- Digital Forensics Fundamentals
- Understanding Artifacts in Digital Forensics
- Chain of Custody and Evidence Integrity
- Verifying Integrity and Authenticity with PowerShell
- Evidence Collection Strategy
- Volatility Order in Evidence Collection
- Write Protection and Read-Only Access
- Anti-Forensic Techniques
- Hidden Items
- Alternate Data Streams (ADS)
- Timestomping
- Triage and Obfuscation
- PowerShell Obfuscation
- Cloud Monitoring and Identity Management
- NTFS Timestamp Distinctions
- Windows Registry Forensics
- Understanding the Registry
- Registry Hive Files
- Registry Keys and Values
- Key Forensic Registry Locations
- Eric Zimmerman Tools for Rapid Triage
- Categories of Digital Artifacts
- Runtime or Memory Artifacts
- Host Storage Artifacts
- System and Application Logs
- Network Telemetry
- Cloud and SaaS Audit Artifacts
- Identity and Mobile Artifacts
- Master File Table Analysis
- USN Journal Analysis
- Prefetch Analysis
- Amcache Analysis
- ShimCache Analysis
- Registry Hive Analysis
- RAID Configuration Challenges
- System Boot Process
- Firmware and ROM
- BIOS or UEFI
- MBR or GPT
- Bootloader
- Kernel
- Operating System
- File System Organization
- Disk Space Categories
- Allocated vs Unallocated Space
- Slack Space
- System Areas
- Odd Places
- Critical Principle
- Browser Forensics Example
- MAC(b) Timestamp Analysis
- File Recovery and Carving
- Recovery Limitations
- Practical Example
- Forensic Image Formats
- Raw/DD Format
- E01 / EnCase Format
- SMART Format
- AFF Format
- Partial Acquisition Support
Digital Forensics Fundamentals
Understanding Artifacts in Digital Forensics
An artifact represents any trace of data left on a system that reveals past user or system activity. For example, when an attacker installs a scanning tool such as Advanced_Scanner.exe, this creates a hypothesis that the system was used for scanning other hosts on the network.
The concept of systematic investigation in digital forensics means the process follows a structured, repeatable, and well-documented methodology so the investigation is not random or improvised. This ensures consistency and reliability across different cases and investigators.
The principle of admissible evidence means the evidence must be collected and handled in a way that ensures it is legally acceptable in court. This requirement drives many of the strict procedures followed during forensic investigations.
Chain of Custody and Evidence Integrity
In digital forensics, the chain of custody is the chronological arrangement of events in order of time and the documented history of who handled digital evidence, when, and why, from its initial collection to its final presentation in court. In a company hack case, an investigator takes a suspicious laptop and writes down everyone who touches it, making sure the evidence is handled in order and can be used in court.
Authenticity in cybersecurity means verifying that data or a system truly comes from the source it claims to come from. For example, when a company receives a software update, authenticity ensures that the update was actually released by the legitimate vendor and not tampered with by an attacker.
Integrity refers to the assurance that the data has not been altered or corrupted since it was created or sent. A real-world scenario is receiving an email with an attached financial report where even if the email is authentic, integrity checks like a hash or digital signature confirm that the report hasn't been modified in transit. The key distinction is that authenticity proves who created it, while integrity proves it hasn't changed.
Verifying Integrity and Authenticity with PowerShell
When verifying integrity, you can use file hashing to ensure data hasn't been modified:
Get-FileHash C:\Path\To\Your\File.ext -Algorithm SHA512For authenticity verification, you can examine file metadata and digital signatures:
Get-Item .\Evidence.E01 | Select-Object Name, CreationTime, LastWriteTime, LastAccessTime
Get-AuthenticodeSignature .\installer.exeEvidence Collection Strategy
In a digital forensics investigation, the goal is to figure out what evidence to collect, where to get it from, and in what order, while making sure nothing is altered. Evidence can come from different sources like the computer's memory (RAM), the host system (disk files and logs), network data (traffic captures), or cloud and application logs.
Because some data disappears quickly, investigators follow a volatility order where they capture RAM first, then temporary logs, followed by host logs that rotate, and finally disk images. A quick plan involves safely isolating the system, taking memory snapshots, and pulling logs from the critical time window. Decisions about what to collect first are guided by an impact matrix measuring how critical the data is to the incident and volatility measuring how quickly the data might disappear to prioritize what needs immediate attention versus what can wait. To ensure integrity, every piece of evidence is hashed and documented in the chain of custody.
Files like Security.evtx represent logs where old entries are deleted and new logs are written in their place, making them subject to rotation and potential loss.
Volatility Order in Evidence Collection
The volatility hierarchy guides collection priorities. RAM Capture is the most volatile and contains running processes and in-memory data. For example, you might find a process named malware.exe with PID 4321 and command line showing "malware.exe --steal-data" still active in memory.
Ephemeral or Temporary Logs are short-lived logs that can disappear quickly from temporary directories. These might show events like a failed login attempt from 192.168.1.50 for user JohnDoe at a specific timestamp with EventID 4625.
Host Logs that Rotate are longer-lived logs on the host that may be overwritten eventually. These include firewall logs showing blocked connections from specific source IPs to destination addresses with timestamps and actions taken.
Disk Images represent the most stable evidence, preserving all files, deleted data, and metadata. These capture complete file information including creation times, last write times, and full paths to documents and other artifacts.
Write Protection and Read-Only Access
A hardware write-blocker is a physical device you connect between your forensic workstation and a hard drive. It makes the drive read-only, so you can examine or copy its data without ever accidentally changing anything on the original drive.
A read-only mount is a way to access a disk or disk image using software so that you can look at the files and folders but the system won't allow any changes. Think of it like opening a book under glass where you can read it, but you can't write or erase anything.
Anti-Forensic Techniques
Hidden Items
Hidden items are files or folders intentionally marked so they don't appear in normal directory views, making them easy to overlook during investigations. Attackers use this to conceal tools, malware, or stolen data without changing the file system structure. An example would be a folder named C:\Windows\System32\Drivers\Temp marked as hidden so it doesn't show up in File Explorer.
Alternate Data Streams (ADS)
ADS lets a file store extra hidden data inside it without changing its visible size, making it a common trick for hiding malicious scripts or logs. The file looks normal, but a second stream inside it contains hidden content. For example, hiding a script inside a normal text file using ADS can be done with commands, and the file size remains unchanged before and after adding the hidden stream. The file might show 3mb before and 3mb after, with the hidden content only visible through special tools or by accessing the stream directly. You can view this using tools like HxD which will reveal the hidden streams tag containing the concealed data.
echo Hidden content > normalfile.txt:secret
more < normalfile.txt:secret
Timestomping
Timestomping is when an attacker alters the file's timestamps to make it look older or unrelated to their activity. This breaks forensic timelines by making the file appear harmless or created long before the attack. A malware file called update.exe might be changed so its creation date looks like "2019" even though it was added yesterday.
(Get-Item "C:\temp\evil.exe").CreationTime = "01/01/2019 10:00"
(Get-Item "C:\temp\evil.exe").LastWriteTime = "01/01/2019 10:00"
(Get-Item "C:\temp\evil.exe").LastAccessTime = "01/01/2019 10:00"
Using tools like MetaSploit, the same result can be achieved through specific timestomping commands that manipulate all three timestamp values simultaneously.
Triage and Obfuscation
Triage involves selecting specific files and artifacts in order to have faster results and response times. When opening an XDR platform, you might focus on Security.evtx, PowerShellOperations.evtx with EventCode 4104, $MFT, and $J journal files as priority targets.
PowerShell Obfuscation
Original commands might look straightforward, such as a PowerShell command that uses execution bypass to invoke a web request downloading payload.exe from a malicious domain. However, bad actors obfuscate these commands making them harder to read. They might use mixed case letters like pOwErShElL with random capitalization, string concatenation breaking up URLs with plus signs, or base64 encoding that turns the entire command into an encoded string starting with SQBuAHYAbwBrAGUALQBX.
This obfuscation serves two purposes. First, it makes it hard to read so investigators looking at PowerShell files spend more time trying to understand what the command does. Second, it helps evade antivirus detection because the AV might not exactly recognize what the obfuscated command represents.
For instance, when Invoke-WebRequest connects to a malicious domain, that becomes an Indicator of Compromise (IOC) that gets saved and marked as malware for blocking. However, if the original command goes through ten encoding cases, the AV might see seemingly random characters and think it's just text rather than recognizing the malicious behavior.
When building timelines, investigators should construct activity chains showing the progression from creation to execution to network activity to persistence mechanisms to exfiltration, marking each phase with confidence tags. Understanding obfuscation techniques helps contextualize these timeline entries.
Cloud Monitoring and Identity Management
CloudWatch monitors the performance and health of your AWS applications, while CloudTrail is an audit and compliance service that logs API activity and user actions within your AWS account.
Azure identity refers to the management of user and service identities in Azure, primarily through Microsoft Entra ID formerly known as Azure Active Directory, which acts as the cloud-based identity provider for authentication and access control.
Microsoft Defender for Identity is a cloud-based security solution that helps secure your identity monitoring across your organization. Defender for Identity is fully integrated with Microsoft Defender XDR and leverages signals from both on-premises Active Directory and cloud identities to help you better identify, detect, and investigate advanced threats directed at your organization.
NTFS Timestamp Distinctions
The $SI (Standard Information) timestamps are user-modifiable and updated by file access, while $FN (File Name) timestamps are kernel-modifiable and are only updated during file creation, renaming, or moving operations. This distinction becomes important when investigating timestamp manipulation attempts.
Windows Registry Forensics
Understanding the Registry
The Windows Registry is a structured database inside Windows that stores configuration settings for the operating system, hardware, software, and user preferences. It acts like the brain of Windows, telling the system how to behave, what to load, and how applications should function. Every change you make in Windows, from display settings to installed programs, leaves traces in the registry. Because of this, it becomes a critical source of evidence in digital forensics.
You can access the Windows Registry by opening the Run dialog with Win+R, typing regedit, and pressing Enter. This launches the Registry Editor, which lets you browse and view the hierarchical structure of keys and values. It should only be accessed in read-only mode during investigations to avoid altering evidence. For deep forensic analysis, investigators usually parse registry hive files offline using specialized tools rather than interacting with a live system.
Registry Hive Files
Registry hive files are the physical files on disk that store portions of the registry. They represent different categories of system and user configuration. The most important ones are SYSTEM, which controls hardware and OS configuration, SOFTWARE, which stores installed programs and system-wide settings, SAM, which contains hashed user credentials, SECURITY, which keeps local security policies, DEFAULT, which contains default user settings, and NTUSER.DAT and USRCLASS.DAT, which store per-user activity, preferences, and application traces.
Each hive is stored as a file under locations such as C:\Windows\System32\Config or within user profiles, and forensic investigators analyze them to uncover login history, USB usage, program execution, network activity, and user behavior. Because these hives persist even after reboots and logouts, they are extremely valuable in reconstructing timelines and actions taken on a system.
Registry Keys and Values
A registry key is like a folder within the registry hierarchy. It organizes settings and holds subkeys or values. Keys help structure the registry into logical components, such as configuration areas for hardware, software, user sessions, or system behavior. Investigators explore keys to navigate to specific artifacts such as autostart entries, recent files, and USB history.
A registry value is an individual setting stored inside a key. It contains data in different formats, such as strings, numbers, timestamps, or binary blobs. Values store the actual information Windows and applications use when making decisions. In forensic work, values often reveal evidence such as the last time a program was run, connected devices, saved networks, browser traces, or user actions.
Key Forensic Registry Locations
The most important registry areas for forensic investigation include the keys responsible for tracking program execution, user activity, network connections, autostart entries, USB and peripheral usage, and MRU (Most Recently Used) lists. Areas such as the Run keys, ShimCache, Amcache, UserAssist, RecentDocs, MountedDevices, and USBSTOR frequently provide visibility into what happened on a system, when it happened, and who performed the actions. These registry artifacts allow investigators to build timelines, identify suspicious behavior, and validate events across multiple hive sources.
Eric Zimmerman Tools for Rapid Triage
Rapid triage relies on a collection of specialized forensic tools created by Eric Zimmerman, which are designed to quickly extract meaningful evidence from digital devices. These tools cover a wide range of artifacts including logs, registry data, $MFT records, browser activity, and more, making them valuable for fast, accurate incident response.
After downloading the toolset from Eric Zimmerman's official repository at https://ericzimmerman.github.io/#!index.md, you can run it by executing .\Get-ZimmermanTools.ps1 inside the unzipped folder, since PowerShell scripts use the .ps1 extension to store command sequences. If PowerShell blocks the script from running, temporarily setting the execution policy with Set-ExecutionPolicy RemoteSigned -Scope Process allows you to execute the script safely for that session.
Categories of Digital Artifacts
Runtime or Memory Artifacts
Runtime or memory artifacts come from RAM and reveal running processes, open sockets, loaded credentials, and in-memory malware. This data is extremely volatile and can expose active attacker activity. Examples include process information for lsass.exe with its PID, established socket connections showing source and destination IPs with ports, handles pointing to device paths and loaded DLLs, and credentials with token types and user information showing delegation privileges.
Host Storage Artifacts
Host storage artifacts come from disks, SSDs, and USBs and include disk images, MFT/USN entries, Prefetch, Amcache, and registry hives. These provide persistent historical evidence about what executed, when, and from where. Analysis might reveal MFT entries with record numbers pointing to specific files showing creation timestamps, USN records indicating file creation reasons, Prefetch data showing how many times executables ran with last run timestamps, and registry run keys showing autostart entries pointing to executable paths.
System and Application Logs
System and application logs capture authentication events, system errors, service actions, and application behavior across Windows and Linux. These logs help reconstruct timelines and identify abnormal or malicious activity. Windows EVTX logs might show EventID 4624 for successful logons with user names, logon types, and source IP addresses. Linux /var/log/auth.log files record failed password attempts showing timestamps and source addresses. Web application logs capture HTTP requests with timestamps, methods, response codes, and authenticated users.
Network Telemetry
Network telemetry includes NetFlow, PCAP, firewall, proxy, DNS, and VPN logs that reveal flows, sessions, and anomalous connections. These artifacts show lateral movement, C2 traffic, or exfiltration. NetFlow data captures start times, source and destination addresses, and byte counts for network flows. Firewall logs show actions taken on connections with source and destination details including ports. DNS queries reveal domain lookups with timestamps and client IP addresses that might indicate communication with malicious infrastructure.
Cloud and SaaS Audit Artifacts
Cloud and SaaS audit artifacts track admin actions, API calls, mailbox access, file sharing, and user activity across AWS, Azure, GCP, M365, and Google Workspace. These logs reveal cloud-based attacks and misuse. AWS CloudTrail logs capture console login events showing user names, MFA usage status, and source IP addresses. Azure Activity logs record operations like adding users showing the actor and target accounts. M365 Audit logs track file access events showing which users accessed specific files in shared locations.
Identity and Mobile Artifacts
Identity and mobile artifacts come from identity providers like Okta or Entra, MDM systems, and handset extractions, showing authentication events, policy changes, app installs, and keychain secrets. Okta logs capture session start events with user email addresses and IP addresses. MDM logs show device compliance status and last check-in times. Mobile extractions reveal keychain entries containing application tokens and stored credentials.
Master File Table Analysis
The MFT records every file's metadata and history, making it a key source for reconstructing file activity and detecting manipulation. Using the tool, you execute MFTECmd.exe pointing to the $MFT file with output directed to CSV format for analysis. The output shows record numbers, file names like update.exe, timestamps for creation, modification, and record changes, along with parent paths indicating where files were located in the directory structure.
.\MFTECmd.exe -f '..\..\Massar Labs\$MFT' --csv 'C:\Users\semo\Desktop\Massar Labs' --csvf j01.csvExample output includes RecordNumber 4921 for a file named update.exe with creation timestamp 2025-11-29 04:11:22, modified timestamp 2025-11-29 04:12:10, RecordChanged timestamp 2025-11-29 04:12:10, and ParentPath showing \Users\Alice.
USN Journal Analysis
The USN Journal tracks file system changes in real time, helping analysts identify file creation, deletion, renames, and edits. The same tool MFTECmd.exe can parse the $J journal file to extract these change records. Each entry includes a USN number, timestamp, reason for the change such as FileCreate, and the full path to the affected file.
.\MFTECmd.exe -f "..\..\Massar Labs\$J" --csv "C:\Users\semo\Desktop\Massar Labs" --csvf j01.csvExample output shows USN 354023488 with timestamp 2025-11-29 04:12:01, reason FileCreate, and path \Users\Alice\update.exe.
Prefetch Analysis
Prefetch shows which applications ran and when, revealing execution evidence even if attackers delete the program. Using PECmd.exe against the Prefetch directory generates CSV output showing execution history. The data reveals executable names, last run timestamps, run counts indicating how many times the program executed, and volume information including serial numbers.
PECmd.exe -f C:\Windows\Prefetch\*.pf --csv PF_Out
Example output shows Executable UPDATE.EXE with LastRun 2025-11-29 04:10:55, RunCount of 4 executions, and Volume C:\ with Serial number 92F3-11C3.
Amcache Analysis
Amcache records program installation and execution traces, providing strong evidence of what ran and from which path. AmcacheParser.exe processes the Amcache.hve file to extract this information into CSV format. Results include entry types, program names, full paths to executables, first run timestamps, and SHA1 hashes for file identification.
AmcacheParser.exe -f C:\Windows\AppCompat\Programs\Amcache.hve --csv AMC_Out
Example output shows EntryType Program, Name update.exe, Path C:\Users\Alice\update.exe, FirstRun 2025-11-29T04:10:45, and SHA1 hash beginning with 7A3F5E9C63A.
ShimCache Analysis
ShimCache shows historical evidence of program execution based on application compatibility data, even if the file no longer exists on disk. AppCompatCacheParser.exe processes the SYSTEM registry hive to extract ShimCache entries. The output shows executable paths, last modified timestamps, execution flags indicating whether the file was run, and path present flags showing if the file still exists.
AppCompatCacheParser.exe -f C:\Windows\System32\config\SYSTEM --csv Shim_Out
Example output shows Executable C:\Users\Admin\Downloads\malware.exe with LastModified 2025-11-28 23:44:10, ExecutionFlag True indicating it ran, and PathPresent False showing the file was deleted.
Registry Hive Analysis
Registry hives store persistent configuration, autoruns, recently opened items, and user/system activity. RECmd.exe can process various hive files including SOFTWARE, NTUSER.DAT, SYSTEM, and SAM to extract forensic artifacts. The output reveals registry keys, values pointing to executables or configuration data, and timestamps showing when entries were created or modified.
RECmd.exe -f SOFTWARE --csv REG_Out
Example output shows Key HKLM\Software\Microsoft\Windows\CurrentVersion\Run with Value "Updater" pointing to C:\Users\Alice\update.exe and Timestamp 2025-11-29 04:08:33.
For more detailed information about disk forensics techniques, reference the comprehensive guide available at https://sameerfakhoury.com/blog-posts/unveiling-the-secrets-a-brief-dive-into-disk-forensics-in-cyber-security
RAID Configuration Challenges
RAID (Redundant Array of Independent Disks) is a storage configuration combining multiple physical disks for redundancy, performance, or both. RAID makes forensic imaging more complex because the data is striped or mirrored across drives, requiring reconstruction of the array before analysis. Investigators must understand the RAID level and configuration to properly image and analyze the combined storage.
System Boot Process
Firmware and ROM
Firmware is software embedded in a hardware device to control its basic functions, like startup and input/output tasks. ROM, or Read-Only Memory, is a type of non-volatile computer storage that holds permanent data, such as the startup instructions (firmware) for a computer.
BIOS or UEFI
BIOS (or UEFI) is like the computer's starter engine embedded in the motherboard inside the ROM. When you turn on the PC, it wakes up the hardware and looks for the disk to start loading the operating system.
MBR or GPT
MBR or GPT is like a map on the disk. It tells the computer where the partitions are and points to the bootloader so the system knows where to go next. The MBR (Master Boot Record) is not the file system itself but rather a small area at the very beginning of the disk that contains the partition table and the bootloader. It tells the system where partitions start and end, so the OS knows which part of the disk contains which file system.
Bootloader
The bootloader is a small program on the disk that knows how to load the kernel of the operating system into memory.
Kernel
The kernel is the heart of the operating system. It manages the CPU, memory, devices, and communication between software and hardware. The bootloader loads it into RAM so it can start working.
Operating System
Finally the operating system starts running, giving you the interface and environment to run programs, browse the web, and use your computer.
File System Organization
The file system is the way the operating system organizes and stores files on a disk. It defines folders, file names, metadata, and where data lives on the disk. Examples include NTFS, FAT32, and EXT4.
Disk Space Categories
Allocated vs Unallocated Space
Allocated vs Unallocated (Deleted/Free Space) refers to disk areas that are either actively used by the file system or marked as free after deletion. Even when a file is deleted, its data often remains in unallocated space until overwritten, making it recoverable in forensic investigations.
Slack Space
Slack space is created because disks store data in fixed-size units called clusters, and when a file doesn't completely fill its last cluster, the leftover space remains unused. For example, a 6 KB file on a 4 KB cluster disk uses two clusters, leaving 2 KB in the second cluster as slack. This leftover space can contain fragments of previously deleted files or random data. Forensic investigators examine slack space because it may hold hidden or recoverable information.
System Areas
System Areas include special parts of the disk like the $MFT mirror, pagefile, swap, or hibernation files. These areas can contain copies of metadata or memory contents, giving investigators access to sensitive or volatile information even after deletion.
Odd Places
Odd Places are unexpected storage locations such as browser caches, Windows thumbcaches, or shellbags. These locations often store traces of user activity or file usage that can help reconstruct timelines or confirm deleted activity.
Critical Principle
The implication is clear: Deleted does not equal Gone. Investigators need to widen their search across allocated, unallocated, slack, and system areas to uncover potential evidence.
Browser Forensics Example
The SQLite Database Browser application provides a graphical interface for managing SQLite database files and can be used to browse Firefox web history databases. For example, examining a file named moz_places located at C:/Documents and Settings/Sarah/My Documents/University shows how the moz_places table stores unique URLs accessed by the user. The data shown might include URLs related to music websites like 30 Seconds to Mars and Last.fm along with Google searches. The interface shows options to Browse Data, examine Database Structure, and Execute SQL queries for deeper analysis.
MAC(b) Timestamp Analysis
MAC(b) times in NTFS are timestamps that record key events for each file, helping investigators understand the chronological history of file activity. The acronym stands for Modified, Accessed, Changed, and Birth. Modified reflects the last content change to the file data. Accessed shows the last read or interaction with the file. Changed captures updates to the metadata of the file such as permission changes or renaming. Birth marks the original creation time of the file.
In NTFS, different operations affect timestamps differently. Creating a file updates all four timestamps. Modifying a file updates only the Modified timestamp. Copying a file updates Accessed and Birth while usually inheriting the Modified timestamp from the original. Simply accessing a file updates only the Accessed timestamp.
File Recovery and Carving
When a file is deleted, the file system usually only marks its metadata as free, meaning the actual data often remains on the disk until overwritten. Forensic investigators can recover such remnants using signature carving, which searches for known file headers of formats like JPG, ZIP, PDF, EXE, or DOCX to reconstruct files even if directory entries are gone.
Recovery Limitations
However, recovery has limits. Heavily fragmented files, files inside containers, or data that is compressed or encrypted may be incomplete or unrecoverable. To ensure recovered files are genuine, analysts validate them by checking magic bytes, opening the files to confirm readability, and verifying that the size and context make sense. Once validated, each recovered file is hashed and cataloged to preserve provenance, providing a reliable record for legal or investigative purposes.
Practical Example
Imagine a user deletes a photo.jpg from their computer. The file entry in the directory is removed, but the actual data remains on the disk. Using signature carving, a forensic tool scans the raw disk for the JPEG file header which always starts with FFD8 FF and the footer FFD9. Once it finds these markers, it can reconstruct the photo even though the file isn't listed in the file system.
However, there are limits. If the JPEG was fragmented across multiple clusters, the tool may only recover the first part, leaving a broken image. If the file was inside a ZIP archive or encrypted, signature carving might not detect the internal JPEG, making it impossible to fully recover without decrypting or unpacking the container first.
Forensic Image Formats
Raw/DD Format
Raw/DD (using extensions like .raw, .dd, or .img) is a plain, bit-for-bit copy of the source drive without compression or metadata. It's the simplest format, widely compatible, and easy to verify with hashes, but it takes up a lot of space and doesn't include built-in checksums or extra info.
E01 / EnCase Format
E01 / EnCase (using extensions .E01 or .Ex01) is a proprietary format used by EnCase. It includes compression, checksums, and metadata, which saves space and ensures integrity, but you usually need EnCase or compatible tools to open it.
SMART Format
SMART (using extensions .s01, .aa, or .ab) is similar to E01 but used by SMART and X-Ways. It also supports checksums and partial acquisition, making it flexible for incremental imaging, but again it's not open, so tool compatibility can be limited.
AFF Format
AFF (Advanced Forensic Format, using extensions .aff, .afd, or .afm) is an open format with compression, integrity verification, and partial acquisition support. Its openness makes it more flexible across tools compared to proprietary formats, and it includes metadata and built-in checksums, making it very reliable for forensic work.
Partial Acquisition Support
Partial acquisition support means that a forensic imaging format like AFF or SMART allows you to capture only part of a storage device rather than cloning the entire disk. This can include specific partitions, selected files, or even just unallocated space.