گسترش فرمت های پزشکی قانونی پیشرفته به جای منابع چندگانه داده ها، شواهد منطقی، اطلاعات دلخواه و جریان کار پزشکی قانونی

Forensic analysis requires the acquisition and management of many different types of evidence, including individual disk drives, RAID sets, network packets, memory images, and extracted files. Often the same evidence is reviewed by several different tools or examiners in different locations. We propose a backwards-compatible redesign of the Advanced Forensic Format—an open, extensible file format for storing and sharing of evidence, arbitrary case related information and analysis results among different tools. The new specification, termed AFF4, is designed to be simple to implement, built upon the well supported ZIP file format specification. Furthermore, the AFF4 implementation has downward comparability with existing AFF files.

Storing and managing digital evidence is becoming increasingly more difficult, as the volume and size of digital evidence increases. Evidence sources have also evolved to include data other than disk images, such as memory images, network images and regular files. Preserving such digital evidence is an important part of most digital investigations (Carrier and Spafford, 2004), and managing the evidence in a distributed organization is now emerging as a critical requirement. This paper presents a framework for managing and storing digital evidence. We first examine existing evidence management file formats and outline their strengths and limitations. We then explain how the proposed Advanced Forensics Format (AFF4) framework extends these efforts into a universal evidence management system. The detailed description of the AFF4 proposal is then followed by concrete real world use cases.

This paper describes a significant enhancement to the Advanced Forensic Format (AFF1). AFF4, extends beyond a file format to describe a universal framework for evidence management, offering significant new features such as the ability to store multiple kinds of evidence from multiple devices in a single archive, and an improved separation between the underlying storage mechanism and forensic software that makes use of evidence stored using AFF. This improved system allows a single archive of evidence to be used in a plethora of modalities, including in a single evidence file, multiple evidence files stored on multiple workstations, and evidence stored in a relational database or object management system—all without making changes to forensic software. We have developed an open source reference implementation, but the AFF4 framework is simple enough for competing implementations. We hope this simplicity enhances AFF4's acceptance and adoption as a standard evidence management platform.