Revisiting logical image formats for future digital forensics: A comprehensive analysis on L01 and AFF4-L

Abstract

As the capacity of storage devices continues to increase significantly and cloud environments emerge, there is a need to perform logical imaging to selectively collect specific data relevant to a case. However, there is currently insufficient research addressing the appropriateness and usability of logical image file formats, which could potentially raise issues in terms of the originality and integrity of digital evidence. This study performs a comprehensive analysis of the internal structures and metadata of existing proprietary and open-source logical image file formats, with a particular focus on the L01 and AFF4-L. Furthermore, this study reveals several limitations of each file format and the supporting tools through practical experiments including metadata manipulation and stress tests. More specifically, the potential for loss of originality and metadata manipulation during and after logical imaging underscores the necessity for the development and standardization of more advanced logical image file formats to systematically manage different types of digital evidence from different sources. The findings of this research also demonstrate the necessity of collective efforts from the community for the continuous improvement of logical image file formats.