dcfldd is an enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab. It has some useful features for forensic investigators such as:
On-the-fly hashing of the transmitted data.
Progress bar of how much data has already been sent.
Wiping of disks with known patterns.
Verification that the image is identical to the original drive, bit-for-bit.
Simultaneous output to more than one file/disk is possible.
The output can be split into multiple files.
Logs and data can be piped into external applications.
The program only produces raw image files.
bs=BYTES force ibs=BYTES and obs=BYTES dcfldd cbs=BYTES convert BYTES bytes at a time conv=KEYWORDS convert the file as per the comma separated keyword list count=BLOCKS copy only BLOCKS input blocks ibs=BYTES read BYTES bytes at a time if=FILE read from FILE instead of stdin obs=BYTES write BYTES bytes at a time of=FILE write to FILE instead of stdout NOTE: of=FILE may be used several times to write output to multiple files simultaneously of:=COMMAND exec and write output to process COMMAND dcfldd seek=BLOCKS skip BLOCKS obs-sized blocks at start of output skip=BLOCKS skip BLOCKS ibs-sized blocks at start of input pattern=HEX use the specified binary pattern as input textpattern=TEXT use repeating TEXT as input errlog=FILE send error messages to FILE as well as stderr dcfldd hashwindow=BYTES perform a hash on every BYTES amount of data hash=NAME either md5, sha1, sha256, sha384 or sha512 default algorithm is md5. To select multiple algorithms to run simultaneously enter the names in a comma separated list hashlog=FILE send MD5 hash output to FILE instead of stderr if you are using multiple hash algorithms you can send each to a separate file using the convention ALGORITHMlog=FILE, for example md5log=FILE1, sha1log=FILE2, etc. hashlog:=COMMAND exec and write hashlog to process COMMAND ALGORITHMlog:=COMMAND also works in the same fashion hashconv=[before|after] perform the hashing before or after the conversions hashformat=FORMAT display each hashwindow according to FORMAT the hash format mini-language is described below totalhashformat=FORMAT display the total hash value according to FORMAT status=[on|off] display a continual status message on stderr default state is "on" statusinterval=N update the status message every N blocks default value is 256 dcfldd sizeprobe=[if|of] determine the size of the input or output file for use with status messages. (this option gives you a percentage indicator) WARNING: do not use this option against a tape device. split=BYTES write every BYTES amount of data to a new file This operation applies to any of=FILE that follows splitformat=TEXT the file extension format for split operation. you may use any number of 'a' or 'n' in any combo the default format is "nnn" NOTE: The split and splitformat options take effect only for output files specified AFTER these options appear in the command line. Likewise, you may specify these several times for for different output files within the same command line. you may use as many digits in any combination you would like. dcfldd (e.g. "anaannnaana" would be valid, but quite insane) vf=FILE verify that FILE matches the specified input verifylog=FILE send verify results to FILE instead of stderr verifylog:=COMMAND exec and write verify results to process COMMAND
cyborg@cyborg:~$ sudo dcfldd if=/dev/sda1 hash=md5 of=Desktop/image.dd input results for device `/dev/sda1': 204800 sectors in 0 bad sectors replaced by zeros f21ff21d9f01d169e6d6ac90971495aa (md5) output results for file `Desktop/image.dd': 204800 sectors out