sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

AFF image support #7270

Closed seanthegeek closed 3 years ago

seanthegeek commented 3 years ago

According to this old Sleuthkit page, Autopsy v2 supported AFF images.

Autopsy and TSK support raw, Expert Witness, and AFF file formats.

When I try to add a data source in Autopsy 4.19.1, AFF is not one of the supported file types.


If I try to open the image by filtering on All Files, Autopsy doesn’t know what to do with it.

Errors occurred while ingesting image

  1. Possible encryption detected (High entropy (7.99)) (Sector offset: 0)


A friend mentioned this might be fixed by a plugin, but the list of available plugins is blank.


Do modern versions of Autopsy support AFF images? If so, how? Currently, I’ve resorted to converting AFF images to RAW using affconvert. Of course, those files are much larger.
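The "Possible encryption detected (High entropy (7.99))" warning above is what an entropy heuristic reports for any content with almost no byte-level redundancy, which is true of a compressed AFF container just as it is of ciphertext. The following Python example is added here for illustration (it is not Autopsy's code or the reporter's): it computes Shannon entropy over a window of constructed sample data and applies a hypothetical near-ceiling threshold, showing that the same check that catches encrypted data also fires on a compressed image while leaving raw filesystem content alone.

```python
import math
import random
import zlib
from collections import Counter

WINDOW = 64 * 1024  # bytes examined from the start of the input (sector offset 0)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (one byte value only) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


def high_entropy_flag(data: bytes, threshold: float = 7.9) -> tuple[bool, float]:
    """Hypothetical stand-in for an ingest 'possible encryption' heuristic (assumed, not
    Autopsy's real check): flag the input when the entropy of its first WINDOW bytes is
    near the 8-bit ceiling. Returns (flagged, entropy rounded to two decimals)."""
    h = shannon_entropy(data[:WINDOW])
    return h >= threshold, round(h, 2)


def constructed_samples() -> dict[str, bytes]:
    """Constructed stand-ins for image content; none of these is a real disk image."""
    rng = random.Random(1234)  # fixed seed so the results are reproducible
    words = [b"boot", b"log", b"user", b"config", b"cache", b"index", b"data", b"temp"]
    text = b" ".join(rng.choice(words) for _ in range(WINDOW // 4))[:WINDOW]
    return {
        "unallocated space (zeros)": bytes(WINDOW),
        "raw filesystem text": text,
        "same text, deflate-compressed": zlib.compress(text, 9),
        "pseudo-random (encrypted-looking)": bytes(rng.getrandbits(8) for _ in range(WINDOW)),
    }


def main() -> None:
    for name, blob in constructed_samples().items():
        flagged, h = high_entropy_flag(blob)
        verdict = "FLAGGED: possible encryption" if flagged else "ok"
        print(f"{name:36s} entropy={h:5.2f}  {verdict}")


if __name__ == "__main__":
    main()
```

Only the compressed and pseudo-random samples cross the threshold, which is why a compressed evidence container draws the same warning as encrypted data until a tool that understands the container format decompresses it first.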

seanthegeek commented 3 years ago

Ah, I see now that AFF3 and AFFLIBv3 have been deprecated.

AFF3 and AFFLIBv3 have been deprecated and should not be used for new projects.

The AFF4 GitHub repository is gone. So I'll stick with E01 (Encase format) for compressed images. FTK Imager does a great job with compression when the compression setting is maxed out at 9. A 62 GB RAW image was converted to a 24 GB E01 file!

So, if anyone else is reading this and wondering how to convert AFF images to E01 images:

  1. Convert the AFF image to RAW using affconvert

    # -r forces raw output; -o names the output file (one input file allowed with -o)
    affconvert -r -o example.raw example.aff

  2. Convert the RAW image to E01 by adding the RAW image as a source, right-clicking it, and exporting the image in E01 format. Or use ewfacquire

    # ewfacquire prompts for the target name and other acquisition settings not given on the command line
    ewfacquire -c best example.raw