This tutorial steps you through accessing the contents of an AFF4 image, directly from your tool of choice, using the Evimetry Filesystem Bridge.
Open filesystem bridge applet
The Filesystem Bridge is accessible via the icon tray in Windows.
1. Left click on the Evimetry Filesystem Bridge icon in the icon tray.
2. Click on "View Mounts"
Choose the storage location to mount within the bridge
The filesystem bridge is able to mount any folder into the bridge. Typical use cases include temporarily mounting a USB connected evidence drive, or permanently mounting a local case folder hierarchy.
1. Click on the "+" button to add a mount.
2. Select the folder to mount.
The full path of the mounted folder (including the drive name) is used as the basis of an easily distinguished mount point in the filesystem bridge virtual filesystem.
Access the image content via virtual filesystem
Within the virtual filesystem, AFF4 images containers are presented as virtual folders.
1. Navigate to the W: drive.
2. Open the mount point folder.
3. Navigate to the image virtual folder.
The Image is presented as a virtual raw file under the virtual raw folder.
4. Open the virtual raw file in your preferred forensic tool.
Tune the Filesystem Bridge
The Evimetry Filesystem bridge provides high speed access to AFF4 images from your current tools, and is installed along with the Controller. To aceive optimal speeds, it stores some information persistently on your system. It is highly recommended that this data is stored on a relatively un-contended SSD or NVMe drive.
1. Right click on the Filesystem Bridge icon in the task bar.
Autorun issue On Windows 10, the filesystem bridge may need to be manually started. Simply run the Evimetry Filesystem Bridge Applet
2. Select configuration.
3. Change the Index Cache Base Path to a path on an SSD or NVMe drive for best performance.