AI Forensic Triage V1.1.1 — Broad Evidence Format Support

@FlipForensics FlipForensics released this 20 Feb 16:28
· 42 commits to main since this release

What's New

Full Dissect evidence format coverage. AIFT now accepts every evidence type supported by the Dissect framework — from traditional forensic images to virtual machine disks, backup archives, and triage output directories.

Supported Evidence Formats

| Category | Formats | Notes |
|---|---|---|
| EnCase (EWF) | .E01, .Ex01, .S01, .L01 | Split segments (.E02, .E03, …) auto-discovered in the same directory |
| Raw / DD | .dd, .img, .raw, .bin, .iso | Bit-for-bit disk images |
| Split Raw | .000, .001, … | Segmented raw images — pass the first segment |
| VMware | .vmdk, .vmx, .vmwarevm | Virtual disk and VM config (auto-loads associated disks) |
| Hyper-V | .vhd, .vhdx, .vmcx | Legacy and modern formats |
| VirtualBox | .vdi, .vbox | Disk and VM config |
| QEMU | .qcow2, .utm | Copy-On-Write and UTM bundles |
| Parallels | .hdd, .hds, .pvm, .pvs | Parallels Desktop images |
| OVA / OVF | .ova, .ovf | Open Virtualization Format |
| XenServer | .xva, .vma | Xen and Proxmox exports |
| Backup | .vbk | Veeam Backup files |
| Dissect Native | .asdf, .asif | Dissect acquire output |
| FTK / AccessData | .ad1 | Logical images |
| Archives | .zip, .7z, .tar, .tar.gz | Extracted and scanned for nested evidence files |

Evidence can also be provided as a directory path — useful for KAPE, Velociraptor, or UAC triage output.

Bug Fixes & Testing

  • Fixed several parsing and pipeline bugs identified during testing.
  • Expanded test coverage across artifact parsers and API endpoints.