![]() ![]() Adding data to a Custom Content Image (AD1).It is important to understand that within FTK Imager, there are two methods of generating an AD1 image: ![]() To this end, I used an existing Windows 10 (Version 20H2) virtual machine in QEMU I had been using for various tests and installed FTK Imager version 4.2.1, which was the version I had to hand at that point in time. Research & Experimentation AD1 Sample Generationįor the next step in my experimentation process, I needed a good variety of AD1 files to conduct testing on, whose data content I controlled. Whereas traditional forensic images (such as the raw DD format), would usually include data from every layer of this model. To use Brian Carriers 3 infamous file system abstraction model it would be analogous to say that AD1 files contain data which would only reside on the ‘file system’ layer and beyond, having no concept of the data at lower levels. There is no disk geometry or volume information contained within an AD1 file, meaning it cannot be read by tools such as the Sleuth Kit’s mmls command. The primary point to note at this stage is that the AD1 file format is not a traditional forensic image, but rather a container, comprising the logical file data. Additionally, the documentation also stipulates that any version of FTK Imager starting from version 3.4.2, will only generate AD1v4 format images 2.ĭISCLAIMER: This article will only be discussing the data structures associated with the newer AD1v4 format, please assume all AD1 files mentioned or used as samples from this point on are of the AD1v4 format. This is significant because older versions of AccessData software are not able to recognise the newer AD1v4 format, but it is possible to convert them into the older format using FTK Imager 3.4.0. Interestingly, according to an official FTK Imager user guide, there are two versions of the AD1 image format, specifically the newer AD1v4, and the older AD1v3. However, from the surface, it appeared that this was not necessarily the case with AD1 files. Traditional forensic image files, such as DD, AFF or E01 files, typically contain the entire file system structure, including partition data, slack space, unallocated data, full file metadata, etc. Now as to exactly what a ‘forensic image container’ means in this context was the next phase of my research. The AD1 File FormatĪD1 files are an AccessData proprietary format described on their official blog as being a “ forensic image container” 1, meaning that they are not very well documented online, which is to be expected. Should anyone reading this know of a CLI tool or method that I am not aware of which can perform these extractions, please let me know. Interestingly, even after extensive searching online, I could not find a reliable way to extract AD1 data from the Linux command-line.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |