dcfldd is “an enhanced version of GNU dd with features useful for forensics and security. Based on the dd program found in the package, dcfldd has the following additional features.”
- Hashing on-the-fly – dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
- Status output – dcfldd can update the user of its progress in terms of the amount of data transferred and how much longer the operation will take.
- Flexible disk wipes – dcfldd can be used to wipe disks quickly and with a known pattern if desired.
- Image/wipe Verify – dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
- Multiple outputs – dcfldd can output to multiple files or disks at the same time.
- Split output – dcfldd can split output to multiple files with more configurability than the split command.
- Piped output and logs – dcfldd can send all its log data and output to commands as well as files natively.
An example of this command, used to acquire a USB drive to a Linux forensic workstation, is:
dcfldd if=/dev/sdc of=/home/ahoog/slucs/sdb-img.dd conv=noerror,sync hashwindow=0 hashlog=/home/ahoog/slucs/sdb-img.md5 hash=md5
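To confirm later that the stored image still matches the hash recorded at acquisition, the following added example (not part of the original page or of dcfldd itself) compares the image's MD5 with the total written to the hashlog. It assumes the log contains a line of the form `Total (md5): <hash>` and that `md5sum` is installed; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: re-verify an image against the total MD5 in a dcfldd hashlog.
# Assumption: with hashwindow=0 the log holds one line "Total (md5): <32 hex digits>".

# Print the lower-cased total MD5 recorded in a hashlog; return 1 if none is found.
hashlog_total_md5() {
    local log="$1" digest
    digest=$(sed -n 's/^Total (md5): *\([0-9A-Fa-f]\{32\}\)[[:space:]]*$/\1/p' "$log" | tail -n 1)
    [ -n "$digest" ] || return 1
    printf '%s\n' "$digest" | tr 'A-F' 'a-f'
}

# Return 0 if the image matches the log, 1 on mismatch, 2 if an input is unusable.
verify_image() {
    local image="$1" log="$2" expected actual
    [ -r "$image" ] && [ -r "$log" ] || { echo "unreadable: $image or $log" >&2; return 2; }
    expected=$(hashlog_total_md5 "$log") || { echo "no Total (md5) line in $log" >&2; return 2; }
    actual=$(md5sum -- "$image" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "MATCH    $image $actual"
        return 0
    fi
    echo "MISMATCH $image expected=$expected actual=$actual" >&2
    return 1
}

# Usage: verify_image /path/to/image.dd /path/to/image.md5
```

A mismatch means the image file changed after acquisition (or the wrong log was supplied) and should be treated as a chain-of-custody issue before any analysis continues.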
See also dc3dd.
