Image compression with the Advanced Forensics Format and ‘afconvert’.

I’ve spoken about the Advanced Forensics Format in a prior blog posting. The AFF format allows metadata to be stored in the image and also enables significant image compression.

To get an idea of the compression rates available I first took an image (with dcfldd) of an old USB thumb drive I had lying around. Note: the AFFLIB tools include their own imaging tool called ‘aimage’.

# dcfldd if=/dev/sdc1 hash=md5,sha256 hashwindow=500M hashconv=after bs=512 of=/scratch/usb.img
260096 blocks (127Mb) written.
0 - 133234688: 9edebad806bc6d7793e6bb5b79c53e3f
0 - 133234688: 6edd40d9aaac7e9a8ac16ed80c5b8a4e36b64db9a9bac0fa90fcf759f10506c3
Total (md5): 9edebad806bc6d7793e6bb5b79c53e3f
Total (sha256): 6edd40d9aaac7e9a8ac16ed80c5b8a4e36b64db9a9bac0fa90fcf759f10506c3

260224+0 records in
260224+0 records out
#

The resulting image size is approx 133MB.

# ls -l /scratch/usb.img
-rw-r--r-- 1 root root 133234688 2010-07-01 14:19 /scratch/usb.img
#

I then convert the dd image to AFF using ‘afconvert’, also from the AFFLIB tools. ‘afconvert’ allows an examiner to convert a raw forensic disk image (plus a number of other formats) to the Advanced Forensics Format. The syntax is pretty simple: just provide ‘afconvert’ with the name of the raw image on the command line. The new filename is the old name with a .aff extension. MD5 and SHA1 hashes are automatically calculated.

# afconvert /scratch/usb.img
convert /scratch/usb.img --> /scratch/usb.aff
Converting page 7 of 7
md5: 9edebad806bc6d7793e6bb5b79c53e3f
sha1: 4367d0bf2403994e19131a6c1f1fd5b39b47fc85
bytes converted: 133234688
Total pages: 8  (8 compressed)

Conversion finished.
#
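A conversion is only usable as evidence if it still hashes to the acquisition value. The following check is an added example (not part of the original post or of AFFLIB): it parses the dcfldd and afconvert output shown above, compares whichever hash algorithms both tools reported, and confirms the converted byte count. The function names are hypothetical.

```python
import re

# Tool output copied from the two sessions above.
DCFLDD_LOG = """\
Total (md5): 9edebad806bc6d7793e6bb5b79c53e3f
Total (sha256): 6edd40d9aaac7e9a8ac16ed80c5b8a4e36b64db9a9bac0fa90fcf759f10506c3
"""
AFCONVERT_LOG = """\
md5: 9edebad806bc6d7793e6bb5b79c53e3f
sha1: 4367d0bf2403994e19131a6c1f1fd5b39b47fc85
bytes converted: 133234688
Total pages: 8  (8 compressed)
"""
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_hashes(log, pattern):
    """Return {algorithm: hexdigest} for every well-formed hash line."""
    found = {}
    for algo, digest in re.findall(pattern, log, flags=re.M | re.I):
        algo, digest = algo.lower(), digest.lower()
        if len(digest) == HEX_LEN.get(algo):  # drop truncated digests
            found[algo] = digest
    return found


def verify_conversion(acq_log, conv_log, raw_size):
    """Compare acquisition hashes with those afconvert printed."""
    acquired = parse_hashes(acq_log, r"^Total \((\w+)\):\s*([0-9a-f]+)\s*$")
    converted = parse_hashes(conv_log, r"^(md5|sha1|sha256):\s*([0-9a-f]+)\s*$")
    shared = sorted(set(acquired) & set(converted))
    if not shared:
        raise ValueError("no hash algorithm common to both tools")
    mismatched = [a for a in shared if acquired[a] != converted[a]]
    m = re.search(r"^bytes converted:\s*(\d+)\s*$", conv_log, flags=re.M)
    size_ok = m is not None and int(m.group(1)) == raw_size
    return {"compared": shared, "mismatched": mismatched,
            "size_ok": size_ok, "verified": not mismatched and size_ok}


if __name__ == "__main__":
    # 133234688 is the size of usb.img reported by ls -l above.
    print(verify_conversion(DCFLDD_LOG, AFCONVERT_LOG, 133234688))
```

Only md5 is comparable here, because dcfldd was asked for md5 and sha256 while afconvert reports md5 and sha1.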

With default compression the image size was reduced significantly from 133MB to 38MB.

# ls -l /scratch/usb*
-rwxr-xr-x 1 root root  38222139 2010-07-01 14:19 /scratch/usb.aff
-rw-r--r-- 1 root root 133234688 2010-07-01 14:19 /scratch/usb.img
#

By default ‘afconvert’ uses gzip/bzip compression. LZMA is an alternative compression algorithm for image conversions which provides better compression rates.  Let’s convert and force use of the LZMA compression algorithm. The -L switch instructs ‘afconvert’ to use LZMA compression while the -z switch forces afconvert to overwrite an already existing .aff file of the same name.

# afconvert /scratch/usb.img
/scratch/usb.aff: file exists. Delete it before converting.
#

# afconvert -L -z /scratch/usb.img
convert /scratch/usb.img --> /scratch/usb.aff
Converting page 7 of 7
md5: 9edebad806bc6d7793e6bb5b79c53e3f
sha1: 4367d0bf2403994e19131a6c1f1fd5b39b47fc85
bytes converted: 133234688
Total pages: 8  (8 compressed)
Conversion finished.
#

The resulting image size with LZMA compression is 35.9MB.

# ls -l /scratch/usb.aff
-rwxr-xr-x 1 root root 35998367 2010-07-01 14:19 /scratch/usb.aff
#

This is better compression, but not significantly better given the additional time taken to complete the conversion. It took about 3 times the effort to convert the image with LZMA compared with standard gzip/bzip compression.

If you’re more concerned with speed of the imaging process than compression you can use the -x switch to instruct ‘afconvert’ not to use compression. The conversion is significantly faster.

# afconvert -x -z /scratch/usb.img
convert /scratch/usb.img --> /scratch/usb.aff
Converting page 7 of 7
md5: 9edebad806bc6d7793e6bb5b79c53e3f
sha1: 4367d0bf2403994e19131a6c1f1fd5b39b47fc85
bytes converted: 133234688
Total pages: 8  (0 compressed)
Conversion finished.
#

# ls -l /scratch/usb.aff
-rwxr-xr-x 1 root root 133235985 2010-07-01 14:19 /scratch/usb.aff
#

The -Xn switch (where n is a whole number from 1) allows you to apply varying degrees of compression when converting. The default is 7 when not given.

# afconvert -X1 -z /scratch/usb.img
convert /scratch/usb.img --> /scratch/usb.aff
Converting page 7 of 7
md5: 9edebad806bc6d7793e6bb5b79c53e3f
sha1: 4367d0bf2403994e19131a6c1f1fd5b39b47fc85
bytes converted: 133234688
Total pages: 8  (8 compressed)
Conversion finished.

# ls -l /scratch/usb.aff
-rwxr-xr-x 1 root root 39530306 2010-07-01 14:19 /scratch/usb.aff

# afconvert -X9 -z /scratch/usb.img
[snip]

# ls -l /scratch/usb.aff
-rwxr-xr-x 1 root root 38172377 2010-07-01 14:19 /scratch/usb.aff
#

The results are a bit confusing, as the default value of 7 still gives worse compression rates than not using the switch at all. The range is 1 to 9. Using any value above 9 results in no compression. I would expect 9 to give the best compression, but it only gives very slightly better compression than default gzip/bzip (38.1MB versus 38.2MB) and does not match the default LZMA total of 35.9MB. I expect that with larger disk images, of 80GB for example, you would see better levels of compression. Something for another day perhaps.

  1. December 15, 2010 at 4:35 pm

    Nice tutorial!
    Is it possible to convert it in another place than where the original file stands?

  2. January 11, 2011 at 5:46 pm

    Hi Netsorcist
    Sorry I haven’t had a chance to test whether you could convert and have the output file sent to another device. I guess it should be possible.
    DGB.
