Dev Docs: Where to start?

[jonstewart]

Hola,

I'd potentially like to use aff4 in a new project, but I'm not sure where to start.

• Where can I read the docs?
• Who's in charge?
• What policies apply? (I note my team member has made significant contributions and had to change them to conform with the notoriously C++-hostile Google C++ "Style" Guidelines. But then... it seems... the API is C++-based? So there are ABI breakage issues?)
• What works?
• What needs to be fixed?

The possible universe where AFF4 becomes a common alternative to E01/L01 is the one I want to live in and I'm willing to invest in it becoming a reality, but I am a conservative investor.

cheers,

Jon

[scudette]

Hi Jon, The docs for the AFF4 standard can be found at https://github.com/aff4/Standard - this gives information about the file format itself. There are also reference images at https://github.com/aff4/ReferenceImages.

The C++ implementation can be accessed via the pure C api or the C++ API (more powerful API).

You can see the full capabilities of in the imager binary (aff4imager or winpmem) - so you can get imaging, extraction etc. The winpmem binary also features imaging with invalid regions (i.e. to cover IO errors - this is required because on windows VSM blocks certain memory pages resulting in a read error).

So the best documentation of how to use the library is probably the imager code itself. This example shows writing maps (sparse image) with support for reading sectors with possible IO errors https://github.com/Velocidex/c-aff4/blob/master/tools/pmem/win_pmem.cc#L369

If you have any specific questions, please do not hesitate to contact us. We also offer commercial custom development services at support@velocidex.com. We are also keen to accept PRs that improve the code base. If you want to deviate from the Google style guide - please explain exactly what deviations are desired and why. We do try to keep to c++11 compatibility if possible.

[jonstewart]

Thanks, Michael. I will go through those links.

C++11 makes sense although ‘14 has some nice fixes and is five years old (but LTS distros can live for a while...), so I’d recommend adopting ‘14 at some point. The Google C++ Style Guide has gotten much less weird/reactionary over the years, but still has some superstitions that run contrary to consensus best practices (like forbidding nontrivial static objects [I dislike singletons as much as the next guy, but a Meyers Singleton will handle destruction correctly unless one is being devious] and nonconst out-param references [which the guide calls “confusing,” missing the point that references obviate tests for nullity]). The Google Style Guide may have its place in a very large organization with many young developers, and it does have the benefit of being a rulebook, and I don’t really want to waste time obsessing over it... but it is a weird guide when one is coming from the usual Sutter/Meyers/Stroustrup tradition.

@uckelman-sf hasn’t been able to get aff4imager to work, despite much trying. I will have him post issues here.

I’d heard a rumor that “logical” evidence files (i.e., archives, not sparse images) were being worked on. I’m keenly interested in that, if such a project is underway.