DC3DD

Description

DC3DD is a patched version of the GNU dd program with several features intended for forensic acquisition of data. Highlights include hashing on-the-fly, split output files, pattern writing, a progress meter, and file verification.

Usage

Syntax

	dc3dd [OPTION 1] [OPTION 2] ... [OPTION N]

		*or*

	dc3dd [HELP OPTION]

	where each OPTION is selected from the basic or advanced
	options listed below, or HELP OPTION is selected from the
	help options listed below.

Options

--------------
basic options:
--------------

	if=DEVICE or FILE    Read input from a device or a file (see note #1
	                     below for how to read from standard input). This
	                     option can only be used once and cannot be
	                     combined with ifs=, pat=, or tpat=.
	ifs=BASE.FMT         Read input from a set of files with base name
	                     BASE and sequential file name extensions
	                     conforming to the format specifier FMT (see note
	                     #4 below for how to specify FMT). This option
	                     can only be used once and cannot be combined with
	                     if=, pat=, or tpat=.
	of=FILE or DEVICE    Write output to a file or device (see note #2
	                     below for how to write to standard output). This
	                     option can be used more than once (see note #3
	                     below for how to generate multiple outputs).
	hof=FILE or DEVICE   Write output to a file or device, hash the
	                     output file or device, and verify by comparing
	                     the output hash(es) to the input hash(es). This
	                     option can be used more than once (see note #3
	                     below for how to generate multiple outputs).
	ofs=BASE.FMT         Write output to a set of files with base name BASE
	                     and sequential file name extensions generated from
	                     the format specifier FMT (see note #4 below for
	                     how to specify FMT). This option can be used more
	                     than once (see note #3 below for how to generate
	                     multiple outputs). Specify the maximum size of
	                     each file in the set using ofsz=.
	hofs=BASE.FMT        Write output to a set of files with base name BASE
	                     and sequential file name extensions generated from
	                     the format specifier FMT (see note #4 below for
	                     how to specify FMT). Hash the output files and
	                     verify by comparing the output hash(es) to the
	                     input hash(es). This option can be used more than
	                     once (see note #3 below for how to generate
	                     multiple outputs). Specify the maximum size of
	                     each file in the set using ofsz=.
	ofsz=BYTES           Set the maximum size of each file in the sets of
	                     files specified using ofs= or hofs= to
	                     BYTES (see note #5 below). A default value for
	                     this option may be set at compile time using
	                     -DDEFAULT_OUTPUT_FILE_SIZE followed by the desired
	                     value in BYTES.
	hash=ALGORITHM       Compute an ALGORITHM hash of the input and also
	                     of any outputs specified using hof=, hofs=, phod=,
	                     or fhod=, where ALGORITHM is one of md5, sha1,
	                     sha256, or sha512. This option may be used once
	                     for each supported ALGORITHM. Alternatively,
	                     hashing can be activated at compile time using one
	                     or more of -DDEFAULT_HASH_MD5,-DDEFAULT_HASH_SHA1,
	                     -DDEFAULT_HASH_SHA256, and -DDEFAULT_HASH_SHA512.
	log=FILE             Log I/O statistics, diagnostics, and total hashes
	                     of input and output to FILE. If hlog= is not
	                     specified, piecewise hashes of multiple file
	                     input and output are also logged to FILE. This
	                     option can be used more than once to generate
	                     multiple logs.
	hlog=FILE            Log total hashes and piecewise hashes to FILE.
	                     This option can be used more than once to generate
	                     multiple logs.

-----------------
advanced options:
-----------------

	phod=DEVICE          The same as hof=DEVICE, except only the bytes
	                     written to DEVICE by dc3dd are verified. This
	                     option can be used more than once (see note
	                     #3 below for how to generate multiple outputs).
	fhod=DEVICE          The same as phod=DEVICE, with additional
	                     hashing of the entire output DEVICE. This option
	                     can be used more than once (see note #3 below
	                     for how to generate multiple outputs).
	rec=off              By default, zeros are written to the output(s) in
	                     place of bad sectors when the input is a device.
	                     Use this option to cause the program to instead
	                     exit when a bad sector is encountered.
	wipe=DEVICE          Wipe DEVICE by writing zeros (default) or a
	                     pattern specified by pat= or tpat=.
	hwipe=DEVICE         Wipe DEVICE by writing zeros (default) or a
	                     pattern specified by pat= or tpat=. Verify
	                     DEVICE after writing it by hashing it and
	                     comparing the hash(es) to the input hash(es).
	pat=HEX              Use pattern as input, writing HEX to every byte
	                     of the output. This option can only be used once
	                     and cannot be combined with if=, ifs=, or
	                     tpat=.
	tpat=TEXT            Use text pattern as input, writing the string TEXT
	                     repeatedly to the output. This option can only be
	                     used once and cannot be combined with if=, ifs=,
	                     or pat=.
	cnt=SECTORS          Read only SECTORS input sectors. Must be used
	                     with pat= or tpat= if not using the pattern with
	                     wipe= or hwipe= to wipe a device.
	iskip=SECTORS        Skip SECTORS sectors at start of the input device
	                     or file.
	oskip=SECTORS        Skip SECTORS sectors at start of the output
	                     file. Specifying oskip= automatically 
	                     sets app=on.
	app=on               Do not overwrite an output file specified with
	                     of= if it already exists, appending output instead.
	ssz=BYTES            Unconditionally use BYTES (see note #5 below) bytes
	                     for sector size. If ssz= is not specified,
	                     sector size is determined by probing the device;
	                     if the probe fails or the target is not a device,
	                     a sector size of 512 bytes is assumed.
	bufsz=BYTES          Set the size of the internal byte buffers to BYTES
	                     (see note #5 below). This effectively sets the
	                     maximum number of bytes that may be read at a time
	                     from the input. BYTES must be a multiple of sector
	                     size. Use this option to fine-tune performance.
	verb=on              Activate verbose reporting, where sectors in/out
	                     are reported for each file in sets of files
	                     specified using ifs=, ofs=, or hofs=.
	                     Alternatively, verbose reporting may be activated
	                     at compile time using -DDEFAULT_VERBOSE_REPORTING.
	nwspc=on             Activate compact reporting, where the use
	                     of white space to divide log output into
	                     logical sections is suppressed. Alternatively,
	                     compact reporting may be activated at compile
	                     time using -DDEFAULT_COMPACT_REPORTING.
	b10=on               Activate base 10 bytes reporting, where the
	                     progress display reports 1000 bytes instead
	                     of 1024 bytes as 1 KB. Alternatively, base 10
	                     bytes reporting may be activated at compile
	                     time using -DDEFAULT_BASE_TEN_BYTES_REPORTING.
	corruptoutput=on     For verification testing and demonstration
	                     purposes, corrupt the output file(s) with extra
	                     bytes so a hash mismatch is guaranteed.

Example

cyborg@cyborg:~$ sudo dc3dd if=/dev/sda1 of=Desktop/copyOfDrive

dc3dd 7.1.614 started at 2015-10-20 12:10:50 +0530
compiled options:
command line: dc3dd if=/dev/sda1 of=Desktop/copyOfDrive
device size: 204800 sectors (probed)
sector size: 512 bytes (probed)
104857600 bytes (100 M) copied (100%), 3.10969 s, 32 M/s                      

input results for device `/dev/sda1':
   204800 sectors in
   0 bad sectors replaced by zeros

output results for file `Desktop/copyOfDrive':
   204800 sectors out

dc3dd completed at 2015-10-20 12:10:53 +0530

cyborg@cyborg:~$ cd Desktop/
cyborg@cyborg:~/Desktop$ ls
copyOfDrive
cyborg@cyborg:~/Desktop$ cd /media/
cyborg@cyborg:/media$ sudo mkdir forensics
cyborg@cyborg:/media$ sudo mount -t ntfs /home/cyborg/Desktop/copyOfDrive forensics/
cyborg@cyborg:/media$ cd forensics/
cyborg@cyborg:/media/forensics$ ls
Boot  bootmgr  BOOTSECT.BAK  hzdp.ld  System Volume Information  XTQMC
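
The session above copies the partition without hashing it and mounts the copy with default options. The following added example (not part of the original page or of the dc3dd project) shows the same workflow using the hof=/hofs=, hash= and log= options listed above, followed by an independent re-hash and a read-only mount. The function names, the paths, the 000 format specifier and the 2 GiB piece size are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: hash during acquisition, re-verify independently, mount read-only.
# dc3dd and mount need root; names and paths below are assumptions.

# Acquire SRC into pieces BASE.000, BASE.001, ... of at most 2 GiB each.
# hofs= hashes the written pieces and compares them with the input hash;
# hash=sha256 and log= record the digest for later checks.
acquire_split() {            # usage: acquire_split /dev/sdX BASE
    dc3dd if="$1" hofs="$2.000" ofsz=2147483648 hash=sha256 log="$2.log"
}

# Recompute SHA-256 over the pieces (in the order given) with a second tool
# and require that the digest appears somewhere in the dc3dd log.
verify_against_log() {       # usage: verify_against_log LOG PIECE...
    local log=$1 digest
    shift
    [ "$#" -gt 0 ] || return 2
    digest=$(cat -- "$@" | sha256sum | cut -d' ' -f1)
    grep -qiF -- "$digest" "$log"
}

# Mount a single-file image without write access, unlike a default mount.
mount_readonly() {           # usage: mount_readonly IMAGE MOUNTPOINT
    mount -o ro,loop -t ntfs "$1" "$2"
}

# Constructed demo that needs no dc3dd: two fake pieces and a fake log.
demo() {
    local d
    d=$(mktemp -d)
    printf 'AAAA' > "$d/img.000"
    printf 'BBBB' > "$d/img.001"
    printf '   %s (sha256)\n' \
        "$(printf 'AAAABBBB' | sha256sum | cut -d' ' -f1)" > "$d/img.log"
    verify_against_log "$d/img.log" "$d"/img.[0-9][0-9][0-9] && echo "verified"
    printf 'X' >> "$d/img.001"   # simulate a change after acquisition
    verify_against_log "$d/img.log" "$d"/img.[0-9][0-9][0-9] || echo "MISMATCH"
    rm -rf "$d"
}

demo
```

For a real split set, pass the pieces with a glob such as `BASE.[0-9][0-9][0-9]` so they are concatenated in extension order before hashing.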
©2017 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?