USING DCFLDD

The United States Department of Defense Computer Forensics Lab developed an enhanced version of dd known as dcfldd. This tool adds several forensics features to dd. One of the most important features is the ability to calculate hashes on the fly. The calculated hashes may be sent to a file, displayed in a terminal (default), or both.

In addition to calculating an overall hash, dcfldd can compute hashes for chunks of data (which it calls windows). As of this writing, dcfldd supports the following hash algorithms: MD5, SHA1, SHA256, SHA384, and SHA512. Multiple hash algorithms may be used simultaneously with hashes written to separate files.

The general format for using dcfldd to create an image with hashes in a separate file is:

    dcfldd if= of= bs= hash=<algorithm> hashwindow= hashlog= conv=noerror,sync

For example, to create an image of the second hard drive on a system with SHA256 hashes calculated every 1GB, the correct command would be:

    dcfldd if=/dev/sdb of=sdb.img bs=8k hash=sha256 hashwindow=1G hashlog=sdb.hashes conv=noerror,sync

If you wanted to calculate both SHA256 and MD5 hashes for some reason, the command would be:

    dcfldd if=/dev/sdb of=sdb.img bs=8k hash=sha256,md5 hashwindow=1G sha256log=sdb.sha256hashes md5log=sdb.md5hashes conv=noerror,sync
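The following is an added example, not part of the original text: a Python check that re-hashes an acquired image window by window against a dcfldd hash log and reports which windows no longer match. The function names are hypothetical, and the log line layout (`start - end: hash` per window, then `Total (algorithm): hash`) is an assumption about the default hashlog format.

```python
import hashlib
import re

# Assumed hashlog line formats (not confirmed by the text above):
#   "0 - 1073741824: <hex>"   per-window hash
#   "Total (sha256): <hex>"   hash of the whole input
WINDOW_RE = re.compile(r"^(\d+) - (\d+): ([0-9a-f]+)$")
TOTAL_RE = re.compile(r"^Total \((\w+)\): ([0-9a-f]+)$")

def parse_hashlog(text):
    """Return ([(start, end, hex)], (algorithm, hex) or None)."""
    windows, total = [], None
    for line in text.splitlines():
        line = line.strip()
        m = WINDOW_RE.match(line)
        if m:
            windows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
            continue
        m = TOTAL_RE.match(line)
        if m:
            total = (m.group(1).lower(), m.group(2))
    return windows, total

def verify_image(image_path, hashlog_text, algorithm="sha256", chunk=1 << 20):
    """Re-hash the image; return (mismatched_windows, total_ok)."""
    windows, total = parse_hashlog(hashlog_text)
    overall = hashlib.new(algorithm)
    bad = []
    with open(image_path, "rb") as f:
        for start, end, expected in windows:
            f.seek(start)
            h = hashlib.new(algorithm)
            remaining = end - start
            while remaining > 0:
                data = f.read(min(chunk, remaining))
                if not data:  # image is shorter than the logged window
                    break
                h.update(data)
                overall.update(data)
                remaining -= len(data)
            if h.hexdigest() != expected:
                bad.append((start, end))
        # Bytes past the last logged window still count toward the total.
        for data in iter(lambda: f.read(chunk), b""):
            overall.update(data)
    total_ok = total is not None and overall.hexdigest() == total[1]
    return bad, total_ok
```

A mismatched window narrows a failed verification to a byte range of the image, which the overall hash alone cannot do.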
