NAME
aimage - tool to create a forensic copy of a device in AFF format.
SYNOPSIS
aimage INPUT1 [OUTFILE1.aff] [INPUT2] [OUTPUT2.aff]
DESCRIPTION
aimage is a tool to create copies of devices in a forensic manner. The
resulting image can be in raw format, like dd output, or in AFF format.
AFF stands for Advanced Forensic Format, an open format with
multiple advantages:
· It can store arbitrary metadata.
· The image can be compressed with a high compression level.
· The resulting image can be encrypted.
· The resulting image can be sliced into smaller pieces to fit
on media or filesystems that cannot hold large files.
PARAMETERS
INPUT1 device name or a file name that you want to create a
forensic image from.
OUTFILE1 a filename for the output file. This parameter is
mandatory unless you use the -o option.
You can specify more than one input and output file.
CONFIGURATION FILE
A configuration file can be used to add metadata to the AFF
file. This configuration file contains questions to ask the
user of aimage just before the copy and the corresponding fields
to store in the AFF file.
OPTIONS
-q, --quiet No interactive statistics.
-Y, --batch Batch output, continuously print statistics to
standard output instead of a static screen.
-Q, --silent No output at all except for errors.
-R nnnn, --readsectors=nnnn set number of sectors to read at
once (default 32768).
-v, --version print version number and exit.
-k nn[s], --skip=nn[s] skip nn bytes from the start of the
input. Use nns to skip sectors instead of bytes.
-B, --no_beeps Don’t beep when imaging is finished.
-l LOGFILE, --logfile=LOGFILE Specify a log filename (no log
file is written by default).
-G, --logAFF Log AFF operations.
-p, --preview view some of the data as it goes by. This option
does not work when -q or -Y is specified.
-b, --verify verify the input against the output file.
-w, --wipe verify after imaging, and, if valid, wipe the source.
BE CAREFUL.
-C 'COMMAND', --exec 'COMMAND' Execute the command COMMAND after
imaging (before wiping). Use the '%s' variable for image name.
-z, --zap Erase output file(s) before writing them.
-o FILENAME, --outfile=FILENAME Specify the output file name as
FILENAME.
-S nnnn, --image_pagesize=nnnn Specify the AFF page size as nnnn
(default to 16777216) (number can be suffixed with b, k, m or
g).
-m, --make_config Make a sample config file if it doesn’t exist.
Config file is aimage.cfg by default and can be overridden
by the AIMAGE_CONFIG environment variable. If the config
file doesn’t exist, it is created and the program exits
right after. If the config file exists, the program
directly starts the copy.
-D, --no_dmesg Do not put dmesg into the AFF file.
-x, --no_compress Do not compress. Useful on slow machines.
-Xn, --compression=n Set the compression level to n.
-L, --lzma_compress Use LZMA compression (slow but better).
-A, --auto_compress Write as fast as possible, with compression
if it helps. Sets compression level 1.
-Mn, --maxsize=n Sets the maximum size of output file to be n
megabytes if no suffix is specified.
Self-explanatory suffixes may be 'g', 'm', 'k' or 'b'.
Alternatively, replace n with:
'cd' for a 650MB CD.
'bigcd' for a 700MB CD.
'dvd' for a DVD.
'dvddl' for a DVD-DL.
-g name=value, --setseg name=value
Create segment 'name' and give it 'value'. The purpose of
this option is to insert arbitrary metadata into the AFF
file. This option may be repeated.
-H, --no_hash Do not calculate MD5, SHA1 and SHA256 of image.
-e0, --error_mode=0 Standard error recovery:
Read disk 256KiB at a time until there are 5 errors in a
row, then go to the end of the disk and read backwards until
there are 5 errors in a row. Then stop.
-e1, --error=1 Stop reading at first error.
-tnn, --retry=nn Change retry count from 5 to nn
-V, --reverse Scan in reverse to the beginning.
-c, --recover-scan Starting with an AFF file that has been
partially acquired, try to read each page, 8 sectors at a time
(implies --append).
-h, --help Give a help message.
-Z, --fast_quit When you hit '^c', just exit immediately.
-E, --allow_regular Allow the imaging of a regular file instead
of a device.
-T, --title=s Change title to s (from IMAGING) and disable
blink.
-d n, --debug=n Set debug code n (-d0 for list).
-y, --use_timers Use timers for compressing, reading & writing
times.
-i, --ident Just print the ident information and exit (for
testing).
EXAMPLES
Create image.aff from /dev/sd0:
aimage /dev/sd0 image.aff
aimage -o image.aff /dev/sd0
Create image0.aff from /dev/sd0 and image1 from /dev/sd1:
aimage /dev/sd0 image0.aff /dev/sd1 /image1.aff
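Model of the standard error recovery (-e0) described under OPTIONS, showing which part of a damaged disk is never read. This is an added example, not aimage source code. It assumes that a successful read resets the error counter, that the backward pass stops where the forward pass ended, and that the count of 5 is the value changed by -t; the function names and the bad-chunk map are constructed for illustration.

```python
# Model of the -e0 recovery strategy from the OPTIONS text (not aimage code).
CHUNK = 256 * 1024   # -e0 reads the disk 256KiB at a time
RETRY = 5            # errors in a row before giving up (assumed to be the -t value)

def plan_recovery(disk_size, bad_chunks, retry=RETRY, chunk=CHUNK):
    """Return (recovered, failed, unread) sets of chunk indexes.

    bad_chunks is a constructed set of chunk indexes whose read fails.
    Assumptions: a good read resets the consecutive-error counter, and
    the backward pass never goes past the forward stop position.
    """
    total = -(-disk_size // chunk)           # ceiling division
    recovered, failed = set(), set()

    def scan(indexes):
        errors = 0
        for i in indexes:
            if i in bad_chunks:
                failed.add(i)
                errors += 1
                if errors >= retry:
                    return i                 # position where this pass stops
            else:
                recovered.add(i)
                errors = 0
        return None                          # pass completed without stopping

    stop_fwd = scan(range(total))
    if stop_fwd is not None:
        # Go to the end of the disk and read backwards toward the stop point.
        scan(range(total - 1, stop_fwd, -1))
    unread = set(range(total)) - recovered - failed
    return recovered, failed, unread

def byte_ranges(chunks, chunk=CHUNK):
    """Collapse chunk indexes into sorted (start, end) byte ranges."""
    ranges = []
    for i in sorted(chunks):
        start, end = i * chunk, (i + 1) * chunk
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((start, end))
    return ranges

if __name__ == "__main__":
    # Constructed 16 MiB disk: one isolated bad chunk (3), damaged span 20-40.
    bad = {3} | set(range(20, 41))
    rec, fail, unread = plan_recovery(16 * 1024 * 1024, bad)
    print("never read:", byte_ranges(unread))
```

The unread range is the gap an examiner has to record as not acquired, or revisit with -c (--recover-scan).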
AUTHOR
This manual page was written by Christophe Monniez
<christophe.monniez@fccu.be> for the Debian project (but may be
used by others).
2010-03-26