I had a look at the AFF4 documentation. Unfortunately, I can't say that it's written a way that would allow me to support AFF4 easily.
I then tried to compile aff4imager myself (current version, i.e. 1.0) and managed to do so in the end. However, there are some bugs. For example, I get a floating point error when trying to view the metadata from the reference image named Base-Linear.aff4 with option -V.
Using the AFF4 C/C++ library from within Guymager possibly could be an option, but if you go to http://docs.aff4.org/en/latest/#the-aff4-c-c-library and click onto "See the documentation for developers." you'll be shown an empty page - with a copyright notice from 2018.
Packages libaff4-0 and libaff4-dev did exist in Ubuntu 18.04 and 19.10, but I cannot find them for 20.04.
The first binary of aff4imager (Version 1.0 -> aff4imager) is Jan 16 2018, and it is work for me with "-V" option, and the last but one binary (Release 3.3. rc1 -> linpmem-v3.3.rc1) is Mar 2 2019 also.
(the aff4imager is part of the linpmem release: "Since the pmem tools are functionally equivalent to the aff4 imager (with extra memory capabilities) we just release the pmem tools as the main user facing tool")
I tried to compile from the last source but it failed, and 3.3 rc2 binary is also wrong...
./aff4imager-VBase-Linear.aff4@prefixrdf:<http://www.w3.org/1999/02/22-rdf-syntax-ns#>.@prefixaff4:<http://aff4.org/Schema#>.@prefixxsd:<http://www.w3.org/2001/XMLSchema#>.<aff4://427e2078-b010-462b-ba7c-f286b390ba94>aff4:caseNumber"Case ID: 1SR Canonical"^^xsd:string;aff4:evidenceNumber"Drive 1"^^xsd:string;aff4:examiner"Administrator"^^xsd:string;aff4:notes"This is an appended case note"^^xsd:string;aff4:stored<aff4://685e15cc-d0fb-4dbc-ba47-48117fc77044>;aff4:target<aff4://cf853d0b-5589-4c7c-8358-2ca1572b87eb>;aaff4:CaseNotes.<aff4://685e15cc-d0fb-4dbc-ba47-48117fc77044>aff4:contains<aff4://427e2078-b010-462b-ba7c-f286b390ba94>,<aff4://c1a6ab35-d46a-4c37-9bfe-0b3e4f0f1ca3>,<aff4://c21070c3-6d57-4f3b-9276-f83b6bfed5ae>,<aff4://c215ba20-5648-4209-a793-1f918c723610>,<aff4://cf853d0b-5589-4c7c-8358-2ca1572b87eb>,<aff4://db69295f-70c3-4e82-9530-a39507f1447b>,<aff4://fcbfdce7-4488-4677-abf6-08bc931e195b>;aff4:interfaceaff4:Volume.<aff4://c1a6ab35-d46a-4c37-9bfe-0b3e4f0f1ca3>aff4:caseDescription"Canonical Image Generation Test Case"^^xsd:string;aff4:caseName"Canonical Image Generation"^^xsd:string;aff4:examiner"Administrator"^^xsd:string;aff4:stored<aff4://685e15cc-d0fb-4dbc-ba47-48117fc77044>;aff4:target<aff4://cf853d0b-5589-4c7c-8358-2ca1572b87eb>;aaff4:CaseDetails.<aff4://c21070c3-6d57-4f3b-9276-f83b6bfed5ae>aff4:caseNumber"Case ID: 1SR Canonical"^^xsd:string;aff4:evidenceNumber"Drive 1"^^xsd:string;aff4:examiner"Administrator"^^xsd:string;aff4:notes"This is another appended case note"^^xsd:string;aff4:stored<aff4://685e15cc-d0fb-4dbc-ba47-48117fc77044>;aff4:target<aff4://cf853d0b-5589-4c7c-8358-2ca1572b87eb>;aaff4:CaseNotes.<aff4://c215ba20-5648-4209-a793-1f918c723610>aff4:chunkSize32768;aff4:chunksInSegment2048;aff4:compressionMethod<http://code.google.com/p/snappy/>;aff4:size3964928;aff4:stored<aff4://685e15cc-d0fb-4dbc-ba47-48117fc77044>;aff4:target<aff4://fcbfdce7-4488-4677-abf6-08bc931e195b>;aff4:version1;aaff4:ImageStream.<aff4://c215ba20-5648-4209-a793-1f918c723610/blockhash.md5>aaff4:BlockHashes.<aff4://c215ba20-5648-4209-a793-1f918c723610/blockhash.sha1>aaff4:BlockHashes.<aff4://cf853d0b-5589-4c7c-8358-2ca1572b87eb>aff4:acquisitionCompletionState"Completed Normally"^^xsd:string;aff4:blockSize512;aff4:dataStream<aff4://fcbfdce7-4488-4677-abf6-08bc931e195b>;aff4:diskDeviceName"/dev/sdz"^^xsd:string;aff4:diskDeviceRole0;aff4:diskDeviceType"Disk"^^xsd:string;aff4:diskFirmware"1.02a"^^xsd:string;aff4:diskInterfaceType"ATA"^^xsd:string;aff4:diskMake"Seagate"^^xsd:string;aff4:diskModel"ST-506"^^xsd:string;aff4:diskNumberOfPartitions1;aff4:diskPartitionTableType"MBR"^^xsd:string;aff4:diskSerial"SGAT5060001234"^^xsd:string;aff4:sectorCount524288;aff4:size268435456;aff4:stored<aff4://685e15cc-d0fb-4dbc-ba47-48117fc77044>;aaff4:ContiguousImage,aff4:DiskImage,aff4:Image.<aff4://db69295f-70c3-4e82-9530-a39507f1447b>aff4:operation"CAPTURE"^^xsd:string;aff4:stored<aff4://685e15cc-d0fb-4dbc-ba47-48117fc77044>;aff4:target<aff4://cf853d0b-5589-4c7c-8358-2ca1572b87eb>;aff4:timeSource"SINK"^^xsd:string;aaff4:TimeStamps.<aff4://fcbfdce7-4488-4677-abf6-08bc931e195b>aff4:dependentStream<aff4://c215ba20-5648-4209-a793-1f918c723610>;aff4:mapGapDefaultStreamaff4:Zero;aff4:size268435456;aff4:stored<aff4://685e15cc-d0fb-4dbc-ba47-48117fc77044>;aff4:target<aff4://cf853d0b-5589-4c7c-8358-2ca1572b87eb>;aaff4:Map.<file:///home/bkl/aff4/Base-Linear.aff4>aff4:contains<aff4://685e15cc-d0fb-4dbc-ba47-48117fc77044>.
Thank You for your efforts,
bkl
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hello bkl,
I had a look at the AFF4 documentation. Unfortunately, I can't say that it's written a way that would allow me to support AFF4 easily.
I then tried to compile aff4imager myself (current version, i.e. 1.0) and managed to do so in the end. However, there are some bugs. For example, I get a floating point error when trying to view the metadata from the reference image named Base-Linear.aff4 with option -V.
Using the AFF4 C/C++ library from within Guymager possibly could be an option, but if you go to http://docs.aff4.org/en/latest/#the-aff4-c-c-library and click onto "See the documentation for developers." you'll be shown an empty page - with a copyright notice from 2018.
Packages libaff4-0 and libaff4-dev did exist in Ubuntu 18.04 and 19.10, but I cannot find them for 20.04.
On https://github.com/aff4/Standard everything is marked "3 years ago". Version 1.0 never got updated.
This all looks to me like a project with good ideas and good intentions that got stuck at an academic research level.
Hm.... what to do? Maybe I simply missed something?
Guy
Hi, sorry, but i wrote my answer another thread (because wrote from mail), see below.
Hi Guy,
Thank You for the response!
I found an implementation:
https://github.com/Velocidex/c-aff4
The first binary of aff4imager (Version 1.0 -> aff4imager) is Jan 16 2018, and it is work for me with "-V" option, and the last but one binary (Release 3.3. rc1 -> linpmem-v3.3.rc1) is Mar 2 2019 also.
(the aff4imager is part of the linpmem release: "Since the pmem tools are functionally equivalent to the aff4 imager (with extra memory capabilities) we just release the pmem tools as the main user facing tool")
I tried to compile from the last source but it failed, and 3.3 rc2 binary is also wrong...
The image file from:
https://github.com/aff4/ReferenceImages/blob/master/AFF4Std/Base-Linear.aff4
Thank You for your efforts,
bkl
Please have a look at my response in ticket #16
https://sourceforge.net/p/guymager/feature-requests/16/