Practical Forensic Imaging by Bruce Nikkel

Author:Bruce Nikkel
Language: eng
Format: epub, mobi, pdf
Publisher: No Starch Press, Inc.
Published: 2016-10-11T04:00:00+00:00

The dcfldd and dc3dd Tools

Two popular dd derivatives, dcfldd and dc3dd, were independently developed specifically for use in a forensic context.

Because dcfldd and dc3dd originate from GNU dd, they use a similar command syntax. Neither tool has built-in support for writing to forensic formats (FTK, EnCase, AFF), compression, or image encryption. But you can achieve these functions through the use of command piping, which I’ll demonstrate in subsequent sections.

The following example uses dcfldd to image a disk, ensuring blocks containing unreadable sectors are padded and don’t cause an abort:

# dcfldd if=/dev/sde of=image.raw conv=noerror,sync errlog=error.log

241664 blocks (7552Mb) written.

241664+0 records in

241664+0 records out

Errors are written to a separate error log file. The dcfldd tool does not use conv=noerror,sync by default; you must add it manually.

A similar imaging command for dc3dd is shown in the next example. By default, dc3dd does a good job of managing errors during acquisition. No conv=noerror,sync flag is needed because it’s built in. The output is well documented, both to stdout and to the log file. Here is a simple example acquisition:

# dc3dd if=/dev/sde of=image.raw log=error.log

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.