Compiling AFF4-CPP-Lite for Ubuntu 22.0.4

Matthew Turner

What is AFF4

The Advanced Forensics File format 4 (AFF4) was originally designed and published in “Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow”, M.I. Cohen, Simson Garfinkel and Bradley Schatz, Digital Investigation 6 (2009) S57–S68.

AFF4 is an open source format for storing digital evidence and data.

The original paper was released with an earlier implementation written in Python. This project is a complete open source re-implementation for a general purpose AFF4 library. ~ http://www2.aff4.org

Environment

  • Ubuntu 22.0.4 ARM distro

  • (optional) - I did this on an M1 MacBook and utilized Docker for this distro. At the time of this writing (2023.02.23) this image (22.0.4) was simply invoked by:

      docker pull ubuntu
    

Compile Walkthrough

  1. Install the necessary* dependencies

     *dependency list can be reduced (example: build-essential is too broad but includes gcc)

     apt update

     apt install build-essential libsnappy-dev libssl-dev automake autoconf libtool zlib1g-dev libcppunit-dev libraptor2-dev liblz4-dev git

  2. Clone the 'aff4-cpp-lite' repository from GitHub https://github.com/aff4

     git clone https://github.com/aff4/aff4-cpp-lite.git

  3. Change the directory to the 'aff4-cpp-lite' folder

     cd aff4-cpp-lite


Build the source code

     autoconf
     autoreconf --install
     ./configure
     make
     make install

Compiled Tools

  1. aff4-digest

  2. aff4-extract

  3. aff4-info
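
To confirm the install and keep a record of exactly which binaries were built, the following added example (not part of the original post) checks that the three tools listed above exist and writes their SHA-256 hashes to a manifest that can be re-checked later. The function names, the manifest layout and the /usr/local/bin location (the default autotools prefix) are assumptions.

```shell
#!/bin/sh
# Added example: post-install check for the tools built in this walkthrough.
# Function names and manifest layout are assumptions, not part of aff4-cpp-lite.
#
# Usage (after sourcing this file):
#   aff4_tool_manifest /usr/local/bin > aff4-tools.sha256
#   aff4_tool_verify aff4-tools.sha256

# The three tools this page lists under "Compiled Tools".
AFF4_TOOLS="aff4-digest aff4-extract aff4-info"

# Print one "<sha256>  <path>" line per tool found in the given directory.
# Returns 0 only when all three tools are present as executable files.
aff4_tool_manifest() {
    aff4_bindir="$1"
    aff4_status=0
    for aff4_tool in $AFF4_TOOLS; do
        aff4_path="$aff4_bindir/$aff4_tool"
        if [ -f "$aff4_path" ] && [ -x "$aff4_path" ]; then
            sha256sum "$aff4_path"
        else
            echo "MISSING  $aff4_path" >&2
            aff4_status=1
        fi
    done
    return "$aff4_status"
}

# Re-check a saved manifest; returns non-zero if any listed binary has
# changed or can no longer be read.
aff4_tool_verify() {
    sha256sum --check --quiet "$1"
}
```

Storing the manifest with the case notes records which build of the tools produced a given digest or extraction.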
