1emAsurJzFO/Z9a/FNZ+LdyOZoPvV0lh/2mPYc3RHp2cFnJy5h3whE9KdwLX6DksU8vJEh4zdJ4M9NXUn9SkWX41zzIi9MzP05AtSNOPdebZHSrlwPcreIGHRA5fUADUYY2+ewUVBzszgh8YcJLaZFTOsYU+aRX4RmoElnMO2RYvZ2jU90pK0FdodvoWuxGtriSIef5S2yVD5Tz0RdPYKM4L9cVgWT2XJ4pZdi3QwsnNaNRJanklCGFAFLE7aqURKMGM1qkLh5eML/EVHZqVwZvhwH7pqJqnhsK1VL+a59kj0VWQOCjR2WyhZl5O4TCc/tlxn+Kl4gybtEdlOCpGiamCeXp2eMJjsSbf2iltPmLglhI0vzmmP4le8W0O42wooR4gHcvCAz9BB4QPFAVlGyhhycXnLI5GNgjc86iN/r7y63H/oNA7dQaMfod4c03QvoK+28JGQSuM+jB/cPCnVIYylapbaBML5vz1yr59n4mKQRv9uE9o9nJ7FJnN0w3wRDq0pmZTMwvLoRA=</badflag>
    <badsectors coding='base10'>0</badsectors>
    <pagesize coding='base10'>16777216</pagesize>
    <imagesize coding='base10'>16025444352</imagesize>

Leave a reply


We're are building as a community and a team. Be a part of it.


©2018 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?