Skip to content
/ zffacquire Public

Tool to acquire entire disks or logical files/folders into the forensic format Zff.

License

GPL-3.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

zff-team/zffacquire

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

99 Commits
.github
.github
 
 
snap
snap
 
 
src/bin
src/bin
 
 
.gitignore
.gitignore
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

zffacquire

zffacquire is a command line utility for acquiring images and/or logical file/folder structures into the forensic format Zff.

Installation

Build from source (Linux)

Prerequisites

First, you need to install rust and cargo to build or install zffacquire.

After that you still need the gcc, which you can install as follows (depends on the distribution):

Debian/Ubuntu
$ sudo apt-get install gcc
Fedora
$ sudo dnf install gcc

Then you can easily build this tool yourself by using cargo:

[/home/ph0llux/projects/zffacquire] $ cargo build --release

Cross-compile for Windows

You need a cross-compiler and should use the target x86_64-pc-windows-gnu for Windows x86 or aarch64-pc-windows-msvc for Windows on arm64.
It is necessary to use a nightly compiler, stable Rust is currently not supported for Windows targets (by the underlying zff-library).

cargo +nightly build --release --target=x86_64-pc-windows-gnu # for x86 targets
cargo +nightly build --release --target=aarch64-pc-windows-msvc # for arm64 targets

Install via cargo

Or you can install the tool directly from crates.io:
```bash
$ cargo install zffacquire

Usage

Example for Linux systems

To create an image with the default parameters, the following command is just enough:

zffacquire physical -i /dev/sda -o /media/usb-hdd/my_zff_container

You can also dump a logical folder structure into a logical zff container:

zffacquire logical -i /home/ph0llux/pictures -o /media/usb-hdd/my_zff_container

And you can extend an zff container by adding additional containers:

zffacquire physical -i /dev/sda -o /media/usb-hdd/my_zff_container
zffacquire extend logical -i /home/ph0llux/pictures -a /media/usb-hdd/my_zff_container.z01
zffacquire extend physical -i /dev/sdb -a /media/usb-hdd/my_zff_container.z01

The complete feature set of zffacquire can be shown using zffacquire -h.

Example for Windows systems

On Windows, you can list the dumpable physical targets with the list-devices subcommand.

zffacquire list-devices

If you want to dump a full physical device, you can choose the appropriate device from the printed table (by using the command above).

zffacquire physical -i "\\?\PhysicalDrive2" -o my_physical_drive

You can also dump just a single volume (e.g. the volume which is mounted at drive D:\):

zffacquire physical -i "\Device\HarddriveVolume2" -o my_volume_d

In both cases, you have to use the quotation marks as shown or to escape the \ characters.

The complete feature set of zffacquire can be shown using zffacquire -h.

About

Tool to acquire entire disks or logical files/folders into the forensic format Zff.

Topics

rust security forensics acquisition zff

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 6

1.0.1 Latest
Sep 15, 2022
+ 5 releases

Packages

No packages published

Languages