#forensics #security #acquisition #file-format #file


This crate is a library to interact with zff, a file format for forensic images

5 releases (1 stable)

2.0.1 Sep 15, 2022
2.0.0 Jul 21, 2022
2.0.0-beta.5 May 18, 2022
2.0.0-beta.1 Apr 20, 2022
0.1.0 Aug 10, 2021

#256 in Cryptography

Download history 18/week @ 2023-06-02 1/week @ 2023-06-09 49/week @ 2023-06-16 22/week @ 2023-06-23 39/week @ 2023-06-30 49/week @ 2023-07-07 13/week @ 2023-07-14 29/week @ 2023-07-21 20/week @ 2023-07-28 21/week @ 2023-08-04 16/week @ 2023-08-11 20/week @ 2023-08-18 35/week @ 2023-08-25 14/week @ 2023-09-01 34/week @ 2023-09-08 18/week @ 2023-09-15

101 downloads per month
Used in 4 crates


7.5K SLoC


crate Docs Apache2/MIT licensed Rust Version website

Zff (Z forensic file format) is a completely new designed file format to store and handle the contents and structure of a partial or entire disk image, physical memory or logical file/folder structures. The focus of zff is on speed, security and modularity in concert with forensic requirements. The modular design promises high maintainability and scalability. Zff is an alternative to the ewf and aff file formats and is not compatible with them.

You can learn more about the file format and its specifications at https://zff.dev.

Features included in Zff(v2) (most of them are optional)

  • ⚡ modern, blazingly fast methods to compress the dumped data (like Zstd or Lz4) ⚡
  • 🔒 the data can optionally be stored encrypted. Strong AEAD and PBE algorithms are used. 🔒
  • ☄ The format is built to be streamable (e.g. you could stream a zff dump/container via HTTP). ☄
  • 🪂 Zff can handle both: logical dumps (like filesystem extractions) and physical dumps (like dd dumps). 🪂
  • 🤹 The format is built to be splitable in multiple files. 🤹
  • 🍱 You can store multiple dumps within one zff-container and extend an existing zff container with additional dumps. 🍱
  • 🛡 To prevent manipulation attacks, the data can be stored signed. 🛡
  • 🔗 Fast and modern hash algorithms are used to ensure the integrity of stored data. 🔗

Zff tools and libraries

There are several tools (and this library) to work with zff containers (or acquire them). All tools and libraries are written in pure Rust.

Name Type Description Crates.io MRSV
zff library Library to handle the zff format crates.io 1.58.1
zffacquire binary Tool to acquire disk images in zff format crates.io 1.58.1
zffanalyze binary Tool to get information about a zff container crates.io 1.58.1
zffmount binary Tool to mount a zff container with FUSE (similar to xmount) crates.io 1.58.1


The following benchmarks were all run on a notebook, which has the following specifications:

  • Dell XPS 13 9310 2-in-1
  • 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
  • 32GB LPDDR4x 4267 Mhz
    The installed operating system was Gentoo Linux.
    Input and output storage device was the internal NVMe.

The following benchmark was created for a ~20GB prebuilt image, which was generated using this script.

Acquisition time
¹Using Guymager 0.8.12, with the default guymager.cfg, MD5 hash calculation, without "HashVerifyDest".
²Using Guymager 0.8.12, with enabled Aff support and Aff compression level 1 in guymager.cfg, with MD5 hash calculation, without "HashVerifyDest".
³using zffacquire physical -i raw/example01.dd -o zff_lz4 -z lz4
⁴using zffacquire physical -i raw/example01.dd -o zff -S per_chunk_signatures
⁵using zffacquire physical -i raw/example01.dd -o zff -p 123
⁶using zffacquire physical -i raw/example01.dd -o zff
⁷using ewfacquire example01.dd -t example01_ewf -f encase7-v2 -b 64 -c fast -S 7.9EiB -u
⁸using ewfacquire example01.dd -t example01_ewf -b 64 -c fast -S 7.9EiB -u, using ewfacquire 20171104.
⁹using linpmem-3.3-rc1 -i example01.dd -o output.aff4
¹⁰using linpmem-3.3-rc1 -i example01.dd -o output.aff4 --threads 8
¹¹using linpmem-3.3-rc1 -i example01.dd -o output.aff4 -c snappy
¹²using linpmem-3.3-rc1 -i example01.dd -o output.aff4 -c snappy --threads 8
¹³using linpmem-3.3-rc1 -i example01.dd -o output.aff4 -c lz4\

As you can see, zffacquire is in most cases much faster than the other tools - even if you store the data encrypted. Using zffacquire with the default values gives no performance disadvantage. The situation is different, of course, with an additional signature operation (but the same would also apply to Guymager with "HashVerifyDest" and/or "HashVerifySrc" enabled).

zffacquire and linpmem produce very good benchmarks using lz4 (which just goes to show how much switching compression algorithms can do!).

Two of the acquired images (The Guymager-e01-image at number 1, acquired in the benchmark process above and the zff-z01-image acquired with the default options of zffacquire, see above at number 6), the acquired Ex01-image (number 7) and the acquired Aff-image (by Guymager, see number 2), were used as the basis for the read speed benchmark. For the benchmark, xmount and zffmount was used to FUSE mount the appropriate images. Next, dd was used to benchmark the read speed.

Unfortunately, I have not found an official reference tool that could have been used to FUSE mount aff4 images (neither on www.aff4.org nor on docs.aff4.org). If someone can tell me one, I will update the benchmarks appropriately.

Read speed
¹The following commands were used:

zffmount -i zff.z01 -m /tmp/zffmount
dd if=/tmp/zffmount/zff_image.dd of=/dev/null bs=1M

²The following commands were used:

affuse aff_image.aff /tmp/affmount
dd if=/tmp/affmount/aff_example01.aff.raw of=/dev/null bs=1M

³The following commands were used:

xmount --in aff aff_image.aff /tmp/affmount
dd if=/tmp/affmount/aff_image.dd of=/dev/null bs=1M

⁴The following commands were used:

xmount --in ewf ewfacquired.Ex01 /tmp/ewfmount
dd if=/tmp/ewfmount/ewfacquired.dd of=/dev/null bs=1M

⁵The following commands were used:

xmount --in ewf guymager.e01 /tmp/ewfmount
dd if=/tmp/ewfmount/guymager.dd of=/dev/null b=1M

Zff layout

See the website for further information.


Zff is open source and Apache 2.0 and MIT licensed. This should ensure compliance to use with both open source and commercial software.


Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.


~209K SLoC