dcfldd
Enhanced version of dd for forensics and security with features like on-the-fly hashing, status output, and flexible disk wiping. It provides improved efficiency and additional capabilities for data acquisition and verification.
Description
dcfldd was initially developed at the Department of Defense Computer Forensics Lab (DCFL). The tool is based on the dd program, with additional features tailored for forensic and security use cases. It supports on-the-fly hashing to ensure data integrity during transfers, flexible disk wiping with known patterns, and verification that target drives match input files bit-for-bit.
Key use cases include forensic imaging where data integrity must be verified through hashing, secure disk wiping operations, and splitting large outputs across multiple files with greater configurability than standard tools. dcfldd can output to multiple files or disks simultaneously and send logs to both files and commands natively.
dd defaults to a 512-byte block size; dcfldd defaults to 32768 bytes (32 KiB), making it significantly more efficient for large-scale data operations.
How It Works
dcfldd operates as an enhanced data duplication tool that reads from input sources (files or devices) and writes to output destinations while performing on-the-fly cryptographic hashing of transferred data. It supports multiple simultaneous outputs, split files with configurable formatting, and progress status updates. The tool verifies image integrity by comparing hashes or bit-for-bit matching against specified patterns or files. Additional logging capabilities pipe output and status information to both files and external commands.
Installation
sudo apt install dcfldd
Flags
Examples
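# Image a disk, hashing with SHA-256 on the fly and writing the hash to a log file
dcfldd if=/dev/sda of=image.dd hash=sha256 hashlog=hash.log
# Wipe a disk by writing the repeating byte pattern 0xFF
dcfldd if=/dev/zero of=/dev/sdb pattern=0xFF
# Verify that the target drive matches the image (vf= compares against the input and writes nothing)
dcfldd if=/dev/sdc vf=image.dd
# Write two copies of the image at once, hashing with MD5
dcfldd if=/dev/sda of=image1.dd of=image2.dd hash=md5
# Split the output into 100M pieces; split= and splitformat= apply only to an of= that follows them, and splitformat takes 'a'/'n' placeholders
dcfldd if=/dev/sda split=100M splitformat=nn of=image.img
# Image a disk with a custom status update interval (statusinterval is counted in blocks)
dcfldd if=/dev/sda of=image.dd statusinterval=10m
# Re-hash an existing image, emitting one SHA-256 per 1M window as well as the total
dcfldd if=image.dd of=/dev/null hash=sha256 hashwindow=1M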
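
Why per-window hashes are worth recording next to the total: when a later re-hash no longer matches, the window hashes narrow the change down to a region of the image. The following is an added Python example, not dcfldd's own code and not a parser for its log format; it models single-pass copying with a total hash plus one hash per window, as hash= with hashwindow= describe. The function names windowed_hashes and changed_windows are hypothetical, and the sample image is constructed.

```python
import hashlib
import io
from itertools import zip_longest

BLOCK = 32768  # dcfldd's default block size, as stated on this page


def windowed_hashes(src, window, algo="sha256", dst=None):
    """Read src once (optionally copying to dst); return (window digests, total digest)."""
    total = hashlib.new(algo)
    current = hashlib.new(algo)
    filled = 0  # bytes already hashed into the current window
    windows = []
    while True:
        block = src.read(BLOCK)
        if not block:
            break
        if dst is not None:
            dst.write(block)
        total.update(block)
        view = memoryview(block)
        while len(view):  # a block may straddle a window boundary
            take = min(window - filled, len(view))
            current.update(view[:take])
            filled += take
            view = view[take:]
            if filled == window:
                windows.append(current.hexdigest())
                current, filled = hashlib.new(algo), 0
    if filled:  # trailing partial window
        windows.append(current.hexdigest())
    return windows, total.hexdigest()


def changed_windows(reference, candidate):
    """Indexes of windows whose digests differ or exist on one side only."""
    pairs = zip_longest(reference, candidate)
    return [i for i, (a, b) in enumerate(pairs) if a != b]


# Constructed sample: a 300 KiB "image" and a copy with a single byte altered.
WINDOW = 64 * 1024
original = bytes(range(256)) * 1200          # 307200 bytes
tampered = bytearray(original)
tampered[200_000] ^= 0xFF                    # offset lies in window 3
acquired = io.BytesIO()
ref_windows, ref_total = windowed_hashes(io.BytesIO(original), WINDOW, dst=acquired)
new_windows, new_total = windowed_hashes(io.BytesIO(bytes(tampered)), WINDOW)
print("total matches:", ref_total == new_total)
print("windows that differ:", changed_windows(ref_windows, new_windows))
```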