dcfldd is an enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab. It has some useful features for forensic investigators such as:

  • On-the-fly hashing of the transmitted data.

  • Progress bar of how much data has already been sent.

  • Wiping of disks with known patterns.

  • Verification that the image is identical to the original drive, bit-for-bit.

  • Simultaneous output to more than one file/disk is possible.

  • The output can be split into multiple files.

  • Logs and data can be piped into external applications.

The program only produces raw image files.



dcfldd [OPTION]...


  bs=BYTES                 force ibs=BYTES and obs=BYTES dcfldd 
  cbs=BYTES                convert BYTES bytes at a time
  conv=KEYWORDS            convert the file as per the comma separated keyword list
  count=BLOCKS             copy only BLOCKS input blocks
  ibs=BYTES                read BYTES bytes at a time
  if=FILE                  read from FILE instead of stdin
  obs=BYTES                write BYTES bytes at a time
  of=FILE                  write to FILE instead of stdout
                            NOTE: of=FILE may be used several times to write
                                  output to multiple files simultaneously
  of:=COMMAND              exec and write output to process COMMAND dcfldd 
  seek=BLOCKS              skip BLOCKS obs-sized blocks at start of output
  skip=BLOCKS              skip BLOCKS ibs-sized blocks at start of input
  pattern=HEX              use the specified binary pattern as input
  textpattern=TEXT         use repeating TEXT as input
  errlog=FILE              send error messages to FILE as well as stderr dcfldd 
  hashwindow=BYTES         perform a hash on every BYTES amount of data
  hash=NAME                either md5, sha1, sha256, sha384 or sha512
                             default algorithm is md5. To select multiple
                             algorithms to run simultaneously enter the names
                             in a comma separated list
  hashlog=FILE             send MD5 hash output to FILE instead of stderr
                             if you are using multiple hash algorithms you
                             can send each to a separate file using the
                             convention ALGORITHMlog=FILE, for example
                             md5log=FILE1, sha1log=FILE2, etc.
  hashlog:=COMMAND         exec and write hashlog to process COMMAND
                             ALGORITHMlog:=COMMAND also works in the same fashion
  hashconv=[before|after]  perform the hashing before or after the conversions
  hashformat=FORMAT        display each hashwindow according to FORMAT
                             the hash format mini-language is described below
  totalhashformat=FORMAT   display the total hash value according to FORMAT
  status=[on|off]          display a continual status message on stderr
                             default state is "on"
  statusinterval=N         update the status message every N blocks
                             default value is 256 dcfldd 
  sizeprobe=[if|of]        determine the size of the input or output file
                             for use with status messages. (this option
                             gives you a percentage indicator)
                             WARNING: do not use this option against a
                                      tape device.
  split=BYTES              write every BYTES amount of data to a new file
                             This operation applies to any of=FILE that follows
  splitformat=TEXT         the file extension format for split operation.
                             you may use any number of 'a' or 'n' in any combo
                             the default format is "nnn"
                             NOTE: The split and splitformat options take effect
                                  only for output files specified AFTER these
                                  options appear in the command line.  Likewise,
                                  you may specify these several times for
                                  for different output files within the same
                                  command line. you may use as many digits in
                                  any combination you would like. dcfldd 
                                  (e.g. "anaannnaana" would be valid, but
                                  quite insane)
  vf=FILE                  verify that FILE matches the specified input
  verifylog=FILE           send verify results to FILE instead of stderr
  verifylog:=COMMAND       exec and write verify results to process COMMAND


cyborg@cyborg:~$ sudo dcfldd if=/dev/sda1 hash=md5 of=Desktop/image.dd

input results for device `/dev/sda1':
   204800 sectors in
   0 bad sectors replaced by zeros
   f21ff21d9f01d169e6d6ac90971495aa (md5)

output results for file `Desktop/image.dd':
   204800 sectors out


Leave a reply


We're are building as a community and a team. Be a part of it.


©2018 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?