
dcfldd

Enhanced version of dd for forensics and security with features like on-the-fly hashing, status output, and flexible disk wiping. It provides improved efficiency and additional capabilities for data acquisition and verification.

Description

dcfldd was initially developed at the Department of Defense Computer Forensics Lab (DCFL). The tool is based on the dd program, with additional features tailored for forensic and security use cases. It supports on-the-fly hashing to ensure data integrity during transfers, flexible disk wiping with known patterns, and verification that target drives match input files bit-for-bit.

Key use cases include forensic imaging where data integrity must be verified through hashing, secure disk wiping operations, and splitting large outputs across multiple files with greater configurability than standard tools. dcfldd can output to multiple files or disks simultaneously and send logs to both files and commands natively.

Unlike dd's default 512-byte block size, dcfldd uses 32768 bytes (32 KiB) by default, making it significantly more efficient for large-scale data operations.

How It Works

dcfldd operates as an enhanced data duplication tool that reads from input sources (files or devices) and writes to output destinations while performing on-the-fly cryptographic hashing of transferred data. It supports multiple simultaneous outputs, split files with configurable formatting, and progress status updates. The tool verifies image integrity by comparing hashes or bit-for-bit matching against specified patterns or files. Additional logging capabilities pipe output and status information to both files and external commands.

Installation

sudo apt install dcfldd

Flags

bs=BYTES        force ibs=BYTES and obs=BYTES (default=32768)
cbs=BYTES       convert BYTES bytes at a time
conv=KEYWORDS   convert the file as per the comma separated keyword list
count=BLOCKS    copy only BLOCKS input blocks
limit=BYTES     similar to count but using BYTES instead of BLOCKS
ibs=BYTES       read BYTES bytes at a time
if=FILE         read from FILE instead of stdin
obs=BYTES       write BYTES bytes at a time
--help          display this help and exit
--version       output version information and exit

Examples

Create forensic image of /dev/sda with SHA256 hashing and log hashes to file
dcfldd if=/dev/sda of=image.dd hash=sha256 hashlog=hash.log
Wipe disk /dev/sdb with 0xFF pattern using /dev/zero as input
dcfldd if=/dev/zero of=/dev/sdb pattern=0xFF
Verify that /dev/sdc is a bit-for-bit match of image.dd (vf=FILE checks that FILE matches the specified input)
dcfldd if=image.dd vf=/dev/sdc
Write input from /dev/sda to two output files simultaneously with MD5 hashing
dcfldd if=/dev/sda of=image1.dd of=image2.dd hash=md5
Split disk image into 100MB files with numeric suffixes (split= and splitformat= apply only to an of= that follows them)
dcfldd if=/dev/sda split=100M splitformat=nn of=image.img
Image disk with status updates every 10MB (statusinterval counts blocks: 320 blocks of the default 32768 bytes)
dcfldd if=/dev/sda of=image.dd statusinterval=320
Verify image integrity by hashing 1MB windows while outputting to null
dcfldd if=image.dd of=/dev/null hash=sha256 hashwindow=1M
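
Added example (not from the original page or the dcfldd project): a shell function that re-checks an image against a SHA-256 hashlog written with hash=sha256 hashlog=FILE and, when hashwindow= was used, reports which byte ranges no longer match. The function names and the hashlog line shapes it parses are assumptions; adjust the patterns if hashformat= or totalhashformat= was set.

```shell
#!/bin/sh
# Added example: re-verify an image against a dcfldd SHA-256 hashlog.
# Assumed hashlog line shapes (believed to be dcfldd's defaults):
#   "<start> - <end>: <hex>"    one line per hash window
#   "Total (sha256): <hex>"     digest of the whole input

# sha256_range FILE START END -> hex digest of bytes [START, END)
sha256_range() {
    tail -c "+$(( $2 + 1 ))" "$1" | head -c "$(( $3 - $2 ))" |
        sha256sum | cut -d' ' -f1
}

# verify_hashlog IMAGE HASHLOG
# Prints one MISMATCH line per failed entry; returns 0 only if every
# parsed entry matches and at least one entry was parsed.
verify_hashlog() {
    image=$1 log=$2 bad=0 checked=0
    while IFS= read -r line; do
        case $line in
            "Total (sha256): "*)
                want=${line#"Total (sha256): "}
                got=$(sha256sum "$image" | cut -d' ' -f1)
                label=total ;;
            [0-9]*" - "[0-9]*": "*)
                start=${line%% - *}
                rest=${line#* - }
                end=${rest%%: *}
                want=${rest#*: }
                got=$(sha256_range "$image" "$start" "$end")
                label="window $start-$end" ;;
            *) continue ;;   # ignore status text or blank lines
        esac
        checked=$((checked + 1))
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $label"
            bad=$((bad + 1))
        fi
    done < "$log"
    # An empty or unparseable log must never count as "verified".
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}
```

Run it as `verify_hashlog image.dd hash.log`; a mismatching window narrows where the copy diverged from the data that was hashed at acquisition time.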
Updated 2026-04-16. Source: kali.org