# Acquiring Disk Image with dd and dcfldd

## When to Use

- When you need to create a forensic copy of a suspect drive for investigation
- During incident response when preserving volatile disk evidence before analysis
- When law enforcement or legal proceedings require a verified bit-for-bit copy
- Before performing any destructive analysis on a storage device
- When acquiring images from physical drives, USB devices, or memory cards

## Prerequisites

- Linux-based forensic workstation (SIFT, Kali, or any Linux distro)
- `dd` (pre-installed on all Linux systems) or `dcfldd` (enhanced forensic version)
- Write-blocker hardware or software write-blocking configured
- Destination drive with sufficient storage (larger than source)
- Root/sudo privileges on the forensic workstation
- SHA-256 or MD5 hashing utilities (`sha256sum`, `md5sum`)

## Workflow

### Step 1: Identify the Target Device and Enable Write Protection

```bash
# List all connected block devices to identify the target
lsblk -o NAME,SIZE,TYPE,MOUNTPOINT,MODEL

# Verify the device details
fdisk -l /dev/sdb

# Enable software write-blocking (if no hardware blocker)
blockdev --setro /dev/sdb

# Verify read-only status
blockdev --getro /dev/sdb
# Output: 1 (means read-only is enabled)

# Alternatively, use a udev rule for persistent write-blocking of this drive.
# The sysfs "ro" attribute cannot be set from a rule, so the rule runs
# blockdev --setro instead (%k expands to the kernel device name, e.g. sdb).
echo 'ACTION=="add", SUBSYSTEM=="block", ATTRS{serial}=="WD-WCAV5H861234", RUN+="/sbin/blockdev --setro /dev/%k"' \
    > /etc/udev/rules.d/99-writeblock.rules
udevadm control --reload-rules
```

### Step 2: Prepare the Destination and Document the Source

```bash
# Create case directory structure
mkdir -p /cases/case-2024-001/{images,hashes,logs,notes}

# Document source drive information
hdparm -I /dev/sdb > /cases/case-2024-001/notes/source_drive_info.txt

# Record the serial number and model
smartctl -i /dev/sdb >> /cases/case-2024-001/notes/source_drive_info.txt

# Pre-hash the source device
sha256sum /dev/sdb | tee /cases/case-2024-001/hashes/source_hash_before.txt
```

### Step 3: Acquire the Image Using dd

```bash
# Basic dd acquisition with progress and error handling
dd if=/dev/sdb of=/cases/case-2024-001/images/evidence.dd \
    bs=4096 \
    conv=noerror,sync \
    status=progress 2>&1 | tee /cases/case-2024-001/logs/dd_acquisition.log

# For compressed images to save space
dd if=/dev/sdb bs=4096 conv=noerror,sync status=progress | \
    gzip -c > /cases/case-2024-001/images/evidence.dd.gz

# Using dd with a specific count for partial acquisition (first 1 GB)
dd if=/dev/sdb of=/cases/case-2024-001/images/first_1gb.dd \
    bs=1M count=1024 status=progress
```

### Step 4: Acquire Using dcfldd (Preferred Forensic Method)

```bash
# Install dcfldd if not present
apt-get install dcfldd

# Acquire image with built-in hashing (per 1 GB window plus overall) and error logging
dcfldd if=/dev/sdb \
    of=/cases/case-2024-001/images/evidence.dd \
    hash=sha256,md5 \
    hashwindow=1G \
    hashlog=/cases/case-2024-001/hashes/acquisition_hashes.txt \
    bs=4096 \
    conv=noerror,sync \
    errlog=/cases/case-2024-001/logs/dcfldd_errors.log

# Split large images into manageable segments (evidence.dd.aa, evidence.dd.ab, ...)
dcfldd if=/dev/sdb \
    of=/cases/case-2024-001/images/evidence.dd \
    hash=sha256 \
    hashlog=/cases/case-2024-001/hashes/split_hashes.txt \
    bs=4096 \
    split=2G \
    splitformat=aa

# Acquire, then run a verification pass as a second command: vf= re-reads the
# source and compares it against the finished image, so it must not point at
# the file that is still being written
dcfldd if=/dev/sdb \
    of=/cases/case-2024-001/images/evidence.dd \
    hash=sha256 \
    hashlog=/cases/case-2024-001/hashes/verification.txt
dcfldd if=/dev/sdb \
    vf=/cases/case-2024-001/images/evidence.dd \
    verifylog=/cases/case-2024-001/logs/verify.log
```

### Step 5: Verify Image Integrity

```bash
# Hash the acquired image
sha256sum /cases/case-2024-001/images/evidence.dd | \
    tee /cases/case-2024-001/hashes/image_hash.txt

# Compare source and image hashes (no output from diff means they match)
diff <(sha256sum /dev/sdb | awk '{print $1}') \
     <(sha256sum /cases/case-2024-001/images/evidence.dd | awk '{print $1}')

# If using split images, verify each segment
sha256sum /cases/case-2024-001/images/evidence.dd.* | \
    tee /cases/case-2024-001/hashes/split_image_hashes.txt

# Re-hash source to confirm no changes occurred
sha256sum /dev/sdb | tee /cases/case-2024-001/hashes/source_hash_after.txt
diff /cases/case-2024-001/hashes/source_hash_before.txt \
     /cases/case-2024-001/hashes/source_hash_after.txt
```

### Step 6: Document the Acquisition Process

```bash
# Generate acquisition report. EOF is left unquoted so that $(date ...) expands;
# the bracketed fields are filled in by the examiner from the files gathered above.
cat << EOF > /cases/case-2024-001/notes/acquisition_report.txt
DISK IMAGE ACQUISITION REPORT

Case Number: 2024-001
Date/Time: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
Examiner: [Name]

Source Device: /dev/sdb
Model: [from hdparm output]
Serial: [from hdparm output]
Size: [from fdisk output]

Acquisition Tool: dcfldd v1.9.1
Block Size: 4096
Write Blocker: [Hardware/Software model]

Image File: evidence.dd
Image Hash (SHA-256): [from hash file]
Source Hash (SHA-256): [from hash file]
Hash Match: YES/NO

Errors During Acquisition: [from error log]
EOF

# Compress logs for archival
tar -czf /cases/case-2024-001/acquisition_package.tar.gz \
    /cases/case-2024-001/hashes/ \
    /cases/case-2024-001/logs/ \
    /cases/case-2024-001/notes/
```
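The acquire-then-verify loop of Steps 3 and 5, as an added example that is not part of the original page: it images a constructed sample file (standing in for `/dev/sdb`) with the same `dd` options, writes the digests of both ends into a hash directory and compares them. It also shows the `conv=sync` caveat a practitioner should expect: when the source length is not a multiple of `bs`, the last block is zero-padded, the image is larger than the source, and the hashes legitimately differ. The function names and the sample file are assumptions of this example.

```bash
#!/bin/sh
# Added example, not the page's own code. Uses a regular file as a stand-in
# for the evidence device so it runs offline; the dd options are the page's.

# Hex SHA-256 digest of one file; falls back to shasum where sha256sum is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Build a constructed "evidence device": $2 random bytes written to path $1.
make_sample_source() {
    head -c "$2" /dev/urandom > "$1"
}

# Size of a file in bytes (used to show the conv=sync padding effect).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Image $1 into $2 with the page's dd options and record both digests under $3.
# Returns 0 when source and image digests match, 1 when they differ.
acquire_and_verify() {
    src=$1; img=$2; hashdir=$3
    mkdir -p "$hashdir"
    # noerror: keep going past read errors; sync: pad short reads to a full 4096-byte block.
    # dd's own record counts go to dd.log, mirroring the page's acquisition log.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>"$hashdir/dd.log"
    sha256_of "$src" > "$hashdir/source.sha256"
    sha256_of "$img" > "$hashdir/image.sha256"
    if cmp -s "$hashdir/source.sha256" "$hashdir/image.sha256"; then
        echo "PASSED - hashes match"
        return 0
    fi
    echo "FAILED - source and image differ (compare sizes and $hashdir/dd.log)"
    return 1
}
```

A whole physical disk is always a multiple of 4096 bytes in practice, so the mismatch case only appears when imaging a partition or file whose length is not block-aligned, or when `noerror` actually skipped unreadable sectors.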

## Key Concepts

| Concept | Description |
|---|---|
| Bit-for-bit copy | Exact replica of source including unallocated space and slack space |
| Write blocker | Hardware or software mechanism preventing writes to evidence media |
| Hash verification | Cryptographic hash comparing source and image to prove integrity |
| Block size (bs) | Transfer chunk size affecting speed; 4096 or 64K typical for forensics |
| conv=noerror,sync | Continue on read errors and pad with zeros to maintain offset alignment |
| Chain of custody | Documented trail proving evidence has not been tampered with |
| Split imaging | Breaking large images into smaller files for storage and transport |
| Raw/dd format | Bit-for-bit image format without metadata container overhead |

## Tools & Systems

| Tool | Purpose |
|---|---|
| dd | Standard Unix disk duplication utility for raw imaging |
| dcfldd | DoD Computer Forensics Laboratory enhanced version of dd with hashing |
| dc3dd | Another forensic dd variant from the DoD Cyber Crime Center |
| sha256sum | SHA-256 hash calculation for integrity verification |
| blockdev | Linux command to set block device read-only mode |
| hdparm | Drive identification and parameter reporting |
| smartctl | S.M.A.R.T. data retrieval for drive health and identification |
| lsblk | Block device enumeration and identification |

## Common Scenarios

**Scenario 1: Acquiring a Suspect Laptop Hard Drive.** Connect the drive via a Tableau T35u hardware write-blocker, identify it as `/dev/sdb`, use dcfldd with SHA-256 hashing, split into 4GB segments for DVD archival, verify that the hashes match, and document in the case notes.

**Scenario 2: Imaging a USB Flash Drive from a Compromised Workstation.** Use software write-blocking with `blockdev --setro`, acquire with dcfldd including MD5 and SHA-256 dual hashing (the image is small enough for a single file), verify, and store on the encrypted case drive.

**Scenario 3: Remote Acquisition Over Network.** Use dd piped through netcat or ssh for remote acquisition: `ssh root@remote "dd if=/dev/sda bs=4096" | dd of=remote_image.dd bs=4096`, then hash both ends independently to verify transfer integrity.

**Scenario 4: Acquiring from a Failing Drive.** Use `ddrescue` first to recover readable sectors, then use dd with `conv=noerror,sync` to fill gaps with zeros, and document which sectors were unreadable in the error log.

## Output Format

```text
Acquisition Summary:
  Source:       /dev/sdb (500GB Western Digital WD5000AAKX)
  Destination:  /cases/case-2024-001/images/evidence.dd
  Tool:         dcfldd 1.9.1
  Block Size:   4096 bytes
  Duration:     2h 15m 32s
  Bytes Copied: 500,107,862,016
  Errors:       0 bad sectors
  Source SHA-256:  a3f2b8c9d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1
  Image SHA-256:   a3f2b8c9d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1
  Verification:    PASSED - Hashes match
```