Acquiring Data with dd, dcfldd, dc3dd

Acquiring Data with dd in Linux

dd stands for “data dump” and is available on all UNIX and Linux distributions. dd can create a bit-by-bit copy of a physical drive without mounting the drive first. This RAW image can be read by most of the forensics tools currently on the market. A few shortcomings of the dd command are: no support for decompression, and no additional metadata can be saved.

An example of the dd command is shown here:

dd if=/dev/sdb of=sdb_image.img bs=65536 conv=noerror,sync

Explanation of the parameters:

if             => input file
/dev/sdb       => source /suspect drive (whole disk)
of             => output file
sdb_image.img  => name of the image file
bs             => block size (default is 512)
65536          => 64k
conv           => conversion
noerror        => will continue even with read errors
sync           => if there is an error, null fill the rest of the
                  block.

Additional infos:

  • Using a bigger block size might be more efficient, but if the block size is too big and you face a read error in the first sector, dd will null-fill the entire block (a whole MB, for a 1 MB block size).
  • Don’t go below 4 KB as a block size, or you can run into performance issues. 64k is a pretty solid value, but it always depends on hardware, interface, OS, etc.
  • dd does not create an MD5 hash.
  • Don’t reverse if with of. You might lose all the data on the suspect drive!

Split image files in smaller chunks with dd

Combine the dd command with the split command to create smaller segments of your image file so that it fits on a CD or DVD. An example:

dd if=/dev/sdb bs=65536 conv=sync,noerror | split -d -b 650m - sdb_image.

You can change the value of the -b switch to whatever you like; the recommendation is not to go over 2000m because of FAT32 file size limits. The -d switch is used to number the segments, e.g. image.01, image.02, image.03. If you don’t use this switch, they will be named alphabetically, e.g. image.aa, image.ab, image.ac and so on.

Create MD5 hash while imaging with dd

If you would like to create an MD5 hash on the fly while imaging with dd, use the following command:

dd if=/dev/sdb bs=65536 conv=sync,noerror | tee sdb_image.img | md5sum > sdb_image.md5

or create an MD5 hash before and after the acquisition process:

Create MD5 hash of original drive before acquisition:
md5sum /dev/sdb > /tmp/original-md5

Create MD5 hash of image file after the acquisition:
md5sum /tmp/sdb_image.img > /tmp/image-md5

The same works with sha1sum. Note that the two hashes only match if dd read every block without error: a block that conv=noerror,sync had to null-fill changes the image hash.

Validation of image chunks with the source file

If you split the image file into smaller chunks but you still would like to compare the entire image with the source file for validation purposes, use this command:

cat sdb_image.* | md5sum >> md5_sdb.txt

By using the cat command with an asterisk (*), all segmented volumes are read sequentially as one big contiguous file, as though they were the original source. The pipe (|) forwards the output of the cat command to the md5sum command. The result will be stored in a file called md5_sdb.txt.
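The hash-before/hash-after check and the segment validation described above, as an added example that is not part of the original article. It images a constructed sample file instead of /dev/sdb, splits it with split -d, reassembles the segments with cat, and goes one step beyond the text by also comparing sizes, because conv=sync null-fills a short final read and the image then hashes differently from the source. The sample file, its size and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): image a source with dd, split it into
# numbered segments, and validate the reassembled segments against the source by
# size and MD5. The sample file, its size and the function names are constructed
# assumptions; on a real acquisition the source would be the device, e.g. /dev/sdb.
set -u

WORK=$(mktemp -d)
SRC="$WORK/suspect.bin"        # constructed stand-in for /dev/sdb
PREFIX="$WORK/sdb_image."      # segments become sdb_image.00, sdb_image.01, ...
# 204800 bytes of repeating text: a multiple of 4 KiB, but NOT of 64 KiB
yes 'constructed forensic sample data' | head -c 204800 > "$SRC"

# acquire_split SRC PREFIX BS CHUNK: image with dd (noerror,sync) and split
# into CHUNK-byte segments named PREFIX00, PREFIX01, ...
acquire_split() {
    rm -f "$2"[0-9]*
    dd if="$1" bs="$3" conv=noerror,sync 2>/dev/null | split -d -b "$4" - "$2"
}

# Read the segments back as one contiguous stream, as `cat sdb_image.* | md5sum` does.
image_stream() { cat "$1"[0-9]*; }

src_size()   { wc -c < "$1" | tr -d ' '; }
image_size() { image_stream "$1" | wc -c | tr -d ' '; }
src_md5()    { md5sum < "$1" | cut -d' ' -f1; }
image_md5()  { image_stream "$1" | md5sum | cut -d' ' -f1; }

# verify_image SRC PREFIX: prints "ok", "padded <n>" (the image is n bytes longer
# because conv=sync zero-filled the last block; the original bytes still match)
# or "mismatch", and returns non-zero unless "ok".
verify_image() {
    s=$(src_size "$1"); i=$(image_size "$2")
    if [ "$i" -eq "$s" ] && [ "$(image_md5 "$2")" = "$(src_md5 "$1")" ]; then
        echo ok; return 0
    fi
    # Hash only the first s bytes: a match means the surplus is sync padding.
    if [ "$i" -gt "$s" ] && [ "$(image_stream "$2" | head -c "$s" | md5sum | cut -d' ' -f1)" = "$(src_md5 "$1")" ]; then
        echo "padded $((i - s))"; return 1
    fi
    echo mismatch; return 2
}

acquire_split "$SRC" "$PREFIX" 65536 100000
verify_image "$SRC" "$PREFIX"     # 64 KiB blocks: last read padded -> "padded 57344"
acquire_split "$SRC" "$PREFIX" 4096 100000
verify_image "$SRC" "$PREFIX"     # 4 KiB blocks divide the source exactly -> "ok"
```

On a real disk the device size is always a multiple of 512 bytes, so a 4k block size divides it in practice, while a 64k block size can still pad the tail; the size check above is what reveals that.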

Acquiring Data with dcfldd in Linux

dd in general is a data management tool and was not particularly built for forensics purposes. Therefore it has its shortcomings.

Nicholas Harbour of the Defense Computer Forensics Laboratory (DCFL) developed a tool that works very similarly to dd but adds many features to support forensic data acquisition. dcfldd offers the following options:

  • Log errors to an output file for analysis and review
  • Various hashing options: MD5, SHA-1, SHA-256, etc.
  • Indicating the acquisition progress
  • Split image file into segmented volumes
  • Verify acquired data with the original source

An example of the dcfldd command is shown here:

dcfldd if=/dev/sdb of=sdb_image.img

Explanation of the parameters:

if             => input file
/dev/sdb       => source /suspect drive (whole disk)
of             => output file
sdb_image.img  => name of the image file

If you need to split the image file into smaller chunks and hash the image at the end:

dcfldd if=/dev/sdb split=2M of=sdb_image.img hash=md5

A more advanced dcfldd command could look like:

dcfldd if=/dev/sdb hash=md5,sha256 hashwindow=2G md5log=md5.txt sha256log=sha256.txt \
    hashconv=after bs=4k conv=noerror,sync split=2G splitformat=aa of=sdb_image.img

Explanation of the parameters:

if             => input file
/dev/sdb       => source /suspect drive (whole disk)
hash           => Definition of hash algorithms
hashwindow     => Will hash data chunks of 2 GB
md5log         => Saves all md5 hashes in a file called md5.txt
sha256log      => Saves all sha256 hashes in a file called sha256.txt
hashconv       => Hashing AFTER or BEFORE the conversion
bs             => block size (default is 512)
4k             => block size of 4 kilobyte
conv           => conversion
noerror        => will continue even with read errors
sync           => if there is an error, NULL fill the rest of the
                  block
split          => Split image file in chunks of 2 GB
splitformat    => the file extension format for split operation
of             => output file
sdb_image.img  => name of the image file

If you would like to validate the image file against the original source, you can use the “vf” switch:

dcfldd if=/dev/sdb vf=sdb_image.img

This works only if you haven’t split the image file. If you have segmented image files, use the validation command described above in the “dd” section.

You can download dcfldd here: http://dcfldd.sourceforge.net or install it using apt-get:

sudo apt-get install dcfldd

Caution: this tool is not suitable for imaging faulty drives:

  • dcfldd is based on an extremely old version of dd: it is known that dcfldd will misalign the data in the image after a faulty sector is encountered on the source drive (see the NIST report), and this kind of bug (wrong offset calculation when seeking over a bad block) was fixed for dd in 2003 (see the fix in the mailing list);
  • similarly, dcfldd can enter an infinite loop when a faulty sector is encountered on the source drive, writing to the image over and over again until there is no free space left (source: forensicswiki).

Acquiring Data with dc3dd in Linux

dc3dd was developed at the DoD Cyber Crime Center and is a patched version of the GNU dd command. There are strong similarities between dcfldd and dc3dd, but the two commands are based on slightly different code bases and therefore do not have exactly the same feature set. dc3dd is updated every time GNU dd is updated and is therefore not affected by the bugs of an old dd version.

An example of a dc3dd command is shown here:

dc3dd if=/dev/sdb of=sdb_image.img bs=4k hash=md5 log=dc3dd.log progress=on split=2G splitformat=000

Explanation of the parameters:

if             => input file
/dev/sdb       => source /suspect drive (whole disk)
of             => output file
sdb_image.img  => name of the image file
bs             => block size of 4 KB
hash           => Definition of hash algorithms
log            => Path of the log file
progress       => on; see progress of acquisition
split          => Split image file in chunks of 2 GB
splitformat    => Will append a number or letter at the end of the
                  image file name
