Difference between revisions of "Dcfldd"

From ForensicsWiki
Both compared revisions are minor edits (m); edit summary of the newer one: "typo in sourcedrive".
(5 intermediate revisions by 4 users not shown)

Changes between the compared revisions, shown as old text followed by new text:

Line 1 (infobox and introduction):

  maintainer = [[Nicholas Harbour]] |
  maintainer = [[Nick Harbour]] |

  genre = [[Category:Disk imaging]][[:Category:Disk imaging|Disk imaging]] |
  genre = {{Disk imaging}} |

  license = [[Category:GPL]][[:Category:GPL|GPL]] |
  license = {{GPL}} |

  '''dcfldd''' is an enhanced version of [[GNU]] [[dd]]. It has some useful features for forensic [[investigator]]s:
  '''dcfldd''' is an enhanced version of [[dd]] developed by the U.S. Department of [[Defense Computer Forensics Lab]]. It has some useful features for forensic [[investigator]]s such as:

Line 15 (feature list and new sections):

  * The output can be splitted into multiple files.
  * The output can be split into multiple files.

  Added after the feature list (new revision only):

  The program only produces [[raw image file|raw image files]].

  ==Example==
  '''Unix/Linux'''
  followed by the dcfldd command and its explanation exactly as they appear in the latest revision below.

Latest revision as of 19:08, 19 June 2011

dcfldd
Maintainer: Nick Harbour
OS: Linux, Windows
Genre: Disk imaging
License: GPL
Website: dcfldd.sf.net

dcfldd is an enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab. It has some useful features for forensic investigators such as:

  • On-the-fly hashing of the transmitted data.
  • Progress bar of how much data has already been sent.
  • Wiping of disks with known patterns.
  • Verification that the image is identical to the original drive, bit-for-bit.
  • Simultaneous output to more than one file/disk is possible.
  • The output can be split into multiple files.
  • Logs and data can be piped into external applications.

The program only produces raw image files.

Example

Unix/Linux

dcfldd if=/dev/sourcedrive hash=md5,sha256 hashwindow=10G md5log=md5.txt sha256log=sha256.txt \
       hashconv=after bs=512 conv=noerror,sync split=10G splitformat=aa of=driveimage.dd

This command reads the source drive in 512-byte blocks and writes the first ten gigabytes to a file called driveimage.dd.aa, calculating the MD5 and SHA-256 hashes of that ten-gigabyte window as it goes. It then reads the next ten gigabytes into driveimage.dd.ab, and so on. The MD5 hashes are stored in a file called md5.txt and the SHA-256 hashes in a file called sha256.txt. The block size for the transfer is set to 512 bytes, and in the event of a read error dcfldd does not stop but writes zeros in place of the unreadable block (conv=noerror,sync).
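The behaviour described above (windowed hashing, split output files, zero-filling of unreadable blocks, and verification of the resulting hash log against the image pieces) as an added Python model; this is example code written for this page, not code from dcfldd or from the wiki. FakeDrive, Imager, verify_image, split_suffix and demo are assumptions, the 2300-byte source and its bad sector are constructed, and the "start - end: hash" / "Total (algo): hash" log layout is only modelled on dcfldd's output.

```python
import hashlib

BS = 512  # transfer block size, matching bs=512 in the command above

class BadSectorError(IOError):
    """Raised by the fake drive when a sector cannot be read."""

class FakeDrive:
    """Constructed in-memory stand-in for /dev/sourcedrive (an assumption, not a real device);
    sector numbers listed in bad_sectors raise BadSectorError to model an unreadable area."""

    def __init__(self, data: bytes, bad_sectors=()):
        self.data = data
        self.bad_sectors = set(bad_sectors)

    def block_count(self) -> int:
        return (len(self.data) + BS - 1) // BS

    def read_block(self, index: int) -> bytes:
        if index in self.bad_sectors:
            raise BadSectorError(f"read error at sector {index}")
        return self.data[index * BS:(index + 1) * BS]

def split_suffix(index: int) -> str:
    """Two-letter suffix in the style of splitformat=aa: 0 -> 'aa', 1 -> 'ab', ..."""
    return chr(ord("a") + index // 26) + chr(ord("a") + index % 26)

class Imager:
    """Models: dcfldd bs=512 conv=noerror,sync hashconv=after hashwindow=W split=S hash=md5,sha256."""

    def __init__(self, window: int, split: int, algos=("md5", "sha256")):
        self.window, self.split, self.algos = window, split, algos
        self.chunks = []                    # one bytearray per split file (.aa, .ab, ...)
        self.logs = {a: [] for a in algos}  # one log per algorithm (md5log=, sha256log=)
        self._total = {a: hashlib.new(a) for a in algos}
        self._win = {a: hashlib.new(a) for a in algos}
        self._win_start = self._offset = 0

    def _write(self, data: bytes) -> None:
        # Append to the current split file, opening a new one every `split` bytes.
        while data:
            if not self.chunks or len(self.chunks[-1]) == self.split:
                self.chunks.append(bytearray())
            room = self.split - len(self.chunks[-1])
            self.chunks[-1] += data[:room]
            data = data[room:]

    def _hash(self, data: bytes) -> None:
        # Feed data to the running total and the current window; log each completed window.
        while data:
            room = self.window - (self._offset - self._win_start)
            part, data = data[:room], data[room:]
            for a in self.algos:
                self._total[a].update(part)
                self._win[a].update(part)
            self._offset += len(part)
            if self._offset - self._win_start == self.window:
                self._close_window()

    def _close_window(self) -> None:
        # "start - end: hash" line layout is modelled on dcfldd's log output (an assumption).
        for a in self.algos:
            self.logs[a].append(f"{self._win_start} - {self._offset}: {self._win[a].hexdigest()}")
            self._win[a] = hashlib.new(a)
        self._win_start = self._offset

    def image(self, drive: FakeDrive):
        for i in range(drive.block_count()):
            try:
                block = drive.read_block(i)
            except BadSectorError:
                block = b""                   # conv=noerror: continue past the failed read
            block = block.ljust(BS, b"\x00")  # conv=sync: pad short/failed reads with NULs
            self._write(block)
            self._hash(block)                 # hashconv=after: hash the padded data as written
        if self._offset > self._win_start:    # close the final, partial window
            self._close_window()
        for a in self.algos:
            self.logs[a].append(f"Total ({a}): {self._total[a].hexdigest()}")
        return [bytes(c) for c in self.chunks], self.logs

def verify_image(chunks, log, algo) -> bool:
    """Recompute every logged window hash and the total over the reassembled split files."""
    data = b"".join(chunks)
    for line in log:
        rng, expected = line.split(": ")
        if rng.startswith("Total"):
            start, end = 0, len(data)
        else:
            start, end = (int(x) for x in rng.split(" - "))
        if hashlib.new(algo, data[start:end]).hexdigest() != expected:
            return False
    return True

def demo():
    # Constructed 2300-byte source: five sectors, the last one short, sector 2 unreadable.
    source = (bytes(range(256)) * 9)[:2300]
    drive = FakeDrive(source, bad_sectors={2})
    return Imager(window=1024, split=1024).image(drive)
```

Running demo() produces three pieces (1024, 1024 and 512 bytes, i.e. driveimage.dd.aa, .ab and .ac in the naming of the command above) and a log per algorithm with one line per 1024-byte window plus a total. Two points the model makes visible: the unreadable sector and the short final read are imaged as zero-filled 512-byte blocks, so the image hash is not the hash of the readable source bytes, and verify_image detects any later change to a piece because the affected window's hash no longer matches the log.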