1dcfldd(1)      enhanced version of dd for forensics and security     dcfldd(1)
2
3
4

NAME

6       dcfldd - enhanced version of dd for forensics and security
7

SYNOPSIS

9       dcfldd [OPTION]...
10
11

DESCRIPTION

13       Copy a file, converting and formatting according to the options.
14
15       dcfldd was initially developed at Department of Defense Computer Foren‐
16       sics Lab (DCFL). This tool is based on the dd program with the  follow‐
17       ing additional features:
18
19       •  Hashing  on-the-fly:  dcfldd  can hash the input data as it is being
20          transferred, helping to ensure data integrity.
21
22       •  Status output: dcfldd can update the user of its progress  in  terms
23          of the amount of data transferred and how much longer operation will
24          take.
25
26       •  Flexible disk wipes: dcfldd can be used to wipe  disks  quickly  and
27          with a known pattern if desired.
28
29       •  Image/wipe  verify:  dcfldd can verify that a target drive is a bit-
30          for-bit match of the specified input file or pattern.
31
32       •  Multiple outputs: dcfldd can output to multiple files  or  disks  at
33          the same time.
34
35       •  Split  output:  dcfldd  can split output to multiple files with more
36          configurability than the split command.
37
38       •  Piped output and logs: dcfldd can send all its log data  and  output
39          to commands as well as files natively.
40
41       •  When  dd  uses  a  default  block  size (bs, ibs, obs) of 512 bytes,
42          dcfldd uses 32768 bytes (32 KiB) which is HUGELY more efficient.
43
44       •  The following options are present in dcfldd but  not  in  dd:  ALGO‐
45          RITHMlog:,  errlog,  hash,  hashconv, hashformat, hashlog, hashlog:,
46          hashwindow, limit, of:, pattern, sizeprobe, split, splitformat, sta‐
47          tusinterval,  textpattern,  totalhashformat,  verifylog, verifylog:,
48          vf.
49
50       dcfldd supports the following letters to specify amount of data: k  for
51       kilo,  M for Mega, G for Giga, T for Tera, P for Peta, E for Exa, Z for
52       Zetta and Y for Yotta. E.g. 10M is equal to 10 MiB. See the BLOCKS  AND
53       BYTES section to get other possibilities.
54

OPTIONS

56       bs=BYTES
57              Force  ibs=BYTES  and obs=BYTES. Default value is 32768 (32KiB).
58              See BLOCKS AND BYTES section. Warning: the block  size  will  be
59              created  in  RAM.  Make  sure you have sufficient amount of free
60              memory.
61
62       cbs=BYTES
63              Convert BYTES bytes at a time. (see BLOCKS AND BYTES section)
64
65       conv=KEYWORDS
66              Convert the file as per the comma separated keyword list.
67
68       count=BLOCKS
69              Copy only BLOCKS input blocks. (see BLOCKS AND BYTES section)
70
71       limit=BYTES
72              Similar to count but using BYTES instead of BLOCKS. (see  BLOCKS
73              AND BYTES section)
74
75       ibs=BYTES
76              Read BYTES bytes at a time. (see BLOCKS AND BYTES section)
77
78       if=FILE
79              Read from FILE instead of stdin. (see BLOCKS AND BYTES section)
80
81       obs=BYTES
82              Write BYTES bytes at a time. (see BLOCKS AND BYTES section)
83
84       of=FILE
85              Write  to FILE instead of stdout. NOTE: of=FILE may be used sev‐
86              eral times to write output to multiple files simultaneously.
87
88       of:=COMMAND
89              Exec and write output to process COMMAND.
90
91       seek=BLOCKS
92              Skip BLOCKS obs-sized blocks at start of output. (see BLOCKS AND
93              BYTES section)
94
95       skip=BLOCKS
96              Skip  BLOCKS ibs-sized blocks at start of input. (see BLOCKS AND
97              BYTES section)
98
99       pattern=HEX
100              Use the specified binary pattern as input. You can  use  a  byte
101              only.
102
103       textpattern=TEXT
104              Use repeating TEXT as input. You can use a character only.
105
106       errlog=FILE
107              Send error messages to FILE as well as stderr.
108
109       hash=NAME
110              Do  hash  calculation  in parallel with the disk reading. Either
111              md5, sha1, sha256, sha384 or sha512 can be used.  Default  algo‐
112              rithm  is  md5.  To select multiple algorithms to run simultane‐
113              ously enter the names in a comma separated list.
114
115       hashlog=FILE
116              Send hash output to FILE instead of stderr.  If  you  are  using
117              multiple  hash  algorithms  you can send each to a separate file
118              using   the   convention    ALGORITHMlog=FILE,    for    example
119              md5log=FILE1, sha1log=FILE2, etc.
120
121       hashwindow=BYTES
122              Perform  a  hash  on every BYTES amount of data. The partial re‐
123              sults will be shown in screen. The default hash is md5  but  you
124              can use hash= option to choose other.
125
126       hashlog:=COMMAND
127              Exec and write hashlog to process COMMAND.
128
129       ALGORITHMlog:=COMMAND
130              Also works in the same fashion of hashlog:=COMMAND.
131
132       hashconv=[before|after]
133              Perform the hashing before or after the conversions.
134
135       hashformat=FORMAT
136              Display  each  hashwindow  according  to  FORMAT the hash format
137              mini-language is described below.
138
139       totalhashformat=FORMAT
140              Display the total hash value according to FORMAT the hash format
141              mini-language is described below.
142
143       status=[on|off]
144              Display  a  continual status message on stderr. Default state is
145              "on".
146
147       statusinterval=N
148              Update the status message every N blocks. Default value is 256.
149
150       sizeprobe=[if|of|BYTES]
151              Determine the size of the input or output file or an  amount  of
152              BYTES for use with status messages. This option gives you a per‐
153              centage indicator around the sizeprobe value.  WARNING:  do  not
154              use  this  option  against  a tape device. (see BLOCKS AND BYTES
155              section)
156
157       split=BYTES
158              Write every BYTES amount of data to a new file.  This  operation
159              applies  to  any of=FILE that follows (split= must be put before
160              of=). (see BLOCKS AND BYTES section)
161
162       splitformat=[TEXT|MAC|WIN]
163              The file extension format for split operation. You may  use  "a"
164              for  letters  and "n" for numbers. If you use annn, an extension
165              started as a000 will be appended; the  last  possible  extension
166              for  this  format will be z999.  splitformat=an will provide a0,
167              a1, a2, a3, a4, a5, a6, a7, a8, a9, b0, b1, b2, b3... If nothing
168              is  specified  the  default format is "nnn". NOTE: the split and
169              splitformat options take effect only for  output  files  (option
170              of=)  specified  AFTER  these options appear in the command line
171              (e.g. split=50M splitformat=annn  of=/tmp/test.iso).   Likewise,
172              you  may  specify  it  several  times for different output files
173              within the same command line. You may use as many digits in  any
174              combination  you  would like. E.g. "anaannnaana" would be valid,
175              but a quite insane (see BLOCKS AND BYTES section).  Other possi‐
176              ble  approach is MAC. If "MAC" is used, a suffix dmg and several
177              dmgpart will be appended. In other words,  it  will  generate  a
178              partial  disk image file, used by the Mac OS X operating system.
179              dmgpart files are usually  provided  with  a  corresponding  dmg
180              file, which is the master file for the split archive.  If dmg is
181              opened in Mac OS X, all dmgpart will be read too. The  last  op‐
182              tion  is  WIN,  which  will  automatically output file naming of
183              foo.001, foo.002, ..., foo.999, foo.1000, ....
184
185       vf=FILE
186              Verify that FILE matches the specified input.
187
188       verifylog=FILE
189              Send verify results to FILE instead of stderr.
190
191       verifylog:=COMMAND
192              Exec and write verify results to process COMMAND.
193
194       diffwr=[on|off]
195              Only write to output if destination block content differs.  This
196              operation  applies  to any of=FILE that follows (diffwr= must be
197              put before any of=).
198
199       --help Display a help page and exit.
200
201       --version
202              Output version information and exit.
203

BLOCKS AND BYTES

205       BLOCKS and BYTES may be followed by the following  multiplicative  suf‐
206       fixes:  xM  M,  c  1,  w  2,  b  512,  kD 1000, k 1024, MD 1,000,000, M
207       1,048,576, GD 1,000,000,000, G 1,073,741,824, and so on for T, P, E, Z,
208       Y.
209

KEYWORDS

211       Each KEYWORD may be:
212
213       ascii  From EBCDIC to ASCII.
214
215       ebcdic From ASCII to EBCDIC.
216
217       ibm    From ASCII to alternated EBCDIC.
218
219       block  Pad newline-terminated records with spaces to cbs-size.
220
221       unblock
222              Replace trailing spaces in cbs-size records with newline.
223
224       lcase  Change upper case to lower case.
225
226       notrunc
227              Do not truncate the output file.
228
229       ucase  Change lower case to upper case.
230
231       swab   Swap every pair of input bytes.
232
233       noerror
234              Continue after read errors.
235
236       sync   Pad  every  input  block  with  NULs to ibs-size. When used with
237              block or unblock, pad with spaces rather than NULs.
238

FORMAT

240       The structure of FORMAT may contain any valid text  and  special  vari‐
241       ables.   The  built-in  variables  are  the  following  format:  #vari‐
242       able_name#. To pass FORMAT strings to the program from a command  line,
243       it may be
244
245       necessary to surround your FORMAT strings with "quotes."
246              The built-in variables are listed below:
247
248       window_start
249              The beginning byte offset of the hashwindow.
250
251       window_end
252              The ending byte offset of the hashwindow.
253
254       block_start
255              The beginning block (by input blocksize) of the window.
256
257       block_end
258              The ending block (by input blocksize) of the hash window.
259
260       hash   The hash value.
261
262       algorithm
263              The name of the hash algorithm.
264
265       For example, the default FORMAT for hashformat and totalhashformat are:
266
267           hashformat="#window_start# - #window_end#: #hash#" totalhashformat="Total (#algorithm#): #hash#"
268
269       The FORMAT structure accepts the following escape codes:
270
271       \n     Newline
272
273       \t     Tab
274
275       \r     Carriage return
276
277       \      Insert the '\' character
278
279       ##     Insert the '#' character as text, not a variable
280

EXAMPLES

282       Each following line will create a 100 MiB file containing zeros:
283
284           $ dcfldd if=/dev/zero of=test bs=1M count=100
285           $ dcfldd if=/dev/zero of=test bs=100M count=1
286           $ dcfldd if=/dev/zero of=test bs=50M count=2
287           $ dcfldd if=/dev/zero of=test limit=100M
288
289       To create a copy (forensics image) from a disk called /dev/sdb inside a
290       file, using input/output blocks of 4096 bytes (4 KiB) instead of 32 KiB
291       (default):
292
293           $ dcfldd if=/dev/sdb bs=4096 of=sdb.img
294
295       As  the  last  example, plus calculating MD5 and SHA256 hashes, putting
296       the results inside sdb.md5 and sdb.sha256. It is very useful for foren‐
297       sics  works because the hashes will be processed in real time, avoiding
298       a waste of time to make something as 'dd + md5 +  sha256'.  Considering
299       that  I/O  disk  is  very slow and RAM is very fast, the hashes will be
300       calculated, bit per bit in memory, when the next portion of the disk is
301       read. When all disk was read, all hashes are now ready.
302
303           $ dcfldd if=/dev/sdb bs=4096 hash=md5,sha256 md5log=sdb.md5 sha256log=sdb.sha256 of=sdb.img
304
305       To validate the image file against the original source:
306
307           $ dcfldd if=/dev/sdb vf=sdb.img
308
309       Splitting  the  image in 500 MiB slices, using the default bs value (32
310       KiB). Note that split= must be put before of= to work:
311
312           $ dcfldd if=/dev/sdb split=500M of=sdb.img
313
314       At the last example, using from a0000 up to z9999 as  suffix  for  each
315       split file:
316
317           $ dcfldd if=/dev/sdb split=500M splitformat=annnn of=sdb.img
318
319       Now,  dcfldd  will  work  byte  per byte (bs=1) and will hop 1056087439
320       bytes. After this, dcfldd will collect 200000 bytes and write  the  re‐
321       sults to a file called airplane.jpg.
322
323           $ dcfldd if=/dev/sda3 bs=1 skip=1056087439 count=200000 of=airplane.jpg
324
325       In  the  last  example, the same result could be obtained using "limit"
326       instead of "count". The main difference is that  count  uses  200000*bs
327       and limit uses 200000 bytes (regardless of the value declared in bs op‐
328       tion):
329
330           $ dcfldd if=/dev/sda3 bs=1 skip=1056087439 limit=200000 of=airplane.jpg
331
332       To write something inside a file, you can use seek. Suppose you want to
333       write  a  message  from  a file called message.txt inside a file called
334       target.iso, hopping 200000 bytes from start of file:
335
336           $ dcfldd if=message.txt bs=1 seek=200000 of=target.iso
337
338       dcfldd also can send a result to be processed by an external command:
339
340           $ dcfldd if=text.txt  of:="cat | sort -u"
341
342       To convert a file from ASCII to EBCDIC:
343
344           $ dcfldd if=text.asc conv=ebcdic of=text.ebcdic
345
346       To convert a file from EBCDIC to ASCII:
347
348           $ dcfldd if=text.ebcdic conv=ascii of=text.asc
349
350

SEE ALSO

352       dd(1)
353

REPORTING BUGS

355       Report     bugs     at     https://github.com/resurrecting-open-source-
356       projects/dcfldd/issues
357

AUTHORS

359       dcfldd  was  originally written by Nicholas Harbour. Currently is main‐
360       tained by some volunteers.
361
362       GNU dd was written by Paul Rubin, David MacKenzie and Stuart Kemp.
363
364       This manpage was written by dd authors, Nicholas Harbour, Joao Eriberto
365       Mota Filho and others.
366
367
368
369dcfldd-1.9                        08 Feb 2023                        dcfldd(1)
Impressum