This page maintains versions of the sfsimage script to manage squashfs forensic evidence containers.

This script uses the squashfs read-only compressed filesystem as a digital forensic evidence container. Taking forensic images of drives continues to be a challenge, partly due to the increasing sizes of drives and partly due to the increasing number of drives involved in forensic investigations. Commercial forensic formats such as EnCase Expert Witness and FTK SMART, as well as the open AFFlib format, all offer built-in seekable compression. Raw disk images compressed with gzip or other common compression tools do not support seeking with regular tools. This script provides an alternative method to compress raw disk images in a seekable way without the need for a specialized forensic format or compatible tools. The squashfs filesystem has a number of properties that make it suitable for use as a forensic evidence container. This simple and practical technique can be used when other more advanced forensic tools and formats are unavailable or incompatible.
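The seekability point above, as an added illustration that is not part of sfsimage and does not reproduce the squashfs on-disk format: compressing an image in independent fixed-size blocks with an index lets a reader fetch any sector by decompressing only the blocks it touches, whereas a single gzip stream has to be decompressed from the start. The container layout, function names and sample image are constructed for this example.

```python
import hashlib
import zlib

BLOCK_SIZE = 128 * 1024  # 128 KiB, the mksquashfs default; an assumption of this example


def pack(raw, block_size=BLOCK_SIZE):
    """Compress raw in independent blocks; index[i] = (offset, length) in blob."""
    blob, index = bytearray(), []
    for start in range(0, len(raw), block_size):
        comp = zlib.compress(raw[start:start + block_size])
        index.append((len(blob), len(comp)))
        blob += comp
    return bytes(blob), index


def read_at(blob, index, offset, length, block_size=BLOCK_SIZE):
    """Return (raw[offset:offset+length], number of blocks decompressed)."""
    if offset < 0:
        raise ValueError("offset must be non-negative")
    if length <= 0:
        return b"", 0
    first = offset // block_size
    # Clamp to the last block so reads running past the end are truncated.
    last = min((offset + length - 1) // block_size, len(index) - 1)
    out = bytearray()
    for pos, clen in index[first:last + 1]:
        out += zlib.decompress(blob[pos:pos + clen])
    skip = offset - first * block_size
    return bytes(out[skip:skip + length]), max(0, last - first + 1)


def make_sample_image(sectors=4096, sector_size=512):
    """Constructed 2 MiB 'disk image': each sector repeats a tag derived from its number."""
    return b"".join(
        hashlib.sha256(n.to_bytes(8, "big")).digest() * (sector_size // 32)
        for n in range(sectors)
    )


if __name__ == "__main__":
    image = make_sample_image()
    blob, index = pack(image)
    sector, touched = read_at(blob, index, 3000 * 512, 512)
    assert sector == image[3000 * 512:3001 * 512]
    print(f"{len(index)} blocks stored, {touched} decompressed to read sector 3000")
    print("image sha256:", hashlib.sha256(image).hexdigest())
```
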

2016-07-12, initial release: sfsimage-0.9.tar

