Hi, Jessica Hyde here, Director of Forensics. We are excited to announce the introduction of logical forensic containers via AFF4-L in AXIOM Cyber 4.5! When you now use AXIOM Cyber to make logical acquisitions of files and folders or process memory, the default container will be AFF4-L. You can however still choose to use .zip as your container if that is what you prefer.
We previously added support for AFF4 physical images from MacQuisition in version 3.7 and support for AFF4 from other sources like Evimetry in AXIOM Cyber 4.2. Now we are bringing logical support of AFF4, AFF4-L, support to AXIOM Cyber 4.5. We are excited to comply with AFF4-L v1.1, bringing the standard from journal publications in 2019 into a forensic tool in 2020. This is the first vendor neutral standard for logical images based on the AFF4 format.
AFF4 logical containers have several advantages over using non-forensic standard containers. The primary advantages include forensic soundness, time, compression, and future portability of a shared format. Kevin Brightwell and I wrote a blog post regarding our views on AFF4 and AFF4-L and our encouragement for the community to take up the standard for logical images that explains much of these differences.
As the targeted acquisitions AXIOM Cyber creates with remote acquisition, it makes sense to store these raw files in logical container. AFF4-L provides for a forensics container in a vendor agnostic, non-proprietary format. We are happy to now be able to store raw files from remote acquisition of files and process memory in this format.
In terms of size of image, there are major gains with AFF4-L as compared to the same logical files being stored in a .zip container. This could lead to major savings in terms of storage. Here is an example of the compression. We took the same image of logical files from a Mac. The traditional .zip container was 8.4GB. The same resultant image in AFF4-L was 4GB.
The AFF4-L format is robust. And we are excited to have implemented many of the features including the compression gains. We look forward to introducing the time gains associated with striping in future releases.
The specification in the paper was easy to follow. We encourage others in the community to adopt this standard. As it is a public open source standard, we look forward to the future portability of these images as additional tools begin to support the standard. The community was entirely helpful with issues when we ran into them. We look forward to contributing documentation back to the community. To learn more about the community and AFF4, check out the documentation, overview, and github repository for the project at https://github.com/aff4/.
We are so excited to bring forth acceptance of AFF4 and AFF4-L as an open source, non-proprietary format that is tested, validated, peer-reviewed and open to anyone for both physical and logical images. If you have any questions please feel free to reach out to me, firstname.lastname@example.org with your comments or questions about our AFF4 or AFF4-L integration.
Schatz, B. L. (2019). AFF4-L: A Scalable Open Logical Evidence Container. Digital Investigation, 29. doi:10.1016/j.diin.2019.04.016