Simple Forensics imaging with dd, dc3dd & dcfldd

Quick guide to create a forensics image of a drive using dd, dc3dd and dcfldd.

See also this post:

dd

Brief description of the tool from wiki:

dd is a command-line utility for Unix and Unix-like operating systems, the primary purpose of which is to convert and copy files.

$ dd if=/dev/sdb1 of=/evidence/image.dd bs=4096 conv=sync,noerror

Command explanation:

if=/dev/sdb1 is the source, in this case the partition sdb1

of=/evidence/image.dd is where the output file is saved

bs=4096 is the block size (default is 512kb)

conv=sync,noerror: noerror makes dd continue after a read error instead of stopping, and sync pads the rest of any short or unreadable block with NULs so the image keeps the same offsets as the source.
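Plain dd has no on-the-fly hashing, so the integrity check has to be done afterwards by hashing the source and the image separately. The script below is an added example, not code from the original guide: it wraps the dd command above in a function, hashes both sides with sha256sum, and shows the one caveat of conv=sync that trips people up, namely that a final short block is padded with NULs, so an image made with bs=4096 from a source whose size is not a multiple of 4096 will hash differently from the source even though every byte was copied. It assumes GNU coreutils (dd, sha256sum, head -c, tail -c) and runs on a constructed 10000-byte file standing in for the device.

```shell
#!/bin/sh
# Added example, not from the original guide: image a source with plain dd and
# check the result with sha256sum. dd cannot hash on the fly, so the source and
# the image are hashed separately after the copy. Assumes GNU coreutils
# (dd, sha256sum, head -c, tail -c); on macOS use `shasum -a 256` instead.

# sha256_of FILE: print only the hex digest.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_dd SRC DST BS: copy SRC to DST with the options from the guide and
# print the size of the resulting image in bytes.
acquire_dd() {
    dd if="$1" of="$2" bs="$3" conv=sync,noerror 2>/dev/null
    wc -c < "$2" | tr -d ' '
}

# verify_image SRC IMG: print "match" when the hashes agree, "padded" when the
# image equals the source followed only by NUL bytes (the padding conv=sync
# adds to a final short block), and "mismatch" otherwise.
verify_image() {
    src_size=$(wc -c < "$1" | tr -d ' ')
    src_hash=$(sha256_of "$1")
    if [ "$src_hash" = "$(sha256_of "$2")" ]; then
        echo match
    elif [ "$src_hash" = "$(head -c "$src_size" "$2" | sha256sum | cut -d' ' -f1)" ] \
         && [ "$(tail -c +$((src_size + 1)) "$2" | tr -d '\0' | wc -c | tr -d ' ')" = "0" ]; then
        echo padded
    else
        echo mismatch
    fi
}

# Demonstration on constructed data (a 10000-byte file standing in for the
# device). With bs=4096 the last short block is padded to 12288 bytes, so the
# image hash no longer equals the source hash; with bs=1000 the sizes agree.
work=$(mktemp -d)
yes "constructed sample data" | head -c 10000 > "$work/source.bin"
echo "bs=4096: image size $(acquire_dd "$work/source.bin" "$work/image4k.dd" 4096) -> $(verify_image "$work/source.bin" "$work/image4k.dd")"
echo "bs=1000: image size $(acquire_dd "$work/source.bin" "$work/image1k.dd" 1000) -> $(verify_image "$work/source.bin" "$work/image1k.dd")"
rm -rf "$work"
```

Whole disks and partitions are normally sector-aligned, but a partition whose sector count is not a multiple of the chosen bs still gets padded; record the source size alongside the hashes so a "padded" result can be explained in the report rather than mistaken for a corrupted image.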

dc3dd

If you are interested in a complete drive acquisition guide, you can also refer to this article: drive acquisition using dc3dd

Brief description from the official website:

A patch to the GNU dd program, this version has several features intended for forensic acquisition of data. Highlights include hashing on-the-fly, split output files, pattern writing, a progress meter, and file verification.

$ dc3dd if=/dev/sdb1 of=/evidence/image.dd bs=4k hash=sha256 hashlog=hash.log log=image.log progress=on

Command explanation:

if=/dev/sdb1 is the source, in this case the partition sdb1

of=/evidence/image.dd is where the output file is saved

bs=4k is the block size

hash=sha256 hashes the input on the fly with SHA-256

log=image.log is the output path for the log

hashlog=hash.log saves the hash output to hash.log instead of stderr

progress=on displays a progress meter

dcfldd

Brief description from the official website:

dcfldd is an enhanced version of GNU dd with features useful for forensics and security. Based on the dd program found in the GNU Coreutils package, dcfldd has the following additional features:

  • Hashing on-the-fly – dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
  • Status output – dcfldd can update the user of its progress in terms of the amount of data transferred and how much longer operation will take.
  • Flexible disk wipes – dcfldd can be used to wipe disks quickly and with a known pattern if desired.
  • Image/wipe Verify – dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
  • Multiple outputs – dcfldd can output to multiple files or disks at the same time.
  • Split output – dcfldd can split output to multiple files with more configurability than the split command.
  • Piped output and logs – dcfldd can send all its log data and output to commands as well as files natively.

$ dcfldd if=/dev/sdb1 conv=sync,noerror hash=sha256 hashlog=hash.log of=/evidence/image.dd

Command explanation:

if=/dev/sdb1 is the source, in this case the partition sdb1

of=/evidence/image.dd is where the output file is saved

conv=sync,noerror: noerror makes dcfldd continue after a read error instead of stopping, and sync pads the rest of any short or unreadable block with NULs.

hash=sha256 hashes the input on the fly with SHA-256

hashlog=hash.log saves the hash output to hash.log instead of stderr

[Note] Drive acquisition using dc3dd

In this quick tutorial we will use dc3dd to obtain a raw image of a hard drive. dc3dd was developed at the Department of Defense's Cyber Crime Center and is a patched version of the GNU dd command with added features for computer forensics. One of the main characteristics of dc3dd is that its code comes from a fork of dd, so dc3dd is updated every time dd is updated. dc3dd can hash on the fly with multiple algorithms (MD5, SHA-1, SHA-256, and SHA-512). First you need to find the hard drive from which you want to create a forensic image; you can do that with fdisk using this parameter:

sudo fdisk -l

The output will be similar to the one in the screenshot below:

Output of fdisk -l

The device that will be acquired is the one marked with a yellow arrow in the screenshot: /dev/sdc1.

Finally we can run dc3dd, using these parameters:

sudo dc3dd if=/dev/sdc1 of=usb1_evidence_image.img hash=sha256 log=usb1_evidence.log

Explanation of the parameters:

if             => input file
/dev/sdc1      => source drive
of             => output file
hash           => on-the-fly hashing algorithm
log            => path of the log file

Then you will see the progress of dc3dd, like in the screenshot below:

dc3dd running output

After that, when dc3dd terminates, you will find the acquired image at the path given after the parameter of= and the log file (which contains the running output) at the path given after the parameter log=. The log file also contains the hash calculated for the image. An example of the log file's contents is shown in the screenshot below.

Log file of dc3dd
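The hash that dc3dd writes to its log (and that dcfldd writes to its hashlog) is only useful if somebody later recomputes the hash of the stored image and compares the two. The script below is an added example, not part of the original guide or of either tool: it pulls the SHA-256 digest out of a log by looking for a 64-hex-digit token, so it does not depend on the exact line layout of a real dc3dd or dcfldd log (which is not reproduced here; the sample log is constructed), recomputes sha256sum over the image, reports verified/mismatch/no-digest, and finally drops write permission on the image so later analysis tools cannot alter it by accident. It assumes GNU coreutils (sha256sum, chmod, ls) and grep with -E and -o.

```shell
#!/bin/sh
# Added example, not from the original guide: re-verify an acquired image
# against the SHA-256 digest recorded by dc3dd (log=/hashlog=) or dcfldd
# (hashlog=). The digest is located by its 64-hex-character shape, so the
# real log layout of either tool does not need to be reproduced. Assumes GNU
# coreutils (sha256sum, chmod, ls) and grep -E -o.

# logged_sha256 LOG: print the first SHA-256 digest (64 hex chars) found in LOG.
logged_sha256() {
    grep -o -E '[0-9a-f]{64}' "$1" | head -n 1
}

# verify_image_hash IMG LOG: print "verified" when the recomputed hash equals
# the logged digest, "no-digest" when the log contains none, "mismatch" otherwise.
verify_image_hash() {
    expected=$(logged_sha256 "$2")
    if [ -z "$expected" ]; then
        echo no-digest
        return 0
    fi
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        echo verified
    else
        echo mismatch
    fi
}

# seal_image IMG: make the image read-only for everyone and print the
# resulting permission string (e.g. -r--r--r--).
seal_image() {
    chmod 0444 "$1"
    ls -l "$1" | cut -c1-10
}

# Demonstration on constructed data: an 8192-byte "image" and a constructed
# hash log holding its digest (the layout is invented; only the digest is used).
work=$(mktemp -d)
yes "constructed evidence bytes" | head -c 8192 > "$work/image.dd"
printf 'sha256 %s\n' "$(sha256sum "$work/image.dd" | cut -d' ' -f1)" > "$work/hash.log"
echo "untouched image: $(verify_image_hash "$work/image.dd" "$work/hash.log")"
cp "$work/image.dd" "$work/tampered.dd"
printf 'X' | dd of="$work/tampered.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
echo "one byte changed: $(verify_image_hash "$work/tampered.dd" "$work/hash.log")"
echo "sealed as: $(seal_image "$work/image.dd")"
rm -rf "$work"
```

Run the verification once right after acquisition, while the source device is still attached, and again whenever the image is copied to new storage; keep the logged digest with the log file itself rather than in a place that is modified later.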