Learn real-world skills from real-world cyber security practitioners. View upcoming Live Online Events.


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

AFF4: The New Standard in Forensic Image Format, and Why You Should Care

  • Monday, April 17, 2017 at 3:00 PM EDT (2017-04-17 19:00:00 UTC)
  • Dr. Bradley Schatz

You can now attend the webcast using your mobile device!



The traditional approach to forensic imaging hinders forensic workflow, imposing significant delays between evidence identification and meaningful analysis. Practitioners and responders are faced with the unsatisfactory choice of either forensically preserving only a limited amount of evidence while accepting the risk of missing relevant information (triage), or delaying analysis while waiting for full forensic preservation. This seminar will examine why a new forensic imaging format is needed, and outline the ongoing efforts in standardizing the Advanced Forensic Format 4 Forensic Container (AFF4). Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container supports a range of next generation forensic image features such as storage virtualisation, extensible metadata, partial, non-linear and discontinuous images, and moreover significant speed improvements. Current AFF4 implementations include Evimetry, Rekall, the Pmem suite of Memory Acquisition tools, and Google Rapid Response.  The seminar will present an introduction to the format and outline the current state of adoption within the forensic ecosystem.

To learn more on this topic, attend the 10th annual SANS Digital Forensics & Incident Response (DFIR) Summit & Training. This training event brings together the most influential group of experts, the highest quality training, and the greatest industry networking opportunities in one place. Over the course of this eight-day training event, you'll enjoy:

  • Highly technical digital forensics and incident response presentations from the industry's top practitioners during the two-day Summit
  • Nine SANS DFIR courses to choose from to advance your training, build your arsenal of defenses, and learn how to better protect your organization
  • The opportunity to network with fellow attendees at receptions and community-building events
  • A DFIR NetWars tournament to sharpen your skills and solve incident-related challenges

Speaker Bio

Dr. Bradley Schatz

Bradley Schatz leads the digital forensics consultancy Schatz Forensic. Since the completion of a PhD in Digital forensics in 2007, his principal role has been as a DF practitioner in private practice. He has remained an active researcher in the field, with the practical contributions of Bradley’s research including, in 2010, bringing Windows Vista and Windows 7 analysis to the Volatility framework.

Need Help? Visit our FAQ page or email webcast-support@sans.org.

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.