Imaging Using dcfldd

In this example, a 128MB USB thumb drive will be imaged on a Linux system using dcfldd onto a 1GB USB thumb drive.  dcfldd is an improved version of dd; most of the syntax is identical, just a few functions have been added.  It is important to locate the name that Linux uses to refer to both the USB drives that will be used in the imaging process.  This can be done by entering sudo fdisk -l in a terminal window.  This will list all the disks that Linux sees, as well as where in the /dev directory each is located.  In this example, the USB drive that will be imaged is located at /dev/sdb, and the drive that the image will be saved on is /dev/sdc.

Figure 1: Displaying disk names

It is important to write protect the drive to be imaged as soon as possible after it has been attached to the computer.  While a properly configured forensic Linux machine will not write to the evidence disk, it is good to take precautions to block write attempts, both from the system and the user.  Now that the drive's location is known, the next step is to change the permissions.

The command ls -lha /dev | grep sd will list all the files in the /dev folder that contain the letters sd.  Since all the disks being used contain sd in the name, this will filter out all the devices that are not of interest.  This command allows the user to view the permissions of the drives; as it is now, both the owner of sdb and root can write to sdb.  To change this, use the chmod command.  Entering sudo chmod 440 /dev/sdb sets the permissions for the disk sdb so that root and the owner can both only read, not write.  Enter ls -lha /dev | grep sd again to view the new permissions and verify that this is the case.

Figure 2: Displaying permissions

The next step is to use the dcfldd utility to create a copy of the drive.  In this case, an image will be created of the first partition on the sdb device, so the source will be /dev/sdb1.  By invoking the mount command, it can be seen that the destination drive has been mounted as /media/disk.  The command to create the image is as follows (enter as one line):

dcfldd if=/dev/sdb1 of=/media/disk/test_image.dd hash=md5,sha1 hashlog=/media/disk/hashlog.txt

Next each of the options in this dcfldd command will be discussed.  The if parameter identifies the source of the data to be imaged, in this case, /dev/sdb1.  The of option directs dcfldd where to write the output of the data acquisition.  One nice feature about dcfldd is that multiple of paths can be specified, allowing for multiple copies of the image to be created simultaneously.  This is useful if the examiner wants to create a local copy of the image, and a remote backup or archival copy on a network file server or local tape drive.  Special caution should be used when specifying if and of.  If the write blocking fails or is not used at all, switching these two parameters will result in the blank destination drive being copied on top of and overwriting the evidence drive.  Because of the dire consequences of such a mix-up, the original dd was jokingly thought to stand for ‘data destroyer.’  The next parameters are what make dcfldd so much better for forensic purposes than dd.  The hash attribute allows the user to specify what kind of cryptographic hash algorithms will be applied to the data.  The default is MD5, but in this example both MD5 and SHA-1 will be used.  The final attribute, hashlog, specifies where the output of the hashing should be directed; in this case, it will be to a text file in the same directory as the disk image.

While the image is being created, dcfldd will display a line that shows how many blocks have been written, and how many megabytes that corresponds to.  Once the image process has completed, a message will appear indicating how many complete blocks were copied.  The block size can be specified as a flag in the dcfldd command by adding bs=[block_size]; the default is 512 bytes.  If the number of blocks is followed by a +0, then exactly that many complete blocks of data were written.  If the number is followed by a +1, that means that that many complete blocks of data were written, plus one partial block of data.

Once the image has been created, it is very important that it be verified that it is indeed an exact, bit-for-bit copy of the original data.  There are a few ways that this can be done.  One method is to use dcfldd again.  If the following command is run, it will hash both the source (specified with if) and the file given by vf and report if their hash values match.  If they are the same, it will report Match; if not, it will report Mismatch.

dcfldd if=/dev/sdb1 vf=/media/disk/test_image.dd verifylog=/media/disk/verifylog.txt

Another method to verify that the two are identical is to directly hash both files and compare.  The programs md5 and sha1 perform their respective hash function on the file specified.  Referring back to the file that was imaged earlier in this example, if the user were to enter sudo md5 /media/disk/test_image.dd /dev/sdb1, and compare the two returned hash values, they should be the same.  Also, because the hash flag was set when dcfldd was run, the hashlog file has the calculated hash values already, so those may be referenced as well.  If the hashes match, the image creation process was successful.  Otherwise, the whole process can be repeated; sometimes errors in copying the data will cause verification to fail.  Note that, if even one bit of data has been altered, the two sets of data will have drastically different hash values.

Figure 3: Hashing and comparing values
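The image, hashlog, verify and "N+1 records" behaviour described in the last three sections can be exercised without any real evidence drive. The script below is an added example, not code from the original post: dcfldd is often absent from a stock install, so plain dd together with the coreutils md5sum and sha1sum programs (the names the Linux hashing tools actually carry; md5 and sha1 are the BSD names) stand in for dcfldd's hash=md5,sha1, hashlog= and vf= options. It builds a constructed source of four full 512-byte blocks plus one partial block so that dd's summary ends in "+1", images it, writes a hashlog, verifies the copy with a Match/Mismatch report, and then flips a single bit in a copy of the image to show that verification fails. All paths live in a temporary directory; nothing here touches a device.

```shell
#!/bin/sh
# Added example, not code from the original post. dcfldd is often absent
# from a stock install, so plain dd plus coreutils md5sum/sha1sum stand in
# for dcfldd's hash=md5,sha1 / hashlog= / vf= options. Every path below is
# constructed in a temporary directory; no real device is touched.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "evidence": 4 full 512-byte blocks plus 52 bytes, so the
# copy summary ends in "+1" (one partial block) as the post describes.
make_source() {
    head -c 2100 /dev/urandom > "$WORK/evidence.bin"
    printf '%s\n' "$WORK/evidence.bin"
}

# Hash a file with both algorithms, one line each, like a hashlog entry.
hash_both() {
    echo "md5:  $(md5sum < "$1" | cut -d' ' -f1)"
    echo "sha1: $(sha1sum < "$1" | cut -d' ' -f1)"
}

# Image SRC to IMG with dd (bs=512, the default block size) and record the
# source hashes in LOG, mirroring
#   dcfldd if=SRC of=IMG hash=md5,sha1 hashlog=LOG
# dd's "N+0" / "N+1 records out" summary is kept in $WORK/dd.err.
image_with_hashes() {
    dd if="$1" of="$2" bs=512 2>"$WORK/dd.err" || return 1
    hash_both "$1" > "$3"
}

# Return the "records out" summary line from the last dd run.
records_out() {
    grep 'records out' "$WORK/dd.err"
}

# Re-hash SRC and IMG and print Match or Mismatch, mirroring
#   dcfldd if=SRC vf=IMG verifylog=...
verify_image() {
    if [ "$(hash_both "$1")" = "$(hash_both "$2")" ]; then
        echo Match
    else
        echo Mismatch
    fi
}

# Copy IMG to OUT and flip the lowest bit of byte 100, to show that a
# single-bit change makes verification fail.
flip_one_bit() {
    cp "$1" "$2"
    byte=$(od -An -tu1 -j100 -N1 "$1" | tr -d ' ')
    printf "\\$(printf '%03o' $((byte ^ 1)))" \
        | dd of="$2" bs=1 seek=100 conv=notrunc 2>/dev/null
}

# Stand-alone run: image, verify, then show a tampered copy failing.
SRC=$(make_source)
image_with_hashes "$SRC" "$WORK/image.dd" "$WORK/hashlog.txt"
echo "dd: $(records_out)"
cat "$WORK/hashlog.txt"
echo "original image: $(verify_image "$SRC" "$WORK/image.dd")"
flip_one_bit "$WORK/image.dd" "$WORK/tampered.dd"
echo "one bit flipped: $(verify_image "$SRC" "$WORK/tampered.dd")"
```

On a real acquisition the same shape applies with if= pointing at the write-protected device: keep the hashlog beside the image, and treat anything other than Match, or a "+1" that does not agree with the source size divided by the block size, as a reason to re-image rather than proceed.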


5 thoughts on “Imaging Using dcfldd”

  1. Can I use this command on Windows platform too ? In MS Command Prompt?
    I need to image a 1GB thumb drive and also hash it, on a Windows platform.

    1. Thank you for your prompt reply.
      Yes, I have the FTK Imager tool. But in this exercise, I am not allowed to use a commercial tool, rather implement my own program to acquire and hash an image of a thumb drive. Hence, I want to learn on how to do it manually, using commands.

  2. DCFLDD has known issues/anomalies as reported by NIST. Research it and be aware of the problem to ensure it does not apply to the version/platform being used. This goes back to testing setups for forensic quality comments (https://shoestringforensics.wordpress.com/2009/09/11/imaging-using-ftk-imager/).

    Alternatively: Use Cygwin with its linux/debian “dd” package version (https://www.cygwin.com/), FTK Imager command line versions (http://www.accessdata.com/product-download), or DD for Windows (http://www.chrysocome.net/download). However, I recommend keeping a copy of DEFT Linux, Kali Linux, CAINE Live, or other similar platform on a bootable disk or virtual environment. Boot to the media and execute “dd” from terminal to perform your disk or file imaging, no further problems with finding the right utility and will work.

  3. If someone needs to do it manually using Windows command line interface (CLI) then “dir *.* /S > printoutname.txt” for all files in a directory. Specific files “dir *.* /C /S /T :W /4 > DRIVELETTER:\printoutnamehere.txt” where “:W” shows files last written date. Alternatively they can use “dir /?” for a list of available options.
