aff4-forensic
Pure-Rust, read-only AFF4 (Advanced Forensic Format 4) tooling:
- aff4 (the reader) — opens AFF4 Standard v1.0 disk images: aff4:Map virtual addressing, all four chunk codecs (Null / Deflate / Snappy / LZ4), symbolic-stream fills (Zero / FF / SymbolicStream{XX} / UnknownData / UnreadableData), URL-encoded ZIP entry names, and AFF4-Logical (AFF4-L) file containers. Read + Seek over the virtual stream. Zero unsafe, no C bindings.
- aff4-forensic (the analyzer) — recomputes the integrity claims an image makes about itself: AFF4-HASH-MISMATCH (a stored aff4:hash does not match the recomputed digest) and AFF4-HASH-UNREADABLE (a region could not be acquired).
Quick start
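```rust
use aff4::Aff4Reader;
use std::io::Read;

fn main() -> Result<(), aff4::Aff4Error> {
    // Open the image; the reader is Read + Seek over the virtual stream.
    let mut reader = Aff4Reader::open("image.aff4".as_ref())?;
    let mut buf = vec![0u8; 512];
    reader.read_exact(&mut buf)?; // virtual sector 0
    Ok(())
}
```

```rust
use aff4_forensic::audit_image;

fn main() -> Result<(), aff4::Aff4Error> {
    // Print each finding's code (e.g. AFF4-HASH-MISMATCH) with its note.
    for finding in audit_image("image.aff4".as_ref())? {
        println!("{}: {}", finding.code, finding.note);
    }
    Ok(())
}
```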
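An added example, not code from the aff4 crate: it resolves a read through an aff4:Map-style table whose entries point at stored data, a constant-byte symbolic fill, or UnreadableData, and returns which ranges hold no acquired bytes, the distinction an integrity check has to keep in view. The names Target, Entry, read_virtual and sample_map, the choice to report map holes and truncated data as unacquired, and the sample map are assumptions for illustration; the on-disk map encoding and the UnknownData / UnreadableData fill patterns are not modelled.

```rust
// Added illustration, not the aff4 crate's code; every type and name is hypothetical.
enum Target {
    Data { offset: u64 }, // bytes held in the backing data stream
    Fill(u8),             // Zero = 0x00, FF = 0xFF, SymbolicStream{XX} = 0xXX
    Unreadable,           // UnreadableData: the region was never acquired
}
struct Entry { virt: u64, len: u64, target: Target }

/// Read `len` bytes at virtual offset `pos` through `map` (sorted, non-overlapping).
/// Also returns each (offset, length) range with no acquired data; those bytes stay 0x00.
fn read_virtual(map: &[Entry], backing: &[u8], pos: u64, len: u64) -> (Vec<u8>, Vec<(u64, u64)>) {
    let end = pos.saturating_add(len);
    let mut out = vec![0u8; (end - pos) as usize];
    let (mut gaps, mut cur) = (Vec::new(), pos);
    for e in map {
        let (s, t) = (e.virt.max(cur), e.virt.saturating_add(e.len).min(end));
        if s >= t { continue; } // entry lies outside the requested window
        if s > cur { gaps.push((cur, s - cur)); } // hole in the map before this entry
        let dst = &mut out[(s - pos) as usize..(t - pos) as usize];
        match e.target {
            Target::Fill(b) => dst.fill(b),
            Target::Unreadable => gaps.push((s, t - s)),
            Target::Data { offset } => {
                let src = offset.saturating_add(s - e.virt) as usize;
                match backing.get(src..src.saturating_add(dst.len())) {
                    Some(bytes) => dst.copy_from_slice(bytes),
                    None => gaps.push((s, t - s)), // truncated backing stream
                }
            }
        }
        cur = t;
    }
    if cur < end { gaps.push((cur, end - cur)); } // window runs past the last entry
    (out, gaps)
}

/// Constructed sample: 4 data bytes, 4 zero-fill, 4 unreadable, then 4 bytes of 0xAB.
fn sample_map() -> Vec<Entry> {
    vec![
        Entry { virt: 0, len: 4, target: Target::Data { offset: 2 } },
        Entry { virt: 4, len: 4, target: Target::Fill(0x00) },
        Entry { virt: 8, len: 4, target: Target::Unreadable },
        Entry { virt: 12, len: 4, target: Target::Fill(0xAB) },
    ]
}
fn main() {
    let (bytes, gaps) = read_virtual(&sample_map(), b"..DISK", 2, 12);
    println!("{:02x?} unacquired={:?}", bytes, gaps);
}
```

A digest computed over the returned bytes alone would cover the zero placeholders for the unreadable range, which is why the ranges are returned alongside the data.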
Trust
Every byte-level claim is reconciled against the AFF4 reference corpus (Evimetry 3.0) and pyaff4 — see Reader Validation and Audit Validation. Findings are observations ("consistent with tampering or media corruption"), never verdicts — see Finding Codes.
© 2026 Security Ronin Ltd.