Difference between pages "Upcoming events" and "AFF"

From Forensics Wiki
(Difference between pages)
(Conferences)
 
m
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
The '''Advanced Forensics Format''' ('''AFF''') is an extensible open format for the storage of [[disk image]]s and related forensic [[metadata]]. It was originally developed by [[Simson Garfinkel]] and [[Basis Technology]]. The last version of AFF is implemented in the [[AFFLIBv3]] library, which can be found on [https://github.com/simsong/AFFLIBv3 github]. [[AFF4]] builds upon many of the concepts developed in AFF. AFF4 was developed by [[Michael Cohen]], Simson Garfinkel and Bradley Schatz. That version can be downloaded from [https://code.google.com/p/aff4/ Google Code].
When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience. Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
[[Sleuthkit]], [[Autopsy]] , [[OSFMount]], [[Xmount]], [[FTK Imager]] and [[FTK]] support the AFFv3 image format.
  
This listing is divided into three sections (described as follows):<br>
+
=AFF Background=
<ol><li><b><u>[[Upcoming_events#Calls_For_Papers|Calls For Papers]]</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
AFF is an open and extensible file format to store disk images and associated metadata. Using AFF, the user is not locked into a proprietary format that may limit how he or she may analyze it. An open standard enables investigators to quickly and efficiently use their preferred tools to solve crimes, gather intelligence, and resolve security incidents.
<li><b><u>[[Upcoming_events#Conferences|Conferences]]</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>[[Training Courses and Providers]]</u></b> - Training </li><br></ol>
+
  
== Calls For Papers ==
+
Use of proprietary file formats means converting from one format to another to use multiple tools. Converting between formats risks data corruption if the formats are not well understood. Metadata may be lost if all formats do not support the same forms of metadata.
Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.
+
==Extensible Design==
  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
Use AFF to store any type of metadata such as GPS coordinates, chain of custody information, or any other user-defined data.
|- style="background:#bfbfbf; font-weight: bold"
+
! width="30%|Title
+
! width="15%"|Due Date
+
! width="15%"|Notification Date
+
! width="40%"|Website
+
|-
+
|The Sixth International Workshop on Digital Forensics (WSDF 2013)
+
|Apr 02, 2013
+
|May 02, 2013
+
|http://www.ares-conference.eu/conf/index.php?option=com_content&view=article&id=49&Itemid=95
+
|-
+
|New Security Paradigms Workshop (NSPW)
+
|Apr 12, 2013
+
|Jun 07, 2013
+
|http://www.nspw.org/2013/cfp
+
|-
+
|5th International Conference on Digital Forensics & Cyber Crime (ICDF2C 2013)
+
|Apr 30, 2013
+
|Jun 01, 2013
+
|http://d-forensics.org/2013/show/cf-papers
+
|-
+
|2nd Cyberpatterns: Unifying Design Patterns with Security, Attack and Forensic Patterns Workshop
+
|May 20, 2013
+
|Jun 10, 2013
+
|http://tech.brookes.ac.uk/CyberPatterns2013
+
|-
+
|}
+
  
See also [http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics WikiCFP 'Forensics']
+
AFF supports the definition of arbitrary metadata by storing all data as name and value pairs, called segments. Some segments store the disk data and others store metadata. Because of this general design, any metadata can be defined by simply creating a new name and value pair. Each of the segments can be compressed to reduce the size of drive images, and cryptographic hashes can be calculated for each segment to ensure data integrity.
  
== Conferences ==
+
==Flexible Design==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="20%"|Date/Location
+
! width="40%"|Website
+
|-
+
|CERIAS 14th Annual Information Security Symposium
+
|Apr 03-04<br>West Lafayette, IN
+
|http://www.cerias.purdue.edu/site/symposium2013
+
|-
+
|8th Annual Workshop on Digital Forensics and Incident Analysis (WDFIA)
+
|May 08-10<br>Lisbon, Portugal
+
|http://www.wdfia.org/default.asp
+
|-
+
|European Information Security Multi-Conference (EISMC 2013)
+
|May 08-10<br>Lisbon, Portugal
+
|http://www.eismc.org/
+
|-
+
|IEEE Symposium on Security & Privacy
+
|May 19-23<br>San Francisco, CA
+
|http://www.ieee-security.org/TC/SP2013/index.html
+
|-
+
|International Workshop on Cyber Crime
+
|May 24<br>San Francisco, CA
+
|http://stegano.net/IWCC2013/
+
|-
+
|Techno Security and Forensics Investigation Conference
+
|Jun 02-05<br>Myrtle Beach, SC
+
|http://www.thetrainingco.com/html/Security%20Conference%202013.html
+
|-
+
|Mobile Forensics World
+
|Jun 02-05<br>Myrtle Beach, SC
+
|http://www.techsec.com/html/MFC-2013-Spring.html
+
|-
+
|ADFSL 2013 Conference on Digital Forensics, Security and Law
+
|Jun 10-12<br>Richmond, VA
+
|http://www.digitalforensics-conference.org/index.htm
+
|-
+
|FIRST Conference
+
|Jun 16-21<br>Bangkok, Thailand
+
|http://conference.first.org/2013/
+
|-
+
|The 1st ACM Workshop on Information Hiding and Multimedia Security
+
|Jun 17-19<br>Montpellier, France
+
|http://ihmmsec.org/
+
|-
+
|28th IFIP TC-11 SEC 2013 International Information Security and Privacy Conference
+
|Jul 08-10<br>Auckland, New Zealand
+
|http://www.sec2013.org/
+
|-
+
|The Second International Workshop on Cyber Patterns: Unifying Design Patterns with Security, Attack and Forensic Patterns
+
|Jul 08-09<br>Abingdon, Oxfordshire, United Kingdom
+
|http://tech.brookes.ac.uk/CyberPatterns2013
+
|-
+
|Symposium On Usable Privacy and Security
+
|Jul 24-26<br>Newcastle, United Kingdom
+
|http://cups.cs.cmu.edu/soups/2013/
+
|-
+
|DFRWS 2013
+
|Aug 04-07<br>Monterey, CA
+
|http://dfrws.org/2013
+
|-
+
|Regional Computer Forensics Group GMU 2013
+
|Aug 05-09<br>Fairfax, VA
+
|http://www.rcfg.org
+
|-
+
|6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '13)
+
|Aug 12<br>Washington, DC
+
|https://www.usenix.org/conferences?page=1
+
|-
+
|8th USENIX Workshop on Hot Topics in Security (HotSec '13)
+
|Aug 13<br>Washington, DC
+
|https://www.usenix.org/conferences?page=1
+
|-
+
|22nd USENIX Security Symposium - USENIX Security '13
+
|Aug 14-16<br>Washington, DC
+
|https://www.usenix.org/conference/usenixsecurity13
+
|-
+
|6th International Workshop on Digital Forensics (WSDF 2013)
+
|Sep 02-06<br>Regensburg, Germany
+
|http://www.ares-conference.eu/conf/index.php?option=com_content&view=article&id=49&Itemid=95
+
|-
+
|New Security Paradigms Workshop (NSPW)
+
|Sep 09-12<br>The Banff Center, Canada
+
|http://www.nspw.org/current/
+
|-
+
|5th International Conference on Digital Forensics & Cyber Crime
+
|Sep 25-27<br>Moscow, Russia
+
|http://d-forensics.org/2013/show/home
+
|-
+
|VB2013 - the 23rd Virus Bulletin International Conference
+
|Oct 02-04<br>Berlin, Germany
+
|http://www.virusbtn.com/conference/vb2013/index
+
|-
+
|}
+
  
==See Also==
+
For flexibility, there are three variations of AFF files – AFF, AFD and AFM – and freely available tools to easily convert between the variations.
* [[Training Courses and Providers]]
+
 
==References==
+
The original AFF format is a single file that contains segments with drive data and metadata. Its contents can be compressed, but it can be quite large as the data on modern hard disks often reach 100GB in size.
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
+
 
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
+
For ease of transfer, large AFF files can be broken into multiple AFD format files. The smaller AFD files can be readily moved around a FAT32 file system which limits files to 2GB or stored on DVDs, which have similar size restrictions.
* http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]
+
 
 +
The AFM format stores the metadata in an AFF file, and the disk data in a separate raw file. This format allows analysis tools that support the raw format to access the data, but without losing the metadata.
 +
 
 +
==Compression and Encryption==
 +
AFF supports two compression algorithms: zlib, which is fast and reasonably efficient, and LZMA, which is slower but dramatically more efficient. zlib is the same compression algorithm used by EnCase. As a result, AFF files compressed with zlib are roughly the same size as the equivalent EnCase file. AFF files can be recompressed using the LZMA algorithm. These files are anywhere from 1/2 to 1/10th the size of the original AFF/EnCase file.
 +
 
 +
AFF2.0 supports encryption of disk images. Unlike the password implemented by EnCase, encrypted images cannot be accessed without the necessary encryption key. FTK Imager/FTK added support for this encryption  in version 3.0 and are able to create and access AFF encrypted images.
 +
 
 +
= AFF Tools =
 +
 
 +
* [[aimage]]
 +
* [[ident]]
 +
* [[afcat]]
 +
* [[afcompare]]
 +
* [[afconvert]]
 +
* [[affix]]
 +
* [[affuse]]
 +
* [[afinfo]]
 +
* [[afstats]]
 +
* [[afxml]]
 +
* [[afsegment]]
 +
 
 +
= See Also =
 +
 
 +
* [[AFF Developers Guide]] --- A guide for programmers on how to use the AFF
 +
* [[AFF Development Task List]] --- Want to help with AFF? Here is a list of things that need to be done.
 +
 
 +
== External Links ==
 +
 
 +
* [http://www.afflib.org/ Official website]
 +
* [http://www.basistech.com/digital-forensics/aff.html Basis Technology's AFF website]
 +
* [http://www.osforensics.com/tools/mount-disk-images.html OSFMount - 3rd party tool for mounting AFF disk images with a drive letter]
 +
 
 +
[[Category:Forensics File Formats]]
 +
[[Category:Open Source Tools]]
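Review bot: heading levels in the added AFF text are inconsistent. `=AFF Background=`, `= AFF Tools =` and `= See Also =` are level 1, while `==Extensible Design==`, `==Flexible Design==` and `==Compression and Encryption==` are level 2, and `== External Links ==` ends up nested under See Also. Suggest choosing one level for the top-level sections, using the same spacing inside the `=` markers throughout, and promoting External Links to match See Also. Also, `[[Autopsy]] ,` in the list of supporting tools has a stray space before the comma.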

Revision as of 06:42, 8 April 2013

The Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata. It was originally developed by Simson Garfinkel and Basis Technology. The last version of AFF is implemented in the AFFLIBv3 library, which can be found on GitHub. AFF4 builds upon many of the concepts developed in AFF. AFF4 was developed by Michael Cohen, Simson Garfinkel and Bradley Schatz. That version can be downloaded from Google Code.

Sleuthkit, Autopsy, OSFMount, Xmount, FTK Imager and FTK support the AFFv3 image format.

AFF Background

AFF is an open and extensible file format to store disk images and associated metadata. Using AFF, the user is not locked into a proprietary format that may limit how he or she may analyze the image. An open standard enables investigators to quickly and efficiently use their preferred tools to solve crimes, gather intelligence, and resolve security incidents.

Use of proprietary file formats means converting from one format to another to use multiple tools. Converting between formats risks data corruption if the formats are not well understood. Metadata may be lost if all formats do not support the same forms of metadata.

Extensible Design

Use AFF to store any type of metadata such as GPS coordinates, chain of custody information, or any other user-defined data.

AFF supports the definition of arbitrary metadata by storing all data as name and value pairs, called segments. Some segments store the disk data and others store metadata. Because of this general design, any metadata can be defined by simply creating a new name and value pair. Each of the segments can be compressed to reduce the size of drive images, and cryptographic hashes can be calculated for each segment to ensure data integrity.

Flexible Design

For flexibility, there are three variations of AFF files – AFF, AFD and AFM – and freely available tools to easily convert between the variations.

The original AFF format is a single file that contains segments with drive data and metadata. Its contents can be compressed, but it can be quite large as the data on modern hard disks often reach 100GB in size.

For ease of transfer, large AFF files can be broken into multiple AFD format files. The smaller AFD files can be readily moved around a FAT32 file system, which limits files to 2GB, or stored on DVDs, which have similar size restrictions.

The AFM format stores the metadata in an AFF file, and the disk data in a separate raw file. This format allows analysis tools that support the raw format to access the data, but without losing the metadata.

Compression and Encryption

AFF supports two compression algorithms: zlib, which is fast and reasonably efficient, and LZMA, which is slower but dramatically more efficient. zlib is the same compression algorithm used by EnCase. As a result, AFF files compressed with zlib are roughly the same size as the equivalent EnCase file. AFF files can be recompressed using the LZMA algorithm. These files are anywhere from 1/2 to 1/10th the size of the original AFF/EnCase file.
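The segment design described under Extensible Design and the zlib/LZMA recompression described above can be sketched as follows. This is an added example, not AFFLIB code and not the AFF on-disk layout: the `SegmentStore` class, the segment names `page0`, `gps` and `custody`, the use of SHA-256 and all sample values are assumptions made for illustration.

```python
import hashlib
import lzma
import zlib

# Simplified in-memory model of the segment idea; NOT the AFFLIB on-disk layout.
CODECS = {
    "none": (bytes, bytes),
    "zlib": (zlib.compress, zlib.decompress),
    "lzma": (lzma.compress, lzma.decompress),
}

class SegmentStore:
    def __init__(self):
        self.segments = {}  # name -> (codec, stored bytes, SHA-256 of the value)

    def put(self, name, value, codec="none"):
        digest = hashlib.sha256(value).hexdigest()
        self.segments[name] = (codec, CODECS[codec][0](value), digest)

    def get(self, name):
        codec, stored, digest = self.segments[name]
        try:
            value = CODECS[codec][1](stored)
        except (zlib.error, lzma.LZMAError) as exc:
            raise ValueError(f"segment {name!r} does not decompress") from exc
        if hashlib.sha256(value).hexdigest() != digest:
            raise ValueError(f"segment {name!r} failed its hash check")
        return value

    def recompress(self, name, codec):
        self.put(name, self.get(name), codec)  # verifies before rewriting

    def stored_size(self, name):
        return len(self.segments[name][1])

def build_sample():
    # Constructed data: 48 KiB of incompressible bytes stored twice, so the
    # duplicate lies beyond zlib's 32 KiB window but inside LZMA's dictionary.
    block = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(1536))
    store = SegmentStore()
    store.put("page0", block * 2, "zlib")
    store.put("gps", b"37.4220,-122.0841")                      # constructed value
    store.put("custody", b"2013-04-08 received by examiner A")  # constructed value
    return store, block * 2

if __name__ == "__main__":
    store, page = build_sample()
    before = store.stored_size("page0")
    store.recompress("page0", "lzma")
    print(before, "->", store.stored_size("page0"), store.get("page0") == page)
```

A hash stored beside the value catches corruption of that segment; it does not protect against someone who can rewrite both the value and its hash.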

AFF2.0 supports encryption of disk images. Unlike the password implemented by EnCase, encrypted images cannot be accessed without the necessary encryption key. FTK Imager/FTK added support for this encryption in version 3.0 and are able to create and access AFF encrypted images.

AFF Tools

See Also

External Links