#forensics #acquisition #security #command-line-tool #file-format #file

app zffacquire

A command line utility for acquiring data into the forensic format Zff

5 releases (1 stable)

2.0.0-beta.0 Dec 28, 2023
1.0.1 Sep 15, 2022
1.0.0 Jul 24, 2022
1.0.0-beta.1 Mar 31, 2022
0.10.0 Nov 6, 2021

#1363 in Command line utilities

MIT/Apache and maybe LGPL-2.1

646 lines


zffacquire is a command line utility for acquiring images and/or logical file/folder structures into the forensic format Zff.



First, you need to install rust and cargo to build or install zffacquire.

After that you still need the gcc, which you can install as follows (depends on the distribution):

$ sudo apt-get install gcc
$ sudo dnf install gcc

Then you can easily build this tool yourself by using cargo:

[/home/ph0llux/projects/zffacquire] $ cargo build --release

Or you can install the tool directly from crates.io:

$ cargo install zffacquire


To create an image with the default parameters, the following command is just enough:

zffacquire physical -i /dev/sda -o /media/usb-hdd/my_zff_container

You can also dump a logical folder structure into a logical zff container:

zffacquire logical -i /home/ph0llux/pictures -o /media/usb-hdd/my_zff_container

And you can extend an zff container by adding additional containers:

zffacquire physical -i /dev/sda -o /media/usb-hdd/my_zff_container
zffacquire extend logical -i /home/ph0llux/pictures -a /media/usb-hdd/my_zff_container.z01
zffacquire extend physical -i /dev/sdb -a /media/usb-hdd/my_zff_container.z01

The complete feature set of zffacquire can be shown using zffacquire -h.


~432K SLoC