The traditional approach to forensic imaging hinders forensic workflow, imposing significant delays between evidence identification and meaningful analysis. Practitioners and responders face an unsatisfactory choice: either forensically preserve only a limited amount of evidence and accept the risk of missing relevant information (triage), or delay analysis while waiting for full forensic preservation. This seminar will examine why a new forensic imaging format is needed and outline the ongoing efforts to standardize the Advanced Forensic Format 4 Forensic Container (AFF4). Originally proposed in 2009 by Michael Cohen, Simson Garfinkel, and Bradley Schatz, the AFF4 forensic container supports a range of next-generation forensic image features such as storage virtualisation, extensible metadata, and partial, non-linear and discontinuous images, as well as significant speed improvements. Current AFF4 implementations include Evimetry, Rekall, the Pmem suite of memory acquisition tools, and Google Rapid Response. The seminar will present an introduction to the format and outline the current state of adoption within the forensic ecosystem.
To learn more on this topic, attend the 10th annual SANS Digital Forensics & Incident Response (DFIR) Summit & Training. This training event brings together the most influential group of experts, the highest quality training, and the greatest industry networking opportunities in one place. Over the course of this eight-day training event, you'll enjoy: