
Announcing: Advanced Forensics Format 1.0

Subject: Announcing: Advanced Forensics Format 1.0
Date: Sun, 18 Sep 2005 20:21:52 -0400

I have developed a new file format for storing disk images and other forensic information. It's called the Advanced Forensic Format. Key features of the format include:

* Open format, free from any patent or license restriction.
  Can be used with both open-source and proprietary forensic tools.

* Extensible. Any amount of metadata can be encoded in AFF files in the
  format of name/value pairs.

* Efficient. AFF supports both compression and seeking within
  compressed files.

* Open Source C/C++ Implementation. A freely redistributable C/C++
  implementation including the AFF Library and basic conversion tools
  is available for download. AFFLib is being distributed under the BSD
  license, allowing it to be incorporated in free and proprietary
  programs without the need to pay license fees.

* Byte-order independent. AFFLib has been tested on both Intel and
  PowerPC-based systems. Images created on one platform can be read on
  another.

* Automatic calculation and storage of MD5 and SHA-1 hash codes,
  allowing AFF files to be automatically validated after they are
  copied to check for accidental corruption.

* Explicit identification of sectors that could not be read from the
  original disk.

* Because images are stored with a compression system that is not
  understood by today's anti-virus systems, a virus in the file
  doesn't trigger the anti-virus software.


I have successfully used the AFF image conversion program to convert my 172 gigabyte corpus of disk images so that it now fits in 44 gigabytes. My forensic data extraction programs can extract information from these compressed images faster than from the original raw files, because the overhead for decompressing the images is actually less than the time required to read the raw files. (CPUs are faster than disks, at least in my case.)


I am in the process of writing a new, clean, disk imaging program that combines the best features of programs such as dd_rescue, dcfldd, and a few other programs. The initial version of the program should be available within a few weeks.

The AFF library can be downloaded from:

http://www.simson.net/afflib/

It compiles on FreeBSD and Linux.

More information about AFFLIB will follow.

=====================================
Simson Garfinkel, Ph.D.
Center for Research on Computation and Society
Harvard University
simsong@eecs.harvard.edu
http://www.simson.net/
617-876-6111



