File Formats and Common Forensic Software Programs

Question 1

The Advanced Forensic Format AFF

Answer 1

was invented by Basis Technology. It is an open file standard with three variations: AFF, AFM, and AFD. AFF stores all data and metadata in a single file. AFM stores the data and metadata in separate files, AFD stores the data and metadata in multiple small files. Sleuth Kit and Autopsy both support AFF.

Question 2

EnCase

Answer 2

Is a proprietary format that is defined by Guidance Software for use in its EnCase tool to store hard drive images and individual files. It includes a hash of the file to ensure nothing was changed when it was copied from the source.

Question 3

EnCase Software

Answer 3

very widely used forensic toolkit. This allows the examiner to connect an Ethernet cable or null modem cable to a suspect machine and to view the data on that machine.

Question 4

Forensic Toolkit FTK

Answer 4

Forensic analysis tool that is very popular with law enforcement. Can select which hash to use to verify the drive when you copy it, which features you want to use on the suspect drive, and how to search.

Question 5

Sleuth Kit

Answer 5

A collection of command-line tools that are available as a free download.

Question 6

Autopsy

Answer 6

A free download, cost effect option for a forensics toolkit.

Question 7

Disk Investigator

Answer 7

Free utility that comes as GUI for use with Windows operating systems. Not as full featured as EnCase, but remarkably easy to use.