Tutorial: How to use dcfldd instead of dd

Today I want to introduce an excellent command that works very much like dd, but is just much better…

dcfldd is an enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab.

 Department of Defense Cyber Crime Center


Features include:

  • Hashing on-the-fly: dcfldd can hash the input data as it is being transferred, helping to ensure data integrity. Supports multiple hashes at once.
  • Progress bar showing how much data has already been sent.
  • Flexible disk wipes: dcfldd can be used to wipe disks quickly and with a known pattern if desired.
  • Verification that the image is identical to the original drive, bit-for-bit.
  • Split output: dcfldd can split output to multiple files with more configurability than the split command.
  • Piped output and logs: dcfldd can send all its log data and output to commands as well as files natively.
  • Verify capability

How to install in Ubuntu:

sudo apt-get install dcfldd

Here you can see a small summary of the most common options:

if = Input File (device or file you want to read)
of = Output File (device or file you want to copy the data to)
hash = md5, sha1, sha256, sha384 or sha512 (hash type; several can be given, separated by commas)
hashwindow = size (in bytes) of each hashing window, i.e. how often a hash calculation will happen
<hash>log = file that will contain the hash calculations log for each hash type (e.g. sha1log=sha1.log)
hashconv = valid values: before or after. Selects whether the hash is computed before or after the conversions
bs = Block Size (number of bytes to read and write at once)
noerror (ignore read errors and continue) and sync (performs padding) are the 2 most common conv options (see the conv list below)
split = breaks image file into multiple files
splitformat = the file extension format for split operation
conv = convert the file as per the comma separated keyword list (see following list):
ascii=from EBCDIC to ASCII
ebcdic=from ASCII to EBCDIC
ibm=from ASCII to alternate EBCDIC
block=pad newline-terminated records with spaces to cbs-size
unblock=replace trailing spaces in cbs-size records with newline
lcase=change upper case to lower case
notrunc=do not truncate the output file
ucase=change lower case to upper case
swab=swap every pair of input bytes
noerror=continue after read errors
sync=pad every input block with NULs to ibs-size; when used with block or unblock, pad with spaces rather than NULs

 

Example

dcfldd if=/dev/source hash=md5,sha512 hashwindow=1G md5log=md5.txt sha512log=sha512.txt \
hashconv=after bs=512 conv=noerror,sync split=1G splitformat=aa of=image.dd

This command will read 1 GB from the source drive and write it to a file called image.dd.aa. It will also calculate the MD5 hash and the SHA-512 hash of each gigabyte read.

It will then read the next 1 GB and write it to image.dd.ab, and so on. The MD5 hashes will be stored in a file called md5.txt and the SHA-512 hashes will be stored in a file called sha512.txt. The block size for transferring has been set to 512 bytes, and in the event of read errors, dcfldd will write zeros.
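Because split and hashwindow are both 1G in the command above, each segment file corresponds to exactly one line of the hash log, so the segments can be re-checked later with standard tools. The function below is an added example, not part of the original tutorial or of dcfldd; the name verify_segments is hypothetical, and the log line format it parses ("<start> - <end>: <digest>" and "Total (md5): <digest>") is an assumption to compare against your own md5.txt.

```shell
# Added example: check split segments against a dcfldd per-window MD5 log.
# Assumes split size == hashwindow, so the Nth segment is the Nth window.
# Assumed log format: "<start> - <end>: <md5>" lines, then "Total (md5): <md5>".
# usage: verify_segments <md5log> <image-prefix>   e.g. verify_segments md5.txt image.dd
verify_segments() {
    log=$1 prefix=$2 rc=0 n=0
    # Window hashes in log order (lines that start with a byte range).
    windows=$(sed -n 's/^[0-9][0-9]* - [0-9][0-9]*: \([0-9a-f]\{32\}\)$/\1/p' "$log")
    total=$(sed -n 's/^Total (md5): \([0-9a-f]\{32\}\)$/\1/p' "$log")
    # The glob expands in sorted order (.aa, .ab, ...), i.e. acquisition order.
    for seg in "$prefix".*; do
        [ -f "$seg" ] || { echo "no segments found for $prefix" >&2; return 2; }
        n=$((n + 1))
        want=$(printf '%s\n' "$windows" | sed -n "${n}p")
        got=$(md5sum < "$seg" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $seg"
        else
            echo "MISMATCH $seg (log: ${want:-missing}, file: $got)"
            rc=1
        fi
    done
    # A lost or extra segment shows up as a count mismatch with the log.
    if [ "$n" -ne "$(printf '%s\n' "$windows" | grep -c .)" ]; then
        echo "MISMATCH segment count ($n files on disk)"
        rc=1
    fi
    # Whole-image hash: concatenate the segments in the same order.
    got=$(cat "$prefix".* | md5sum | cut -d' ' -f1)
    if [ "$got" = "$total" ]; then
        echo "OK       total"
    else
        echo "MISMATCH total (log: ${total:-missing}, files: $got)"
        rc=1
    fi
    return $rc
}
```

The same check works for the SHA-512 log by swapping md5sum for sha512sum and the digest length from 32 to 128 hex characters.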

