Velocidex/WinPmem

AFF4 support

Closed this issue · 1 comment

It would be great to have aff4 support again, for logical file/folder acquisition.
One question about c-aff4: when acquiring files, their creation/modification dates are changed to the acquisition time. As a forensic image, shouldn't it keep the original dates?

Thank you.

This will probably not happen as we use Velociraptor now to do acquisition (of many other things than just memory). Probably the best advantage of aff4 was to allow the collection of logical evidence in addition to memory, but this is better done in Velociraptor using regular zip files. Velociraptor also allows collecting many other things which are not files and do not fit nicely into the aff4 data model (like WMI, event logs, process state and many, many other things, including initial triage processing, etc.).

It is better to keep the Winpmem user space code simple and quick and allow other tools to do more complex things.