Disk acquisition with dcfldd

1. Introduction

This is an alternative to dd for creating a disk image file for further forensic analysis.

dcfldd is a modified version of GNU dd, originally created by Nicholas Harbour from the DoD Computer Forensics Laboratory (DCFL). It supports hashing, fast disk wiping (through patterns) and status output.

2. Image creation with dcfldd

This command does the same as in the last exercise, but also automatically writes the MD5 and SHA-256 hashes of the image to log files:

dcfldd if=/dev/sdc hash=md5,sha256 md5log=md5.log sha256log=sha.log of=evidence2.img

If we compare the MD5 sum with the one for the evidence.img file from the last exercise, we get the same value:

3. Split disk image

There are other useful things we can do, such as splitting the disk image file into several parts:

dcfldd if=/dev/sdc hash=md5,sha256 md5log=md5.log split=64M splitformat=000 sha256log=sha.log of=evidence_3.img

As we can see, this gives us 4 parts for a 256MB disk.

This approach can help when imaging a large evidence disk. The smaller parts of the image can then be sent over the internet or carried on a relatively small portable storage device.

If we choose that option, the analyst needs to know how to put the split parts back together. Let's use the following command:

cat evidence_3.img.0* > evidence4.img
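The split-and-reassemble workflow above, as an added example that is not part of the original post: it uses plain dd and sha256sum instead of dcfldd (so it runs where dcfldd is not installed), constructs a small sample "disk" file, mimics dcfldd's split=...,splitformat=000 part naming, and proves that the concatenated image hashes identically to the source. All file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Emulates dcfldd's
# split=<size> splitformat=000 output with plain dd: NAME.000, NAME.001, ...

# split_image SRC DEST CHUNK_BYTES -> writes DEST.000, DEST.001, ... ; prints part count
split_image() {
    src=$1; dest=$2; chunk=$3
    total=$(wc -c < "$src" | tr -d ' ')
    i=0; off=0
    while [ "$off" -lt "$total" ]; do
        # block i of size $chunk, exactly like dcfldd's split would cut it
        dd if="$src" of="$(printf '%s.%03d' "$dest" "$i")" \
           bs="$chunk" skip="$i" count=1 2>/dev/null
        i=$((i + 1)); off=$((off + chunk))
    done
    echo "$i"
}

# verify_reassembly SRC DEST OUT -> concatenates DEST.000.. into OUT and
# returns 0 only when OUT hashes the same as SRC (the check the post performs
# by comparing the md5 log against the earlier image).
verify_reassembly() {
    src=$1; dest=$2; out=$3
    # three-digit glob keeps lexical order and still matches parts >= 100,
    # which the post's "0*" pattern would silently drop
    cat "$dest".[0-9][0-9][0-9] > "$out"
    orig=$(sha256sum "$src" | cut -d' ' -f1)
    back=$(sha256sum "$out" | cut -d' ' -f1)
    [ "$orig" = "$back" ]
}

# Stand-alone demo on a constructed 10000-byte sample "device" (placeholder data).
demo_dir=$(mktemp -d)
head -c 10000 /dev/urandom > "$demo_dir/disk.raw"
parts=$(split_image "$demo_dir/disk.raw" "$demo_dir/evidence_3.img" 4096)
if verify_reassembly "$demo_dir/disk.raw" "$demo_dir/evidence_3.img" "$demo_dir/evidence4.img"; then
    echo "reassembled $parts parts, hash matches source"
else
    echo "hash mismatch after reassembly" >&2
fi
rm -rf "$demo_dir"
```

If any part is altered or lost in transit, verify_reassembly returns non-zero, which is the cue to re-acquire or re-transfer that part rather than analyse a damaged image.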

4. Summary
