NAMEaimage - tool to create forensic copy of a device in aff format.
SYNOPSISaimage INPUT1 [OUTFILE1.aff] [INPUT2] [OUTPUT2.aff]
DESCRIPTIONaimage is a tool to create copies of devices in a forensic manner. The resulting image can be in raw format, like a dd, or in aff format. AFF stands for Advanced Forensic Format which is an open format with multiple advantages: o It can store arbitrary metadata. o The image can be compressed with a high compression level. o The resulting image can be encrypted. o The resulting image can be sliced into smaller pieces to fit on medias or filesystems than cannot hold large files.
PARAMETERSINPUT1 device name or a file name that you want to create a forensic image from. OUTFILE1 a filename for the output file. This parameter is mandatory unless you use the -o option. You can specify more than one input and output files.
CONFIGURATION FILEA configuration file can be used to add metadata to the AFF file. This configration file contains questions to ask to the user of aimage just before the copy and the correspondig fields to store in AFF file.
OPTIONS-q, --quiet No interactive statistics. -Y, --batch Batch output, continuously print statistics to standard ouput instead of a static screen. -Q, --silent No output at all except for errors. -R nnnn, --readsectors=nnnn set number of sectors to read at once (default 32768). -v, --version print version number and exit. -k nn[s], --skip=nn[s] skip nn bytes from the start of the input. Use nns to skip sectors instead of bytes. -B, --no_beeps Don't beep when imaging is finished. -l LOGFILE, --logfile=LOGFILE Specify a log filename (no log file is written by default). -G, --logAFF Log AFF operations. -p, --preview view some of the data as it goes by. This option does not work when -q or -Y is specified. -b, --verify verify the input against the output file. -w, --wipe verify after imaging, and, if valid, wipe the source. BE CARREFUL. -C 'COMMAND', --exec 'COMMAND' Execute the command COMMAND after imaging (before wiping). Use the '%s' variable for image name. -z, --zap Erase ouput file(s) before writing them. -o FILENAME, --outfile=FILENAME Specify the output file name as FILENAME. -S nnnn, --image_pagesize=nnnn Specify the AFF page size as nnnn (default to 16777216) (number can be suffixed with b, k, m or g). -m, --make_config Make a sample config file if it doesn't exist. Config file is aimage.cfg by default and can be overridden by the AIMAGE_CONFIG enviroment variable. If the config file doesn't exists, it's created and the programs exits right after. If the config file exists, the programs directly starts the copy." 4 -D, --no_dmesg Do not put dmesg into the AFF file. -x, --no_compress Do not compress. Useful on slow machines. -Xn, --compression=n Set the compression level to n. -L, --lzma_compress Use LZMA compression (slow but better). -A, --auto_compress Write as fast as possible, with compression if it helps. Sets compression level 1. -Mn, --maxsize=n Sets the maximum size of output file to be n megabytes if no suffix is specified. self explanatory suffixes maybe 'g', 'm', 'k' or 'b'. Replace n by : 'cd' for a 650MB CD. 'bigcd' for a 700MB CD. 'dvd' for a DVD. 'dvddl' for a DVD-DL. -g name=value, --setseg name=value Create segment 'name' and give it 'value'. The purpose of this option is to insert an arbitrary metadata into th AFF file. This option may be repeated. -H, --no_hash Do not calculate MD5, SHA1 and SHA256 of image. -e0, --error_mode=0 Standard error recovery: Read disk 256KiB at a time until there are 5 errors in a row, then go to the end of the disk and read backwards until there are 5 erros in a row. Then stop. -e1, --error=1 Stop reading at first error. -tnn, --retry=nn Change retry count from 5 to nn -V, --reverse Scan in reverse to the beginning. -c, --recover-scan Starting with an AFF file that has been partially acquired, try to read each page, 8 sectors at a time (implies --append). -h, --help Give an help message. -Z, --fast_quit When you hit '^c', just exit immediately. -E, --allow_regular Allow the imaging of a regular file instead of a device. -T, --title=s Change title to s (from IMAGING) and disable blink. -d n, --debug=n Set debug code n (-d0 for list). -y, --use_timers Use timers for compressing, reading & writing times. -i, --ident Just print the ident information and exit (for testing).
EXAMPLESCreate image.aff from /dev/sd0: aimage /dev/sd0 image.aff aimage -o image.aff /dev/sd0 Create image0.aff from /dev/sd0 and image1 from /dev/sd1: aimage /dev/sd0 image0.aff /dev/sd1 /image1.aff
AUTHORThis manual page was written by Christophe Monniez <firstname.lastname@example.org> for the Debian project (but may be used by others). 2010-03-26 AIMAGE(1)