Re: [sleuthkit-users] Disk image in TSK
From: Simson G. <si...@ac...> - 2016-06-30 01:36:30
It's pretty easy to add support for new file formats to TSK. You just add it to the img_open_table() in img_types.c, add the bitfields to TSK_IMG_TYPE_ENUM in tsk_img.h, and update img_open.c. Try this search to see all the places that AFF is referenced: https://github.com/sleuthkit/sleuthkit/search?utf8=%E2%9C%93&q=AFF

The issue with AFF is that version 3 doesn't offer compelling features over EWF. Version 4 does, but as others have said, it isn't ready for general use yet.

Simson

> On Jun 27, 2016, at 6:02 PM, Edward Diener <eld...@tr...> wrote:
>
> On 6/27/2016 4:32 PM, Simson Garfinkel wrote:
>> I don't recommend using AFF at this point for production purposes.
>>
>> Why do you want to use it?
> I was curious whether it is integrated into TSK or not and, if so, how was it done? I actually have little use for it in the project on which I am working.
>
> Eddie Diener
>>
>> ----
>> Sent from my phone.
>>
>>> On Jun 27, 2016, at 3:16 PM, Edward Diener <eld...@tr...> wrote:
>>>
>>>> On 6/27/2016 3:08 PM, Edward Diener wrote:
>>>> Hello Eddie,
>>>>
>>>> You're correct regarding RAW files. RAW can have different extensions other than ".dd" also, such as .001, .raw, .img, etc., so saying "RAW" includes all of those. Single refers to a single disk image file such as someimage.dd, and split refers to a disk image file separated into multiple chunks such as someotherimage.001, someotherimage.002, someotherimage.003, ... Windows doesn't come with an included disk imager as far as I'm aware.
>>> There is a product called FTK Imager from AccessData which can create EWF image files.
>>>> RAW and .dd is pretty much considered an industry standard, regardless of the file extension actually used or the examiner's chosen platform.
>>> I will investigate these on the web.
>>>> You're also correct regarding EWF (Expert Witness Format). AFF (Advanced Forensic Format) uses AFFLIB, which can be found here: https://github.com/sshock/AFFLIBv3/releases.
>>> How do I add support for AFF to TSK if I need it? The docs don't seem to mention this.
>>>> I hope this helps!
>>> Very helpful. Thanks!
>>>> Hoyt
>>>>
>>>> On Sat, Jun 25, 2016 at 7:42 AM, Edward Diener <eldlistmailingz@...> wrote:
>>>>
>>>>> What are the disk image formats in TSK?
>>>>>
>>>>> I see mention of single and split raw images. To what do these refer? Are these files created by the Linux 'dd' command? What about on other operating systems such as Windows?
>>>>>
>>>>> I also see mention of EWF and AFF. I assume that EWF are images created by the libewf project and I can see that TSK 4.2.0 supports libewf. What is needed to support AFF and where would I find more information about it?
>>>>>
>>>>> Eddie Diener
>>> _______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org
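The thread distinguishes single raw images from split raw images (someotherimage.001, .002, .003, ...) and describes an image format as an entry that TSK's open/read dispatch (img_open_table() and friends) calls into. The following is an added example, not code from TSK or from anyone in this thread: it models the one thing a split-raw entry must do, present several chunks as one flat byte stream, including reads that cross a chunk boundary and reads at or past the end. The chunk names and contents are constructed sample data held in memory rather than files, so it runs offline; real chunks would be opened from disk with their sizes taken from the file system.

```c
/* Added example, not TSK code: a split raw image (image.001, image.002, ...)
 * exposed as one flat byte stream, which is what a format's open/read entry
 * in a dispatch table such as the img_open_table() the post mentions provides.
 * Chunk names and contents below are constructed sample data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGMENTS 16

typedef struct {
    const char *name;    /* chunk file name (constructed, not read from disk) */
    const uint8_t *data; /* chunk bytes */
    size_t size;         /* chunk length; chunks need not be equal in size */
} segment_t;

typedef struct {
    segment_t seg[MAX_SEGMENTS];
    uint64_t seg_start[MAX_SEGMENTS]; /* absolute offset where each chunk begins */
    size_t nseg;
    uint64_t total_size;
} split_img_t;

/* "Open" the split image: record each chunk and its absolute start offset,
 * so a logical offset can later be mapped to (chunk, offset within chunk). */
int split_img_open(split_img_t *img, const segment_t *segs, size_t n)
{
    if (n == 0 || n > MAX_SEGMENTS) return -1;
    img->nseg = n;
    img->total_size = 0;
    for (size_t i = 0; i < n; i++) {
        img->seg[i] = segs[i];
        img->seg_start[i] = img->total_size;
        img->total_size += segs[i].size;
    }
    return 0;
}

/* Read up to len bytes at absolute offset off, continuing into the next chunk
 * when the read spans a boundary. Returns bytes read (short at end of image),
 * or -1 if off lies at or beyond the end of the image. */
long split_img_read(const split_img_t *img, uint64_t off, uint8_t *buf, size_t len)
{
    if (off >= img->total_size) return -1;

    /* Locate the chunk that contains off. */
    size_t i = 0;
    while (i + 1 < img->nseg && off >= img->seg_start[i + 1]) i++;

    size_t done = 0;
    while (done < len && i < img->nseg) {
        uint64_t in_seg = off + done - img->seg_start[i];
        size_t avail = img->seg[i].size - (size_t)in_seg;
        size_t take = avail < len - done ? avail : len - done;
        memcpy(buf + done, img->seg[i].data + in_seg, take);
        done += take;
        i++; /* the next chunk, if any, starts exactly at off + done */
    }
    return (long)done;
}

/* Constructed sample: three unequal chunks, 24 bytes in total. */
int build_sample_image(split_img_t *img)
{
    static const uint8_t c1[] = "AAAAAAAA";    /* 8 bytes  */
    static const uint8_t c2[] = "BBBBB";       /* 5 bytes  */
    static const uint8_t c3[] = "CCCCCCCCCCC"; /* 11 bytes */
    const segment_t segs[] = {
        { "sample.001", c1, sizeof c1 - 1 },
        { "sample.002", c2, sizeof c2 - 1 },
        { "sample.003", c3, sizeof c3 - 1 },
    };
    return split_img_open(img, segs, 3);
}

int main(void)
{
    split_img_t img;
    uint8_t buf[32];
    if (build_sample_image(&img) != 0) return 1;
    long n = split_img_read(&img, 6, buf, 5);  /* crosses sample.001 -> sample.002 */
    printf("offset 6, 5 bytes: %ld read: %.*s\n", n, (int)n, (const char *)buf);
    n = split_img_read(&img, 12, buf, 20);     /* truncated at end of image */
    printf("offset 12, 20 bytes: %ld read: %.*s\n", n, (int)n, (const char *)buf);
    printf("offset 24: %ld (past end)\n", split_img_read(&img, 24, buf, 1));
    return 0;
}
```

The boundary cases are the ones that matter for a format plug-in: a read that starts in one chunk and ends in the next must be stitched together, a read that runs off the end is shortened rather than failed, and an offset at or past total_size is an error rather than a zero-length success, so callers at the file-system layer can tell the two apart.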