Advanced Forensic Format
The Advanced Forensic Format (AFF) is an open, extensible format for storing disk images together with forensic metadata. AFF was introduced in 2006 as a patent-unencumbered alternative to proprietary evidence containers, allowing data and metadata to be kept together or separately and supporting features such as compression, digital signatures and optional encryption.[1][2][3]

History

AFF was proposed by Garfinkel and collaborators in 2006 in an IFIP/DFRWS-linked volume, positioning it as a flexible, open format for disk imaging with richer metadata than raw images and reduced storage through compression.[1] The format's reference implementation is the open-source AFFLIB library and tools, initially from Basis Technology and later maintained by community contributors.[3]

Design and features

AFF defines a container that stores disk data and associated metadata in segments. Implementations support lossless compression and optional encryption, and can embed a cryptographic signature for chain-of-custody and integrity verification.[3][2] The AFFLIB API exposes an image as a stream plus a name–value metadata store; tools include an imager (aimage), a converter (afconvert), and utilities for exporting metadata (e.g., afxml).[4][5]

Variants

AFF version 3 implementations commonly use three related on-disk layouts:[6][7]
Advanced Forensic Framework 4 (AFF4)

AFF4 (Advanced Forensic Framework 4) was proposed in 2009 as a redesign that generalises AFF into a framework for evidence containers. AFF4 separates storage from semantics, supports multiple evidence types in a single archive, and introduces chunked storage with indexed "bevies" for efficient random access.[8][9]

Design

AFF4 is object-oriented: every entity (evidence stream, container, map) is assigned a globally unique URN and described with RDF triples (linked-data facts). Evidence data are stored as compressed chunks grouped into bevies, with a separate index enabling random access; typical containers are either directory-based or ZIP/ZIP64 archives.[10][11] AFF4 supports HTTP range access for remote use, map streams for storage virtualisation (e.g., reconstructing RAID or referencing carved files without duplication), and cryptographic metadata about chunks and maps to support verification workflows.[12]

Implementations and tooling

Open implementations include a Python reference library (pyaff4), a C/C++ implementation (c-aff4 and forks), and a lightweight reader (aff4-cpp-lite). Canonical sample images are published for conformance testing.[13][14][15][16][17]

Performance-oriented extensions

Subsequent research proposed "wirespeed" extensions for higher-throughput acquisition, including faster compression (e.g., Snappy), block-level hashing and partial imaging semantics to represent unreadable or unacquired regions.[18]

AFF4-L (logical imaging)

AFF4-L generalises AFF4 to logical evidence, supporting deduplicated content storage and arbitrarily rich, structured metadata. A DFRWS 2019 paper describes a prototype implementation and use cases for scalable logical imaging.[19][20]

Tooling and support

The AFFLIB toolset can interconvert images among raw (dd), split-raw, AFF/AFD/AFM, and other formats, verify images, and generate chain-of-custody segments.[21] Community corpora (e.g., Digital Corpora) reference AFF images and provide conversion guidance.[22] Industry discussions and vendor documentation describe AFF4/AFF4-L as open containers aimed at interoperability and performance in modern workflows.[23]
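The segment model described under Design and features (compressed page segments, a name–value metadata store, and an integrity segment used for chain-of-custody verification) can be made concrete with a small illustration. The following Python is an added example, not code from the AFF article or from AFFLIB; the header bytes, the 4 KiB page size and the segment encoding are constructed for the demo and do not match AFFLIB's real on-disk layout.

```python
"""Simplified AFF-style segment container (added illustration, not AFFLIB's
real on-disk layout): a container is a sequence of named segments, page
segments hold compressed slices of the disk, other segments hold name-value
metadata, and an integrity segment carries a digest of the original data.
"""
import hashlib
import struct
import zlib

MAGIC = b"AFFDEMO1"   # constructed header, not the real AFF file signature
PAGE_SIZE = 4096      # constructed; AFFLIB uses much larger pages


def pack_container(segments: dict) -> bytes:
    """Serialise {name: bytes} as MAGIC followed by length-prefixed segments."""
    out = [MAGIC]
    for name, data in segments.items():
        n = name.encode()
        out.append(struct.pack(">HI", len(n), len(data)) + n + data)
    return b"".join(out)


def read_segments(blob: bytes) -> dict:
    """Parse a container back into {name: bytes}; rejects an unknown header."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a demo AFF container")
    pos, segs = len(MAGIC), {}
    while pos < len(blob):
        nlen, dlen = struct.unpack_from(">HI", blob, pos)
        pos += struct.calcsize(">HI")
        name = blob[pos:pos + nlen].decode()
        pos += nlen
        segs[name] = blob[pos:pos + dlen]
        pos += dlen
    return segs


def write_image(raw: bytes, metadata: dict) -> bytes:
    """Build a container: control and metadata segments, compressed pages, digest."""
    segs = {"imagesize": str(len(raw)).encode(), "pagesize": str(PAGE_SIZE).encode()}
    segs.update({k: v.encode() for k, v in metadata.items()})
    for i in range(0, len(raw), PAGE_SIZE):
        segs[f"page{i // PAGE_SIZE}"] = zlib.compress(raw[i:i + PAGE_SIZE])
    segs["sha256"] = hashlib.sha256(raw).digest()   # integrity segment
    return pack_container(segs)


def extract_image(blob: bytes) -> bytes:
    """Reassemble the raw disk image from the page segments."""
    segs = read_segments(blob)
    size, page = int(segs["imagesize"]), int(segs["pagesize"])
    n_pages = (size + page - 1) // page
    raw = b"".join(zlib.decompress(segs[f"page{i}"]) for i in range(n_pages))
    return raw[:size]


def metadata_of(blob: bytes) -> dict:
    """Return the name-value metadata, leaving out page and control segments."""
    control = ("imagesize", "pagesize", "sha256")
    return {k: v.decode() for k, v in read_segments(blob).items()
            if not k.startswith("page") and k not in control}


def verify(blob: bytes) -> bool:
    """Recompute the digest of the reassembled image and compare it with the segment."""
    segs = read_segments(blob)
    return hashlib.sha256(extract_image(blob)).digest() == segs["sha256"]


if __name__ == "__main__":
    disk = bytes(range(256)) * 40   # constructed 10 KiB "disk"
    image = write_image(disk, {"acquisition_device": "/dev/example", "examiner": "demo"})
    print(metadata_of(image), verify(image))
```

The digest segment only detects modification; a real AFF signature segment binds the digest to a key, which is what turns this check into a chain-of-custody claim rather than a checksum.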
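The AFF4 Design section above describes chunked, compressed storage grouped into bevies with a separate index for random access, and map streams that reference ranges of an existing stream without duplicating bytes. The following Python is an added example, not code from the article or from pyaff4; the chunk size, bevy size and the in-memory index are constructed for the demo and do not reproduce AFF4's actual container layout or RDF metadata.

```python
"""Simplified AFF4-style chunked image stream with a bevy index and a map stream
(added illustration, not pyaff4's real container format): the image is cut into
fixed-size chunks, each chunk is compressed, chunks are grouped into bevies, and
each bevy keeps an index of chunk offsets so a read at any byte offset inflates
only the chunks it touches. A map stream exposes ranges of that stream as a
virtual object, e.g. a carved file, without copying the bytes.
"""
import zlib

CHUNK_SIZE = 1024       # constructed; AFF4 defaults are far larger
CHUNKS_PER_BEVY = 4     # constructed; AFF4 defaults are far larger


class ImageStream:
    """Compressed, chunked evidence stream with random access through a bevy index."""

    def __init__(self, raw: bytes):
        self.size = len(raw)
        self.decompressions = 0          # counts chunks inflated, to show the saving
        self.bevies = []                 # list of (bevy bytes, [chunk offset, ...])
        chunks = [raw[i:i + CHUNK_SIZE] for i in range(0, len(raw), CHUNK_SIZE)]
        for b in range(0, len(chunks), CHUNKS_PER_BEVY):
            data, index = bytearray(), []
            for chunk in chunks[b:b + CHUNKS_PER_BEVY]:
                index.append(len(data))  # offset of this chunk inside the bevy
                data += zlib.compress(chunk)
            self.bevies.append((bytes(data), index))

    def _chunk(self, n: int) -> bytes:
        """Locate chunk n through the index and inflate just that chunk."""
        bevy_no, i = divmod(n, CHUNKS_PER_BEVY)
        data, index = self.bevies[bevy_no]
        end = index[i + 1] if i + 1 < len(index) else len(data)
        self.decompressions += 1
        return zlib.decompress(data[index[i]:end])

    def read(self, offset: int, length: int) -> bytes:
        """Return length bytes at offset, touching only the chunks that overlap."""
        if offset < 0 or length < 0 or offset + length > self.size:
            raise ValueError("read outside the stream")
        out, pos, end = bytearray(), offset, offset + length
        while pos < end:
            chunk = self._chunk(pos // CHUNK_SIZE)
            within = pos % CHUNK_SIZE
            take = min(CHUNK_SIZE - within, end - pos)
            out += chunk[within:within + take]
            pos += take
        return bytes(out)


class MapStream:
    """Virtual stream assembled from ranges of a backing stream (e.g. a carved file)."""

    def __init__(self, target: ImageStream, ranges):
        # ranges: (map_offset, length, target_offset) triples supplied by the caller;
        # assumed here to tile [0, size) without gaps
        self.target = target
        self.ranges = sorted(ranges)
        self.size = sum(length for _, length, _ in ranges)

    def read(self, offset: int, length: int) -> bytes:
        """Translate the request through the map and read each piece from the target."""
        if offset < 0 or length < 0 or offset + length > self.size:
            raise ValueError("read outside the map")
        out, end = bytearray(), offset + length
        for map_off, map_len, target_off in self.ranges:
            lo, hi = max(offset, map_off), min(end, map_off + map_len)
            if lo < hi:  # this range overlaps the request
                out += self.target.read(target_off + (lo - map_off), hi - lo)
        return bytes(out)


def demo():
    disk = bytes(range(256)) * 40                  # constructed 10 KiB disk: 10 chunks
    stream = ImageStream(disk)
    window = stream.read(1000, 100)                # spans chunks 0 and 1 only
    carved = MapStream(stream, [(0, 300, 5000), (300, 100, 100)])
    return window, stream.decompressions, carved.read(250, 100)


if __name__ == "__main__":
    print(demo())
```

The point to notice is the `decompressions` counter: a 100-byte read near the 1 KiB boundary inflates exactly two chunks, not the whole bevy or the whole image, and the map stream reaches the carved file's two fragments through the same path with no second copy of the data.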