AFFLIB RSS Feedhttp://afflib.org/index.phpInformation about AFFensimsong@acm.orgCopyright 2008 Simson L. Garfinkel and Basis Technology Corp.2008-08-19T14:09:13-07:00 hourly 1 2000-01-01T12:00+00:00 Tue, 19 Aug 2008 14:10:01 -0700AFFLIB 3.3 Releasedsimsong@acm.orgreleases2008-08-19T14:09:13-07:00http://afflib.org/./announcements_files/bbfacf3ee66dbc17b19ec49a52d5331c-11.php#unique-entry-id-11http://afflib.org/./announcements_files/bbfacf3ee66dbc17b19ec49a52d5331c-11.php#unique-entry-id-11SUPPORT FOR VMWARE DISK IMAGES

AFFLIB 3.3 incorporates the disk image subsystem from the open-source
QEMU processor virtualization project. Although most of QEMU is
distributed under the GPL license, the disk subsystem is distributed
under a less restrictive license that allows any use.

As a result, forensic programs linked with AFFLIB can now
transparently access disk images stored in any of the following
formats; currently the format is specified with the indicated extension.

So far we have only tested with VMWare .vmdk images:

* VMWare VMDK (.vmdk) (tested)

We also have the ability to add additional file types, including:
* Bochs Virtual HD Image
* cloop
* cow
* DMG
* qcow
* qcow2
* VFAT
* Parallels
* Connectix Virtual PC

Support for these will be enabled if requested.
================================================================
SIGNIFICANTLY IMPROVED PERFORMANCE

Now that the feature set for AFFLIB is largely complete, we are
beginning to pay attention to performance issues. In particular, we
found a significant problem in versions 3.0 through 3.2 that would
significantly degrade performance of disk images larger than 1GB. This
has now been addressed.
]]>AFF publicationssimsong@acm.orgpublications2008-07-20T23:37:12-07:00http://afflib.org/./announcements_files/b3372c0b00f54db8b813912b51c9c930-10.php#unique-entry-id-10http://afflib.org/./announcements_files/b3372c0b00f54db8b813912b51c9c930-10.php#unique-entry-id-10AFF-related publications.
]]>AFFLIB 3.2.3 Releasedsimsong@acm.orgreleases2008-07-20T22:29:08-07:00http://afflib.org/./announcements_files/2cc8aa0859ce00a98ce9affff86dfd16-9.php#unique-entry-id-9http://afflib.org/./announcements_files/2cc8aa0859ce00a98ce9affff86dfd16-9.php#unique-entry-id-9
This release features a more in-depth regression suite which now automatically validates the AFFLIB encryption and digital signature features. (There are also bugfixes for the bugs that we found as a result of the automated regression testing.) Some of the command-line options for the afsign, afcrypto and afcopy commands have been changed for consistency. XML generation of afxml has been improved.

]]>MANDIANT Announces support for AFFsimsong@acm.orgAnnouncements2008-06-05T07:36:44-07:00http://afflib.org/./announcements_files/bb0e4b59ab362aab5dd816004c52fe32-8.php#unique-entry-id-8http://afflib.org/./announcements_files/bb0e4b59ab362aab5dd816004c52fe32-8.php#unique-entry-id-8
]]>AFFLIB 3.2.1 Released with signaturessimsong@acm.orgreleases2008-05-29T22:55:48-07:00http://afflib.org/./announcements_files/dba7644cdb14a8740646e4e2a08ce8d5-7.php#unique-entry-id-7http://afflib.org/./announcements_files/dba7644cdb14a8740646e4e2a08ce8d5-7.php#unique-entry-id-7public key. It also includes improved support for libewf when compiled with multibyte string support.

]]>AFFLIB 3.2 Released with full support for public key cryptographysimsong@acm.orgreleases2008-05-12T11:17:59-07:00http://afflib.org/./announcements_files/6231d11be14a0de358f6bc9cb3ca74c7-6.php#unique-entry-id-6http://afflib.org/./announcements_files/6231d11be14a0de358f6bc9cb3ca74c7-6.php#unique-entry-id-6
AFFLIB now supports the following features:
  • Images in AFF or AFD format can be digitally signed.
  • Raw files and split/raw files can be digitally signed using the AFM format.
  • Images in the AFF or AFD format can be encrypted with a passphrase.
  • Images in the AFF or AFD format can be encrypted with a public key; once encrypted, the image can only be accessed by someone with the corresponding private key.

Encryption keys and passphrases can be specified either in filenames or in environment variables, allowing for transparent operating with existing AFF-compliant programs such as SleuthKit. Encryption is fully operable in the affuse program, allowing an encrypted AFF image to be mounted as an unencrypted, raw image in a Linux file system. This can be used in conjunction with VMWare player and Windows XP, allowing programs such as EnCase and FTK to access AFF-encrypted images.

The draft of a journal article that describes AFF encryption appears at http://www.afflib.org/affcrypto.pdf.
]]>AFFLIB 3.1 and AIMAGE 3.1 Releasedsimsong@acm.orgreleases2007-11-28T11:58:18-08:00http://afflib.org/./announcements_files/d433bd78050cd544c91dc32957d21955-5.php#unique-entry-id-5http://afflib.org/./announcements_files/d433bd78050cd544c91dc32957d21955-5.php#unique-entry-id-5
With this release we have separated out AIMAGE from the AFFLIB code base to allow for more rapid development of AIMAGE without continually producing new AFF releases.

Other improvements with AFFLIB 3.1 include:

* Better support for compiling on different versions of Linux
* Better error reporting in the afsign and afverify

This is a minor release which does not offer improved performance, but if you are using the digital signature features you should upgrade.
]]>AFFLIB 3.0 Releasedsimsong@acm.orgreleases2007-11-11T05:46:37-08:00http://afflib.org/./announcements_files/c9253ff23419749be4612e4ede62bb5d-4.php#unique-entry-id-4http://afflib.org/./announcements_files/c9253ff23419749be4612e4ede62bb5d-4.php#unique-entry-id-4Version 3.0 is a significant upgrade to AFFLIB which introduces the
following features:

  • STRONG DIGITAL SIGNATURES WITH X.509 CERTIFICATES
  • SIGNED BILL-OF-MATERIALS AND CHAIN OF CUSTODY
  • SIGNED ISO FILES
  • PARITY PAGES ALLOW RECONSTRUCTION OF DAMAGED DISK IMAGES

STRONG ENCRYPTION FOR AFF FILES.


With Version 3.0 we are introducing the ability to encrypt AFF evidence files with the AES-256 algorithm, the strongest encryption algorithm available today.

Each AFF 3.0 file can be encrypted with a unique AES-256 key. This key is can then itself be encrypted using a passphrase provided by the user, or using an X.509 public key. Because of this two-step process, the passphraseor public key can be changed in just a few seconds without having to decrypt and re-encrypt the entire disk image.

Whereas some other forensic programs provide the ability to put a "password" on an evidence file, those passwords can be disregarded by non-conformant programs. (For example, GetData claims that it's MountImage Pro program can "open EnCase password protected image files without the password.) AFF 3.0 uses true encryption: if you do not know the correct decryption key, the only way to access the evidence is to brute-force the encryption passphrase (if there is one). THERE IS NO BACK DOOR.


STRONG DIGITAL SIGNATURES WITH X.509 CERTIFICATES


Version 3.0 introduces strong digital signatures (SHA-256) signed with X.509 certificates.

Digital signatures represents a significant improvement for evidence integrity over today's standard practice of recording the MD5 or SHA-1 of an imaged disk in an investigator's notebook.

AFF Digital Signatures, signatures are written for the entire disk image, all of the disk's metadata, and every 16-megabyte AFF "page." Because digital signatures are written after each "page" is acquired, the integrity of these pages can be established in court even if the entire disk cannot be images (for example, because the device is fault, or because there is insufficient time).

AFF Digital Signatures complement existing integrity measures. Because the signature is stored in its own metadata segment, the signature does not change the content of the acquired disk image.

Signatures can be written with either self-signed certificates or with X.509 certificates that are issued as part of an organization's PKI. Using X.509 certificates means that AFF can support RSA or DSA algorithms with 1024, 2048 or larger keys.


SIGNED BILL-OF-MATERIALS AND CHAIN OF CUSTODY


Version 3.0 introduces a special XML structure that contains a list of every AFF segment in the file, a signature for each segment, a set of "notes," and a public key. This structure is called an "AFF Bill Of Materials" (AFFBOM).

When an AFF image is created with AIMAGE, the AFFBOM is created and signed with the private key belonging to the person who did the acquisiton. Thereafter, each time a signed AFF file is copied, a new AFFBOM can be created which includes a new AFFBOM which covers all of the original segments and all of the previous AFFBOMs. In this manner the sequence of signed bill-of-materials becomes a custody chain, showing who has copied the image and verifying that no evidentuary segments have been added, deleted, or modified.


SIGNED ISO FILES


AFF's "AFM" format allows a disk image to be stored in an uncompressed raw file (eg "file.iso") and the associated metadata to be stored in a ".afm" file. The AFM format can also handle raw data stored as a series of "split" raw files (eg "file.001", "file.002", "file.003" etc.)

Beacuse AFF tools operating on named segments that are independent of the underlying storage container, the AFM format allows any ISO-file to be signed using the "afsign" command. When filename.iso is signed, the afsign create a new file called filename.afm which contains the signatures, the signed bill of materials, and other metadata.

Although it is also possible sign ISO files using existing tools such as PGP with detached signatures, afsign has several advantages:

  • afsign will sign every 16-megabytes chunk of the ISO file. In this way, if the file is corrupted, you will be able to pinpoint what data is invalid and what data is still good.
  • Unlike PGP, afsign allows you to add arbitrary metadata and maintain chain-of-custody information.
  • You can sign with X.509 certificates


PARITY PAGES ALLOW RECONSTRUCTION OF DAMAGED DISK IMAGES


Because every 16-megabyte chunk of an AFF or AFM file is signed, it is easy to detect when a page has been modified or accidently corrupted. The BoM allows missing pages to be detected.

Similar to RAID5 on hard drives, an AFF parity page makes possible to reconstruct damaged or missing AFF data segments. Once repaired or reconstructed, the signature (which is stored in a differnet location) can be used to determine if the reconstruction is correct.

Partiy Pages are automatically created when an image is signed with afsign. The rewritten aimage that will be part of AFFLIB 3.1 will create parity pages as the drive is imaged.

AVAILABILITY


AFFLIB 3.0.0 is available now.


NEW AND MODIFIED TOOLS IN AFF 3.0:


The following tools have been aded for AFF 3.0:

* afsign - signs an AFF file.

* afverify - verifies the signature and chain-of-custody segments of
an AFF file.

* afcrypto - manipulates the cryptographic properties of an AFF file.
- Can change the passphrase

The following tools have been modified:

* afcopy - If you provide a signing key, a signed bill-of-materials
will be added to extend the chain-of-custody.


Other changes in AFF3.0:

* A few bugs have been fixed which caused difficulties in testing. (No
users reported problems with them.)

COMING IN AFFLIB 3.1:


I've pushed out Version 3.0 so that people can start to experiment with it now. Meanwhile, I'm now working on the following features which, I'm hoping, will make it into Version 3.1:

  • Public key encryption (so agents in the field can encrypt to a public key, and the images can only be decrypted in the lab.)
  • Dramatically improved performance when opening AFF files with signed bill-of-materials. (The BOM will be used as a table-of-contents so that large AFF files do not need to be scanned from end-to-end.)
  • The ability to image raw and AFF files at the same time will be removed (since AFF can now write raw files directly).
  • page-at-a-time imaging, resulting in more compact AFF files (less wasted space) and easier implementation of novel data recovery algorithms.
  • Calculation of parity pages while the image is written, rather than afterwards.
]]>Scrave Releasedsimsong@acm.orgcarvers2007-08-19T23:24:30-07:00http://afflib.org/./announcements_files/089e431b790ae3354c421936b682d39f-3.php#unique-entry-id-3http://afflib.org/./announcements_files/089e431b790ae3354c421936b682d39f-3.php#unique-entry-id-3http://www.afflib.org/downloads/scrave-0.0.1.tar.gz
]]>Version 2.3 Releasedsimsong@acm.orgreleases2007-07-01T18:21:44-07:00http://afflib.org/./announcements_files/0c88caed330e75f89a006b0f5cee6855-2.php#unique-entry-id-2http://afflib.org/./announcements_files/0c88caed330e75f89a006b0f5cee6855-2.php#unique-entry-id-2aimage still doesn't run under Windows, but that is on the list.

]]>Version 2.2.22 Releasedsimsong@acm.orgreleases2007-06-10T21:22:19-07:00http://afflib.org/./announcements_files/6e55154f30bffb4be92f9d69384f4766-1.php#unique-entry-id-1http://afflib.org/./announcements_files/6e55154f30bffb4be92f9d69384f4766-1.php#unique-entry-id-1
]]>New Websitesimsong@acm.orgAnnouncements2007-05-27T17:48:37-07:00http://afflib.org/./announcements_files/3996d95ccaca8ccbbadeef02ca151f97-0.php#unique-entry-id-0http://afflib.org/./announcements_files/3996d95ccaca8ccbbadeef02ca151f97-0.php#unique-entry-id-0]]>