Sunday, January 6, 2013

Backtrack Forensics: dcfldd


dcfldd is an enhanced version of the classic dd imaging tool; compared to plain dd it adds the following features:
  • Hashing on-the-fly - dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
  • Status output - dcfldd can update the user on its progress in terms of the amount of data transferred and how much longer the operation will take.
  • Flexible disk wipes - dcfldd can be used to wipe disks quickly and with a known pattern if desired.
  • Image/wipe Verify - dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
  • Multiple outputs - dcfldd can output to multiple files or disks at the same time.
  • Split output - dcfldd can split output to multiple files with more configurability than the split command.
  • Piped output and logs - dcfldd can send all its log data and output to commands as well as files natively.
Usage examples:

dcfldd if=/dev/sdb of=usb1G.dd - make an image file of the /dev/sdb device
dcfldd if=/dev/sdb of=usb1G.dd hash=md5,sha1 hashconv=after hashlog=hashlog.txt - calculate the MD5 and SHA-1 hashes after imaging and write them to hashlog.txt
dcfldd if=/dev/sdb splitformat=nn split=512M of=usb1G.dd - split the image into 512M chunks, appending a two-digit counter (00, 01, ...) to each chunk's file name. The split options have to be given before the output file.
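Once an image has been split and hashed as above, the chunks have to be reassembled in order before the hashlog can be checked against them. The script below is an added example (not part of the original post or of dcfldd itself): it streams chunks named usb1G.dd.00, usb1G.dd.01, ... in order, hashes the reassembled image, and compares the result with the "Total (md5): <hex>" style lines that the hashlog is assumed to contain; the sample chunks and hashlog it builds are constructed test data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed hashlog line format written by hash=md5,sha1 hashconv=after: "Total (md5): <hex>"
HASHLOG_RE = re.compile(r"^Total \((\w+)\): ([0-9a-fA-F]+)\s*$")

def parse_hashlog(path):
    """Return {algorithm: hexdigest} read from a dcfldd hashlog."""
    expected = {}
    for line in Path(path).read_text().splitlines():
        m = HASHLOG_RE.match(line)
        if m:
            expected[m.group(1).lower()] = m.group(2).lower()
    if not expected: raise ValueError(f"no Total hash lines found in {path}")
    return expected

def hash_split_image(prefix, algorithms):
    """Stream chunks prefix.00, prefix.01, ... in order, hashing the reassembled image."""
    p = Path(prefix)
    chunks = sorted(p.parent.glob(p.name + ".[0-9][0-9]"))  # lexical sort == counter order
    if not chunks:
        raise FileNotFoundError(f"no chunks matching {prefix}.NN")
    hashers = {a: hashlib.new(a) for a in algorithms}
    for chunk in chunks:
        with open(chunk, "rb") as fh:
            for block in iter(lambda: fh.read(1 << 20), b""):  # 1 MiB blocks, never whole chunk
                for h in hashers.values():
                    h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def verify_split_image(prefix, hashlog):
    """Return (ok, mismatches); ok is True only if every logged hash matches the image."""
    expected = parse_hashlog(hashlog)
    actual = hash_split_image(prefix, tuple(expected))
    mismatches = {a: (expected[a], actual[a]) for a in expected if expected[a] != actual[a]}
    return (not mismatches, mismatches)

def make_sample_case(tamper=False):
    """Construct a fake 3-chunk image and hashlog (sample data, not a real acquisition)."""
    d = Path(tempfile.mkdtemp())
    data = bytes(range(256)) * 48  # 12 KiB of deterministic "disk" content
    for i in range(3):
        (d / f"usb1G.dd.{i:02d}").write_bytes(data[i * 4096:(i + 1) * 4096])
    (d / "hashlog.txt").write_text(f"Total (md5): {hashlib.md5(data).hexdigest()}\n"
                                   f"Total (sha1): {hashlib.sha1(data).hexdigest()}\n")
    if tamper:  # flip one byte in the middle chunk so verification must fail
        c = d / "usb1G.dd.01"; b = bytearray(c.read_bytes()); b[10] ^= 0xFF; c.write_bytes(b)
    return str(d / "usb1G.dd"), str(d / "hashlog.txt")
```

Run verify_split_image("usb1G.dd", "hashlog.txt") in the directory holding the real chunks; a single flipped byte in any chunk shows up as a mismatch on every hash in the log.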
