Man Linux: Main Page and Category List


       aimage - tool to create forensic copy of a device in aff format.


       aimage INPUT1 [OUTFILE1.aff] [INPUT2] [OUTPUT2.aff]


       aimage is a tool to create copies of devices in a forensic manner.  The
       resulting image can be in raw format, like a dd, or in aff format.  AFF
       stands  for  Advanced  Forensic  Format  which  is  an open format with
       multiple advantages:

       ·   It can store arbitrary metadata.

       ·   The image can be compressed with a high compression level.

       ·   The resulting image can be encrypted.

       ·   The resulting image can be sliced into smaller pieces to fit
           on medias or filesystems than cannot hold large files.


       INPUT1  device  name  or  a  file name that you want to create a
       forensic image from.

       OUTFILE1  a  filename  for  the  output  file. This parameter is
       mandatory unless you use the -o option.

       You can specify more than one input and output files.


       A  configuration  file  can  be  used to add metadata to the AFF
       file.  This configration file contains questions to ask  to  the
       user  of aimage just before the copy and the correspondig fields
       to store in AFF file.


       -q, --quiet No interactive statistics.

       -Y, --batch  Batch  output,  continuously  print  statistics  to
       standard ouput instead of a static screen.

       -Q, --silent No output at all except for errors.

       -R nnnn, --readsectors=nnnn set number of  sectors  to  read  at
       once (default 32768).

       -v, --version print version number and exit.

       -k nn[s], --skip=nn[s] skip nn  bytes  from  the  start  of  the
       input. Use nns to skip sectors instead of bytes.

       -B, --no_beeps Don’t beep when imaging is finished.

       -l LOGFILE, --logfile=LOGFILE Specify a  log  filename  (no  log
       file is written by default).

       -G, --logAFF Log AFF operations.

       -p, --preview view some of the data as it goes by.  This  option
       does not work when -q or -Y is specified.

       -b, --verify verify the input against the output file.

       -w, --wipe verify after imaging, and, if valid, wipe the source.

       -CCOMMAND, --execCOMMAND’ Execute the command COMMAND after
       imaging (before wiping). Use the ’%s’ variable for image name.

       -z, --zap Erase ouput file(s) before writing them.

       -o FILENAME, --outfile=FILENAME Specify the output file name  as

       -S nnnn, --image_pagesize=nnnn Specify the AFF page size as nnnn
       (default  to  16777216)  (number can be suffixed with b, k, m or

       -m, --make_config Make a sample config file if it doesn’t exist.
           Config file is aimage.cfg by default and can  be  overridden
           by  the  AIMAGE_CONFIG  enviroment  variable.  If the config
           file doesn’t exists, it’s created  and  the  programs  exits
           right  after.   If  the  config  file  exists,  the programs
           directly starts the copy." 4

       -D, --no_dmesg Do not put dmesg into the AFF file.

       -x, --no_compress Do not compress. Useful on slow machines.

       -Xn, --compression=n Set the compression level to n.

       -L, --lzma_compress Use LZMA compression (slow but better).

       -A, --auto_compress Write as fast as possible, with  compression
       if it helps. Sets compression level 1.

       -Mn, --maxsize=n Sets the maximum size of output file  to  be  n
       megabytes if no suffix is specified.
           self explanatory suffixes maybe ’g’, ’m’, ’k’ or ’b’.

       Replace n by :

       ´cd´ for a 650MB CD.

       ´bigcd´ for a 700MB CD.

       ´dvd´ for a DVD.

       ´dvddl´ for a DVD-DL.

       -g name=value, --setseg name=value
           Create segment ’name’ and give it ’value’.  The  purpose  of
           this  option  is to insert an arbitrary metadata into th AFF
           file.  This option may be repeated.

       -H,  --no_hash Do not calculate MD5, SHA1 and SHA256 of image.

       -e0, --error_mode=0 Standard error recovery:
            Read disk 256KiB at a time until there are 5  errors  in  a
           row, then go to the end of the disk and read backwards until
           there are 5 erros in a row. Then stop.

       -e1, --error=1 Stop reading at first error.

       -tnn, --retry=nn Change retry count from 5 to nn

       -V, --reverse Scan in reverse to the beginning.

       -c, --recover-scan Starting with  an  AFF  file  that  has  been
       partially  acquired,  try to read each page, 8 sectors at a time
       (implies --append).

       -h, --help Give an help message.

       -Z, --fast_quit When you hit ´^c´, just exit immediately.

       -E, --allow_regular Allow the imaging of a regular file  instead
       of a device.

       -T, --title=s Change title  to  s  (from  IMAGING)  and  disable

       -d n, --debug=n Set debug code n (-d0 for list).

       -y, --use_timers Use timers for compressing, reading  &  writing

       -i, --ident Just print  the  ident  information  and  exit  (for


   Create image.aff from /dev/sd0:
              aimage /dev/sd0 image.aff aimage -o image.aff /dev/sd0

   Create image0.aff from /dev/sd0 and image1 from /dev/sd1:
              aimage /dev/sd0 image0.aff /dev/sd1 /image1.aff


       This   manual   page   was   written   by   Christophe   Monniez
       <>  for the Debian project (but may be
       used by others).