1dcfldd(1) enhanced version of dd for forensics and security dcfldd(1)
2
6 dcfldd - enhanced version of dd for forensics and security
7
9 dcfldd [OPTION]...
10
13 Copy a file, converting and formatting according to the options.
14 dcfldd was initially developed at Department of Defense Computer Foren‐
16 sics Lab (DCFL). This tool is based on the dd program with the follow‐
17 ing additional features:
18 • Hashing on-the-fly: dcfldd can hash the input data as it is being
20 transferred, helping to ensure data integrity.
21 • Status output: dcfldd can update the user of its progress in terms
23 of the amount of data transferred and how much longer operation will
24 take.
25 • Flexible disk wipes: dcfldd can be used to wipe disks quickly and
27 with a known pattern if desired.
28 • Image/wipe verify: dcfldd can verify that a target drive is a bit-
30 for-bit match of the specified input file or pattern.
31 • Multiple outputs: dcfldd can output to multiple files or disks at
33 the same time.
34 • Split output: dcfldd can split output to multiple files with more
36 configurability than the split command.
37 • Piped output and logs: dcfldd can send all its log data and output
39 to commands as well as files natively.
40 • When dd uses a default block size (bs, ibs, obs) of 512 bytes,
42 dcfldd uses 32768 bytes (32 KiB) which is HUGELY more efficient.
43 • The following options are present in dcfldd but not in dd: ALGO‐
45 RITHMlog:, errlog, hash, hashconv, hashformat, hashlog, hashlog:,
46 hashwindow, limit, of:, pattern, sizeprobe, split, splitformat, sta‐
47 tusinterval, textpattern, totalhashformat, verifylog, verifylog:,
48 vf.
49 dcfldd supports the following letters to specify amount of data: k for
51 kilo, M for Mega, G for Giga, T for Tera, P for Peta, E for Exa, Z for
52 Zetta and Y for Yotta. E.g. 10M is equal to 10 MiB. See the BLOCKS AND
53 BYTES section to get other possibilities.
54
56 bs=BYTES
57 Force ibs=BYTES and obs=BYTES. Default value is 32768 (32KiB).
58 See BLOCKS AND BYTES section. Warning: the block size will be
59 created in RAM. Make sure you have sufficient amount of free
60 memory.
61 cbs=BYTES
63 Convert BYTES bytes at a time. (see BLOCKS AND BYTES section)
64 conv=KEYWORDS
66 Convert the file as per the comma separated keyword list.
67 count=BLOCKS
69 Copy only BLOCKS input blocks. (see BLOCKS AND BYTES section)
70 limit=BYTES
72 Similar to count but using BYTES instead of BLOCKS. (see BLOCKS
73 AND BYTES section)
74 ibs=BYTES
76 Read BYTES bytes at a time. (see BLOCKS AND BYTES section)
77 if=FILE
79 Read from FILE instead of stdin. (see BLOCKS AND BYTES section)
80 obs=BYTES
82 Write BYTES bytes at a time. (see BLOCKS AND BYTES section)
83 of=FILE
85 Write to FILE instead of stdout. NOTE: of=FILE may be used sev‐
86 eral times to write output to multiple files simultaneously.
87 of:=COMMAND
89 Exec and write output to process COMMAND.
90 seek=BLOCKS
92 Skip BLOCKS obs-sized blocks at start of output. (see BLOCKS AND
93 BYTES section)
94 skip=BLOCKS
96 Skip BLOCKS ibs-sized blocks at start of input. (see BLOCKS AND
97 BYTES section)
98 pattern=HEX
100 Use the specified binary pattern as input. You can use a byte
101 only.
102 textpattern=TEXT
104 Use repeating TEXT as input. You can use a character only.
105 errlog=FILE
107 Send error messages to FILE as well as stderr.
108 hash=NAME
110 Do hash calculation in parallel with the disk reading. Either
111 md5, sha1, sha256, sha384 or sha512 can be used. Default algo‐
112 rithm is md5. To select multiple algorithms to run simultane‐
113 ously enter the names in a comma separated list.
114 hashlog=FILE
116 Send hash output to FILE instead of stderr. If you are using
117 multiple hash algorithms you can send each to a separate file
118 using the convention ALGORITHMlog=FILE, for example
119 md5log=FILE1, sha1log=FILE2, etc.
120 hashwindow=BYTES
122 Perform a hash on every BYTES amount of data. The partial re‐
123 sults will be shown in screen. The default hash is md5 but you
124 can use hash= option to choose other.
125 hashlog:=COMMAND
127 Exec and write hashlog to process COMMAND.
128 ALGORITHMlog:=COMMAND
130 Also works in the same fashion of hashlog:=COMMAND.
131 hashconv=[before|after]
133 Perform the hashing before or after the conversions.
134 hashformat=FORMAT
136 Display each hashwindow according to FORMAT the hash format
137 mini-language is described below.
138 totalhashformat=FORMAT
140 Display the total hash value according to FORMAT the hash format
141 mini-language is described below.
142 status=[on|off]
144 Display a continual status message on stderr. Default state is
145 "on".
146 statusinterval=N
148 Update the status message every N blocks. Default value is 256.
149 sizeprobe=[if|of|BYTES]
151 Determine the size of the input or output file or an amount of
152 BYTES for use with status messages. This option gives you a per‐
153 centage indicator around the sizeprobe value. WARNING: do not
154 use this option against a tape device. (see BLOCKS AND BYTES
155 section)
156 split=BYTES
158 Write every BYTES amount of data to a new file. This operation
159 applies to any of=FILE that follows (split= must be put before
160 of=). (see BLOCKS AND BYTES section)
161 splitformat=[TEXT|MAC|WIN]
163 The file extension format for split operation. You may use "a"
164 for letters and "n" for numbers. If you use annn, an extension
165 started as a000 will be appended; the last possible extension
166 for this format will be z999. splitformat=an will provide a0,
167 a1, a2, a3, a4, a5, a6, a7, a8, a9, b0, b1, b2, b3... If nothing
168 is specified the default format is "nnn". NOTE: the split and
169 splitformat options take effect only for output files (option
170 of=) specified AFTER these options appear in the command line
171 (e.g. split=50M splitformat=annn of=/tmp/test.iso). Likewise,
172 you may specify it several times for different output files
173 within the same command line. You may use as many digits in any
174 combination you would like. E.g. "anaannnaana" would be valid,
175 but a quite insane (see BLOCKS AND BYTES section). Other possi‐
176 ble approach is MAC. If "MAC" is used, a suffix dmg and several
177 dmgpart will be appended. In other words, it will generate a
178 partial disk image file, used by the Mac OS X operating system.
179 dmgpart files are usually provided with a corresponding dmg
180 file, which is the master file for the split archive. If dmg is
181 opened in Mac OS X, all dmgpart will be read too. The last op‐
182 tion is WIN, which will automatically output file naming of
183 foo.001, foo.002, ..., foo.999, foo.1000, ....
184 vf=FILE
186 Verify that FILE matches the specified input.
187 verifylog=FILE
189 Send verify results to FILE instead of stderr.
190 verifylog:=COMMAND
192 Exec and write verify results to process COMMAND.
193 diffwr=[on|off]
195 Only write to output if destination block content differs. This
196 operation applies to any of=FILE that follows (diffwr= must be
197 put before any of=).
198 --help Display a help page and exit.
200 --version
202 Output version information and exit.
203
205 BLOCKS and BYTES may be followed by the following multiplicative suf‐
206 fixes: xM M, c 1, w 2, b 512, kD 1000, k 1024, MD 1,000,000, M
207 1,048,576, GD 1,000,000,000, G 1,073,741,824, and so on for T, P, E, Z,
208 Y.
209
211 Each KEYWORD may be:
212 ascii From EBCDIC to ASCII.
214 ebcdic From ASCII to EBCDIC.
216 ibm From ASCII to alternated EBCDIC.
218 block Pad newline-terminated records with spaces to cbs-size.
220 unblock
222 Replace trailing spaces in cbs-size records with newline.
223 lcase Change upper case to lower case.
225 notrunc
227 Do not truncate the output file.
228 ucase Change lower case to upper case.
230 swab Swap every pair of input bytes.
232 noerror
234 Continue after read errors.
235 sync Pad every input block with NULs to ibs-size. When used with
237 block or unblock, pad with spaces rather than NULs.
238
240 The structure of FORMAT may contain any valid text and special vari‐
241 ables. The built-in variables are the following format: #vari‐
242 able_name#. To pass FORMAT strings to the program from a command line,
243 it may be
244 necessary to surround your FORMAT strings with "quotes."
246 The built-in variables are listed below:
247 window_start
249 The beginning byte offset of the hashwindow.
250 window_end
252 The ending byte offset of the hashwindow.
253 block_start
255 The beginning block (by input blocksize) of the window.
256 block_end
258 The ending block (by input blocksize) of the hash window.
259 hash The hash value.
261 algorithm
263 The name of the hash algorithm.
264 For example, the default FORMAT for hashformat and totalhashformat are:
266 hashformat="#window_start# - #window_end#: #hash#" totalhashformat="Total (#algorithm#): #hash#"
268 The FORMAT structure accepts the following escape codes:
270 \n Newline
272 \t Tab
274 \r Carriage return
276 \ Insert the '\' character
278 ## Insert the '#' character as text, not a variable
280
282 Each following line will create a 100 MiB file containing zeros:
283 $ dcfldd if=/dev/zero of=test bs=1M count=100
285 $ dcfldd if=/dev/zero of=test bs=100M count=1
286 $ dcfldd if=/dev/zero of=test bs=50M count=2
287 $ dcfldd if=/dev/zero of=test limit=100M
288 To create a copy (forensics image) from a disk called /dev/sdb inside a
290 file, using input/output blocks of 4096 bytes (4 KiB) instead of 32 KiB
291 (default):
292 $ dcfldd if=/dev/sdb bs=4096 of=sdb.img
294 As the last example, plus calculating MD5 and SHA256 hashes, putting
296 the results inside sdb.md5 and sdb.sha256. It is very useful for foren‐
297 sics works because the hashes will be processed in real time, avoiding
298 a waste of time to make something as 'dd + md5 + sha256'. Considering
299 that I/O disk is very slow and RAM is very fast, the hashes will be
300 calculated, bit per bit in memory, when the next portion of the disk is
301 read. When all disk was read, all hashes are now ready.
302 $ dcfldd if=/dev/sdb bs=4096 hash=md5,sha256 md5log=sdb.md5 sha256log=sdb.sha256 of=sdb.img
304 To validate the image file against the original source:
306 $ dcfldd if=/dev/sdb vf=sdb.img
308 Splitting the image in 500 MiB slices, using the default bs value (32
310 KiB). Note that split= must be put before of= to work:
311 $ dcfldd if=/dev/sdb split=500M of=sdb.img
313 At the last example, using from a0000 up to z9999 as suffix for each
315 split file:
316 $ dcfldd if=/dev/sdb split=500M splitformat=annnn of=sdb.img
318 Now, dcfldd will work byte per byte (bs=1) and will hop 1056087439
320 bytes. After this, dcfldd will collect 200000 bytes and write the re‐
321 sults to a file called airplane.jpg.
322 $ dcfldd if=/dev/sda3 bs=1 skip=1056087439 count=200000 of=airplane.jpg
324 In the last example, the same result could be obtained using "limit"
326 instead of "count". The main difference is that count uses 200000*bs
327 and limit uses 200000 bytes (regardless of the value declared in bs op‐
328 tion):
329 $ dcfldd if=/dev/sda3 bs=1 skip=1056087439 limit=200000 of=airplane.jpg
331 To write something inside a file, you can use seek. Suppose you want to
333 write a message from a file called message.txt inside a file called
334 target.iso, hopping 200000 bytes from start of file:
335 $ dcfldd if=message.txt bs=1 seek=200000 of=target.iso
337 dcfldd also can send a result to be processed by an external command:
339 $ dcfldd if=text.txt of:="cat | sort -u"
341 To convert a file from ASCII to EBCDIC:
343 $ dcfldd if=text.asc conv=ebcdic of=text.ebcdic
345 To convert a file from EBCDIC to ASCII:
347 $ dcfldd if=text.ebcdic conv=ascii of=text.asc
349
352 dd(1)
353
355 Report bugs at https://github.com/resurrecting-open-source-
356 projects/dcfldd/issues
357
359 dcfldd was originally written by Nicholas Harbour. Currently is main‐
360 tained by some volunteers.
361 GNU dd was written by Paul Rubin, David MacKenzie and Stuart Kemp.
363 This manpage was written by dd authors, Nicholas Harbour, Joao Eriberto
365 Mota Filho and others.
366dcfldd-1.9 08 Feb 2023 dcfldd(1)