This tutorial steps you through accessing the contents of an AFF4 image, directly from your tool of choice, using the Evimetry Filesystem Bridge.
Open filesystem bridge applet
The Filesystem Bridge is accessible via the icon tray in Windows.
1. Left click on the Evimetry Filesystem Bridge icon in the icon tray.
2. Click on "View Mounts"
Choose the storage location to mount within the bridge
The filesystem bridge is able to mount any folder into the bridge. Typical use cases include temporarily mounting a USB connected evidence drive, or permanently mounting a local case folder hierarchy.
1. Click on the "+" button to add a mount.
2. Select the folder to mount.
The full path of the mounted folder (including the drive name) is used as the basis of an easily distinguished mount point in the filesystem bridge virtual filesystem.
Access the image content via virtual filesystem
Within the virtual filesystem, AFF4 images containers are presented as virtual folders.
1. Navigate to the W: drive.
2. Open the mount point folder.
3. Navigate to the image virtual folder.
The Image is presented as a virtual raw file under the virtual raw folder.
4. Open the virtual raw file in your preferred forensic tool.