1dcfldd(1)      enhanced version of dd for forensics and security     dcfldd(1)
2
3
4

NAME

6       dcfldd - enhanced version of dd for forensics and security
7

SYNOPSIS

9       dcfldd [OPTION]...
10
11

DESCRIPTION

13       Copy a file, converting and formatting according to the options.
14
15       dcfldd was initially developed at Department of Defense Computer Foren‐
16       sics Lab (DCFL). This tool is based on the dd program with the  follow‐
17       ing additional features:
18
19       •  Hashing  on-the-fly:  dcfldd  can hash the input data as it is being
20          transferred, helping to ensure data integrity.
21
22       •  Status output: dcfldd can update the user of its progress  in  terms
23          of the amount of data transferred and how much longer operation will
24          take.
25
26       •  Flexible disk wipes: dcfldd can be used to wipe  disks  quickly  and
27          with a known pattern if desired.
28
29       •  Image/wipe  verify:  dcfldd can verify that a target drive is a bit-
30          for-bit match of the specified input file or pattern.
31
32       •  Multiple outputs: dcfldd can output to multiple files  or  disks  at
33          the same time.
34
35       •  Split  output:  dcfldd  can split output to multiple files with more
36          configurability than the split command.
37
38       •  Piped output and logs: dcfldd can send all its log data  and  output
39          to commands as well as files natively.
40
41       •  When  dd  uses  a  default  block  size (bs, ibs, obs) of 512 bytes,
42          dcfldd uses 32768 bytes (32 KiB) which is HUGELY more efficient.
43
44       •  The following options are present in dcfldd but  not  in  dd:  ALGO‐
45          RITHMlog:,  errlog,  hash,  hashconv, hashformat, hashlog, hashlog:,
46          hashwindow, limit, of:, pattern, sizeprobe, split, splitformat, sta‐
47          tusinterval,  textpattern,  totalhashformat,  verifylog, verifylog:,
48          vf.
49
50       dcfldd supports the following letters to specify amount of data: k  for
51       kilo,  M for Mega, G for Giga, T for Tera, P for Peta, E for Exa, Z for
52       Zetta and Y for Yotta. E.g. 10M is equal to 10 MiB. See the BLOCKS  AND
53       BYTES section to get other possibilities.
54

OPTIONS

56       bs=BYTES
57              Force  ibs=BYTES  and obs=BYTES. Default value is 32768 (32KiB).
58              See BLOCKS AND BYTES section. Warning: the block  size  will  be
59              created  in  RAM.  Make  sure you have sufficient amount of free
60              memory.
61
62       cbs=BYTES
63              Convert BYTES bytes at a time. (see BLOCKS AND BYTES section)
64
65       conv=KEYWORDS
66              Convert the file as per the comma separated keyword list.
67
68       count=BLOCKS
69              Copy only BLOCKS input blocks. (see BLOCKS AND BYTES section)
70
71       limit=BYTES
72              Similar to count but using BYTES instead of BLOCKS. (see  BLOCKS
73              AND BYTES section)
74
75       ibs=BYTES
76              Read BYTES bytes at a time. (see BLOCKS AND BYTES section)
77
78       if=FILE
79              Read from FILE instead of stdin. (see BLOCKS AND BYTES section)
80
81       obs=BYTES
82              Write BYTES bytes at a time. (see BLOCKS AND BYTES section)
83
84       of=FILE
85              Write  to FILE instead of stdout. NOTE: of=FILE may be used sev‐
86              eral times to write output to multiple files simultaneously.
87
88       of:=COMMAND
89              Exec and write output to process COMMAND.
90
91       seek=BLOCKS
92              Skip BLOCKS obs-sized blocks at start of output. (see BLOCKS AND
93              BYTES section)
94
95       skip=BLOCKS
96              Skip  BLOCKS ibs-sized blocks at start of input. (see BLOCKS AND
97              BYTES section)
98
99       pattern=HEX
100              Use the specified binary pattern as input. You can  use  a  byte
101              only.
102
103       textpattern=TEXT
104              Use repeating TEXT as input. You can use a character only.
105
106       errlog=FILE
107              Send error messages to FILE as well as stderr.
108
109       hash=NAME
110              Do  hash  calculation  in parallel with the disk reading. Either
111              md5, sha1, sha256, sha384 or sha512 can be used.  Default  algo‐
112              rithm  is  md5.  To select multiple algorithms to run simultane‐
113              ously enter the names in a comma separated list.
114
115       hashlog=FILE
116              Send hash output to FILE instead of stderr.  If  you  are  using
117              multiple  hash  algorithms  you can send each to a separate file
118              using   the   convention    ALGORITHMlog=FILE,    for    example
119              md5log=FILE1, sha1log=FILE2, etc.
120
121       hashwindow=BYTES
122              Perform  a  hash  on every BYTES amount of data. The partial re‐
123              sults will be shown in screen. The default hash is md5  but  you
124              can use hash= option to choose other.
125
126       hashlog:=COMMAND
127              Exec and write hashlog to process COMMAND.
128
129       ALGORITHMlog:=COMMAND
130              Also works in the same fashion of hashlog:=COMMAND.
131
132       hashconv=[before|after]
133              Perform the hashing before or after the conversions.
134
135       hashformat=FORMAT
136              Display  each  hashwindow  according  to  FORMAT the hash format
137              mini-language is described below.
138
139       totalhashformat=FORMAT
140              Display the total hash value according to FORMAT the hash format
141              mini-language is described below.
142
143       status=[on|off]
144              Display  a  continual status message on stderr. Default state is
145              "on".
146
147       statusinterval=N
148              Update the status message every N blocks. Default value is 256.
149
150       sizeprobe=[if|of|BYTES]
151              Determine the size of the input or output file or an  amount  of
152              BYTES for use with status messages. This option gives you a per‐
153              centage indicator around the sizeprobe value.  WARNING:  do  not
154              use  this  option  against  a tape device. (see BLOCKS AND BYTES
155              section)
156
157       split=BYTES
158              Write every BYTES amount of data to a new file.  This  operation
159              applies  to  any of=FILE that follows (split= must be put before
160              of=). (see BLOCKS AND BYTES section)
161
162       splitformat=[TEXT|MAC|WIN]
163              The file extension format for split operation. You may  use  "a"
164              for  letters  and "n" for numbers. If you use annn, an extension
165              started as a000 will be appended; the  last  possible  extension
166              for  this  format will be z999.  splitformat=an will provide a0,
167              a1, a2, a3, a4, a5, a6, a7, a8, a9, b0, b1, b2, b3... If nothing
168              is  specified  the  default format is "nnn". NOTE: the split and
169              splitformat options take effect only for  output  files  (option
170              of=)  specified  AFTER  these options appear in the command line
171              (e.g. split=50M splitformat=annn  of=/tmp/test.iso).   Likewise,
172              you  may  specify  it  several  times for different output files
173              within the same command line. You may use as many digits in  any
174              combination  you  would like. E.g. "anaannnaana" would be valid,
175              but a quite insane (see BLOCKS AND BYTES section).  Other possi‐
176              ble  approach is MAC. If "MAC" is used, a suffix dmg and several
177              dmgpart will be appended. In other words,  it  will  generate  a
178              partial  disk image file, used by the Mac OS X operating system.
179              dmgpart files are usually  provided  with  a  corresponding  dmg
180              file, which is the master file for the split archive.  If dmg is
181              opened in Mac OS X, all dmgpart will be read too. The  last  op‐
182              tion  is  WIN,  which  will  automatically output file naming of
183              foo.001, foo.002, ..., foo.999, foo.1000, ....
184
185       vf=FILE
186              Verify that FILE matches the specified input.
187
188       verifylog=FILE
189              Send verify results to FILE instead of stderr.
190
191       verifylog:=COMMAND
192              Exec and write verify results to process COMMAND.
193
194       --help Display a help page and exit.
195
196       --version
197              Output version information and exit.
198

BLOCKS AND BYTES

200       BLOCKS and BYTES may be followed by the following  multiplicative  suf‐
201       fixes:  xM  M,  c  1,  w  2,  b  512,  kD 1000, k 1024, MD 1,000,000, M
202       1,048,576, GD 1,000,000,000, G 1,073,741,824, and so on for T, P, E, Z,
203       Y.
204

KEYWORDS

206       Each KEYWORD may be:
207
208       ascii  From EBCDIC to ASCII.
209
210       ebcdic From ASCII to EBCDIC.
211
212       ibm    From ASCII to alternated EBCDIC.
213
214       block  Pad newline-terminated records with spaces to cbs-size.
215
216       unblock
217              Replace trailing spaces in cbs-size records with newline.
218
219       lcase  Change upper case to lower case.
220
221       notrunc
222              Do not truncate the output file.
223
224       ucase  Change lower case to upper case.
225
226       swab   Swap every pair of input bytes.
227
228       noerror
229              Continue after read errors.
230
231       sync   Pad  every  input  block  with  NULs to ibs-size. When used with
232              block or unblock, pad with spaces rather than NULs.
233

FORMAT

235       The structure of FORMAT may contain any valid text  and  special  vari‐
236       ables.   The  built-in  variables  are  the  following  format:  #vari‐
237       able_name#. To pass FORMAT strings to the program from a command  line,
238       it may be
239
240       necessary to surround your FORMAT strings with "quotes."
241              The built-in variables are listed below:
242
243       window_start
244              The beginning byte offset of the hashwindow.
245
246       window_end
247              The ending byte offset of the hashwindow.
248
249       block_start
250              The beginning block (by input blocksize) of the window.
251
252       block_end
253              The ending block (by input blocksize) of the hash window.
254
255       hash   The hash value.
256
257       algorithm
258              The name of the hash algorithm.
259
260       For example, the default FORMAT for hashformat and totalhashformat are:
261
262           hashformat="#window_start# - #window_end#: #hash#" totalhashformat="Total (#algorithm#): #hash#"
263
264       The FORMAT structure accepts the following escape codes:
265
266       \n     Newline
267
268       \t     Tab
269
270       \r     Carriage return
271
272       \      Insert the '\' character
273
274       ##     Insert the '#' character as text, not a variable
275

EXAMPLES

277       Each following line will create a 100 MiB file containing zeros:
278
279           $ dcfldd if=/dev/zero of=test bs=1M count=100
280           $ dcfldd if=/dev/zero of=test bs=100M count=1
281           $ dcfldd if=/dev/zero of=test bs=50M count=2
282           $ dcfldd if=/dev/zero of=test limit=100M
283
284       To create a copy (forensics image) from a disk called /dev/sdb inside a
285       file, using input/output blocks of 4096 bytes (4 KiB) instead of 32 KiB
286       (default):
287
288           $ dcfldd if=/dev/sdb bs=4096 of=sdb.img
289
290       As  the  last  example, plus calculating MD5 and SHA256 hashes, putting
291       the results inside sdb.md5 and sdb.sha256. It is very useful for foren‐
292       sics  works because the hashes will be processed in real time, avoiding
293       a waste of time to make something as 'dd + md5 +  sha256'.  Considering
294       that  I/O  disk  is  very slow and RAM is very fast, the hashes will be
295       calculated, bit per bit in memory, when the next portion of the disk is
296       read. When all disk was read, all hashes are now ready.
297
298           $ dcfldd if=/dev/sdb bs=4096 hash=md5,sha256 md5log=sdb.md5 sha256log=sdb.sha256 of=sdb.img
299
300       To validate the image file against the original source:
301
302           $ dcfldd if=/dev/sdb vf=sdb.img
303
304       Splitting  the  image in 500 MiB slices, using the default bs value (32
305       KiB). Note that split= must be put before of= to work:
306
307           $ dcfldd if=/dev/sdb split=500M of=sdb.img
308
309       At the last example, using from a0000 up to z9999 as  suffix  for  each
310       split file:
311
312           $ dcfldd if=/dev/sdb split=500M splitformat=annnn of=sdb.img
313
314       Now,  dcfldd  will  work  byte  per byte (bs=1) and will hop 1056087439
315       bytes. After this, dcfldd will collect 200000 bytes and write  the  re‐
316       sults to a file called airplane.jpg.
317
318           $ dcfldd if=/dev/sda3 bs=1 skip=1056087439 count=200000 of=airplane.jpg
319
320       In  the  last  example, the same result could be obtained using "limit"
321       instead of "count". The main difference is that  count  uses  200000*bs
322       and limit uses 200000 bytes (regardless of the value declared in bs op‐
323       tion):
324
325           $ dcfldd if=/dev/sda3 bs=1 skip=1056087439 limit=200000 of=airplane.jpg
326
327       To write something inside a file, you can use seek. Suppose you want to
328       write  a  message  from  a file called message.txt inside a file called
329       target.iso, hopping 200000 bytes from start of file:
330
331           $ dcfldd if=message.txt bs=1 seek=200000 of=target.iso
332
333       dcfldd also can send a result to be processed by an external command:
334
335           $ dcfldd if=text.txt  of:="cat | sort -u"
336
337       To convert a file from ASCII to EBCDIC:
338
339           $ dcfldd if=text.asc conv=ebcdic of=text.ebcdic
340
341       To convert a file from EBCDIC to ASCII:
342
343           $ dcfldd if=text.ebcdic conv=ascii of=text.asc
344
345

SEE ALSO

347       dd(1)
348

REPORTING BUGS

350       Report     bugs     at     https://github.com/resurrecting-open-source-
351       projects/dcfldd/issues
352

AUTHORS

354       dcfldd  was  originally written by Nicholas Harbour. Currently is main‐
355       tained by some volunteers.
356
357       GNU dd was written by Paul Rubin, David MacKenzie and Stuart Kemp.
358
359       This manpage was written by dd authors, Nicholas Harbour, Joao Eriberto
360       Mota Filho and others.
361
362
363
364dcfldd-1.7                        02 Feb 2020                        dcfldd(1)
Impressum