Michael and I have recently extended and refined the container format to support describing the provenance of information and data, and a more accurate description of evidence characteristics. A paper describing this work, titled “Refining the AFF4 evidence container for provenance and accurate data representation”, has been accepted for presentation at the 6th Annual IFIP WG 11.9 conference on Digital Forensics.
The abstract follows:
It is well acknowledged that there is a pressing need for a general solution to the problem of storage of digital evidence, both in terms of copied bit-stream images and general information which describes the images and surrounding context of the case. In a prior paper, the authors introduced the AFF4 evidence container format, focusing in particular on the description of the efficient and layered bitstream storage architecture, a general approach to representing arbitrary information, and a compositional approach to managing and sharing evidence. In this paper we describe our work refining the representation schemes embodied in the new format, addressing the accurate representation of discontiguous data and description of the provenance of both data and information.