Hello,
According to this old Sluthkit page, Autopsy v2 supported AFF images.
Autopsy and TSK support raw, Expert Witness, and AFF file formats.
When I try to add a data source in Autopsy 4.19.1, AFF is not one of the supported file types.
If I try to open the image by filtering on All Files, Autopsy doesn’t know what to do with it.
Errors occurred while ingesting image
- Possible encryption detected (High entropy (7.99)) (Sector offset: 0)
A friend mentioned this might be fixed by a plugin, but the list of available plugins is blank.
Do modern versions of Autopsy support AFF images? If so, how? Currently, I’ve resorted to converting AFF images to RAW using affconvert. Pf course, those files are much larger.
Ah, I see now that AFF3 and AFFLIBv3 have been depreciated.
AFF3 and AFFLIBv3 have been depreciated and should not be used for new projects.
The AFF4 GitHub repository is gone. So I’ll stick with E01 (Encase format) for compressed images. FTK Imager does a great job with compression when the compression setting is maxed out at 9. A 62 GB RAW image, was converted to a 24 GB E01 file!
So, if anyone else is reading this and wondering how to convert AFF images to E01 images:
- Convert the
AFF image to RAW using affconvert
affconvert example.aff -r example.raw
- Convert the
RAW image to E01 using by adding the RAW image as a source, right clicking it-and exporting the image in E01 format. Or use ewfaquire
ewfaquire -c best example.raw
AFF4 is now at AFF4 · GitHub
