This is an alternative approach for dd to create a disk image file for further forensic analysis.
dcfldd is a modified version of GNU originally created by Nicholas Harbour from the DoD
Computer Forensics Laboratory (DCFL). It supports hashing, fast disk wiping (through patterns)
and status output
This command will do the same like in the last exercise, but will also automatically create a md5 hash file
dcfldd if=/dev/sdc hash=md5,sha256 md5log=md5.log sha256log=sha.log
If we compare the md5 sum with the evidence.img file from the last exercise, I’ll get the same value
There are some other cool stuff we can do, like splitting the disk image file into different parts
dcfldd if=/dev/sdc hash=md5,sha256 md5log=md5.log split=64M splitformat=000 sha256log=sha.log of=evidence_3.img
As we can see, this give us 4 parts of a 256MB disk file.
This approach can help while imaging a large evidence disk. The smaller parts of the image can be then sent over the internet or carried on relatively smaller portable storage device
If we choose that option, the analyst needs to know how he can set the splittet parts together. Let’s use the following command
cat evidence_3.img.0* > evidence4.img
As we can see, the checksum is still the same 😎