I was trying out AFF format to see how it works on my forensic software. It is compressed, and quite a nightmare to work with. Trying to mount the drive for malware scanning, and distributed processing is super slow, no doubt due to it trying to decompress on the fly.
I read that AFF uses either lzma or zlib compression, but have found no way to take the aff file, and decompress the image so I can work on the full uncompressed image. Does anyone know if this is even possible?
I have tried using windows and linux compression tools, to no avail.
Thank for any assistance,
–Bruce
Not tried it with aff - but doesnt ftk imager support it
I have never used FTK imager except for imaging memory. I did give it a try, and it does a great job of converting between the two formats.
Thank you for the help.
–Bruce
Could also use our OSFMount to save AFF as a raw image.
We did some testing on the AFF file format (AFF version 3 that is).
The performance isn't good. In terms of writing to an existing image the performance is totally abysmal.
For the default page size 16MB and writing 8KB blocks we got,
0.009 MB/sec
For a 1 MB page size we got
0.08 MB/sec
Good thing a lot more reading is done than writing. As it is pretty much unusable as a file format if you need to write anything to an existing image.
There are several issues making it slow. Including having an internal table of contents that is poorly laid out plus too much seeking and linear searching being done.
There was talk (about a year ago) that AFF V4 would address some of these issues. But I haven't see anything as yet.
Even though we support AFF in our tool, we would prefer to use raw images for the performance advantage.