
dc3dd

Patched version of GNU dd with forensic features including on-the-fly hashing, error logging, pattern wiping, progress reporting, and split output capabilities.

Description

dc3dd is a patched version of GNU dd with added features for computer forensics. It supports on-the-fly hashing (md5, sha-1, sha-256, sha-512), writing errors to a file, grouping errors in logs, pattern wiping, progress reports, and splitting output into multiple files. This tool is essential for creating forensic images of devices or files while maintaining chain of custody through hash verification.

Use cases include disk imaging for investigations, verifying data integrity during copies, wiping devices securely, and handling large datasets by splitting into manageable files. It provides detailed logging of I/O statistics, diagnostics, and hashes for both input and output, ensuring reproducibility and accuracy in forensic workflows.

By default the tool handles bad sectors by writing zeros to the outputs in their place, but it can be configured to exit on errors instead (rec=off). It supports multiple output destinations simultaneously and advanced options for skipping sectors, appending to files, and customizing buffer sizes for performance tuning.

How It Works

dc3dd operates like GNU dd by reading from input sources (files, devices, patterns) and writing to output destinations while computing hashes on-the-fly for specified algorithms. It processes data in sectors (default 512 bytes, configurable via ssz=), buffering reads/writes for efficiency (bufsz=). Hashes are calculated for inputs and verified against outputs when using hof=, hofs=, or fhod=. Errors are logged with options to group them; bad sectors trigger zero-filling by default (rec=off to exit). Multiple outputs can be specified for simultaneous writing, splitting via ofs=/hofs= with size limits (ofsz=). Patterns (pat=/tpat=) fill outputs repeatedly; wiping (wipe=/hwipe=) overwrites devices with patterns or zeros, optionally verifying post-write.

Installation

sudo apt install dc3dd

Flags

if=DEVICE or FILE    Read input from a device or a file
ifs=BASE.FMT         Read input from a set of files with base name BASE and sequential file name extensions conforming to FMT
of=FILE or DEVICE    Write output to a file or device. Can be used more than once for multiple outputs
hof=FILE or DEVICE   Write output to a file or device, hash the output bytes, and verify by comparing to input hash(es)
ofs=BASE.FMT         Write output to a set of files with base name BASE and sequential extensions from FMT. Use with ofsz= for max size
hofs=BASE.FMT        Write output to a set of files with base name BASE, hash and verify outputs against input hashes
ofsz=BYTES           Set maximum size of each file in sets specified by ofs= or hofs=
hash=ALGORITHM       Compute hash (md5, sha1, sha256, sha512) of input and specified outputs
log=FILE             Log I/O statistics, diagnostics, and total hashes to FILE
hlog=FILE            Log total and piecewise hashes to FILE
fhod=DEVICE          Like hof= but with additional hashing of entire output DEVICE
rec=off              Exit on bad sectors instead of writing zeros
wipe=DEVICE          Wipe DEVICE by writing zeros or pattern
hwipe=DEVICE         Wipe DEVICE and verify by hashing and comparing to input hashes
pat=HEX              Use HEX pattern as input, writing to every byte of output
tpat=TEXT            Use text pattern TEXT repeatedly as input
cnt=SECTORS          Read only SECTORS input sectors
iskip=SECTORS        Skip SECTORS sectors at start of input
oskip=SECTORS        Skip SECTORS sectors at start of output file
app=on               Append to existing output file instead of overwriting
ssz=BYTES            Set sector size to BYTES
bufsz=BYTES          Set internal buffer size to BYTES
verb=on              Activate verbose reporting
nwspc=on             Activate compact reporting without whitespace sections
b10=on               Use base 10 bytes reporting (1000 bytes = 1 KB)
corruptoutput=on     Corrupt output with extra bytes for testing hash mismatch
--help               Display this help and exit
--version            Output version information and exit
--flags              Display compile-time flags and exit

Examples

Write a binary image from /var/log/messages to /tmp/dc3dd and calculate SHA512 hash
dc3dd if=/var/log/messages of=/tmp/dc3dd hash=sha512
Image a device to output.img with SHA256 hashing and log I/O statistics
dc3dd if=DEVICE of=output.img hash=sha256 log=imaging.log
Copy input.img to verified.img, hash output, and verify against input MD5
dc3dd if=input.img hof=verified.img hash=md5
Wipe device /dev/sdb by writing hex pattern 00 to every byte
dc3dd wipe=/dev/sdb pat=00
Wipe device /dev/sdc with zeros and verify by comparing SHA512 hash
dc3dd hwipe=/dev/sdc hash=sha512
Image /dev/sda to two output files at once, image.001 and image.002 (each a complete copy, not a split set), with SHA1 hashing
dc3dd if=/dev/sda of=image.001 of=image.002 hash=sha1
Write repeating hex pattern DEADBEEF for 1,000,000 sectors to patternfile.img
dc3dd pat=DEADBEEF cnt=1000000 of=patternfile.img
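
An added example (not part of the original page or of dc3dd) for the split-output verification described under How It Works: it recomputes the SHA-256 of a split image set by concatenating the pieces in order and compares the result with the hash recorded at acquisition. The piece names image.000 to image.002, the function names, and the sample data are constructed for illustration; sha256sum from coreutils is assumed.

```shell
#!/bin/sh
# Added example (not from dc3dd): re-verify a split image set offline.
# Assumption: pieces are named BASE.<digits> with fixed-width extensions
# (image.000, image.001, ...), so the sorted glob matches write order.

# Print the SHA-256 of all pieces of BASE concatenated in order.
split_set_sha256() {
    set -- "$1".[0-9]*                 # expands sorted; local to this function
    [ -f "$1" ] || return 2            # unmatched glob: no pieces present
    cat -- "$@" | sha256sum | cut -d' ' -f1
}

# verify_split_set EXPECTED_HEX BASE -> 0 match, 1 mismatch, 2 set missing
verify_split_set() {
    actual=$(split_set_sha256 "$2") || return 2
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # tools differ in hex case
    [ "$actual" = "$expected" ]
}

# Build a constructed 3-piece set plus the "source" it was cut from.
make_constructed_set() {
    n=0
    : > "$1/source.raw"
    while [ "$n" -lt 3 ]; do
        printf 'constructed evidence block %d\n' "$n" > "$1/image.00$n"
        cat "$1/image.00$n" >> "$1/source.raw"
        n=$((n + 1))
    done
}

demo() {
    dir=$(mktemp -d) || return 1
    make_constructed_set "$dir"
    recorded=$(sha256sum < "$dir/source.raw" | cut -d' ' -f1)
    verify_split_set "$recorded" "$dir/image" && echo "intact set: match"
    printf 'X' >> "$dir/image.001"     # extra byte, like corruptoutput=on
    verify_split_set "$recorded" "$dir/image" || echo "tampered set: MISMATCH"
    rm -rf "$dir"
}
demo
```

On real evidence, pass the hash recorded in the acquisition log as EXPECTED_HEX and run the check against a read-only copy of the pieces.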
Updated 2026-04-16 | kali.org