Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
dcfldd(1)      enhanced	version	of dd for forensics and	security     dcfldd(1)

       dcfldd -	enhanced version of dd for forensics and security

       dcfldd [OPTION]...

       Copy a file, converting and formatting according	to the options.

       dcfldd was initially developed at Department of Defense Computer	Foren-
       sics Lab	(DCFL).	This tool is based on the dd program with the  follow-
       ing additional features:

       o  Hashing  on-the-fly:	dcfldd	can hash the input data	as it is being
	  transferred, helping to ensure data integrity.

       o  Status output: dcfldd	can update the user of its progress  in	 terms
	  of the amount	of data	transferred and	how much longer	operation will

       o  Flexible disk	wipes: dcfldd can be used to wipe  disks  quickly  and
	  with a known pattern if desired.

       o  Image/wipe  verify:  dcfldd can verify that a	target drive is	a bit-
	  for-bit match	of the specified input file or pattern.

       o  Multiple outputs: dcfldd can output to multiple files	 or  disks  at
	  the same time.

       o  Split	 output:  dcfldd  can split output to multiple files with more
	  configurability than the split command.

       o  Piped	output and logs: dcfldd	can send all its log data  and	output
	  to commands as well as files natively.

       o  When	dd  uses  a  default  block  size (bs, ibs, obs) of 512	bytes,
	  dcfldd uses 32768 bytes (32 KiB) which is HUGELY more	efficient.

       o  The following	options	are present in dcfldd but  not	in  dd:	 ALGO-
	  RITHMlog:,  errlog,  hash,  hashconv,	hashformat, hashlog, hashlog:,
	  hashwindow, limit, of:, pattern, sizeprobe, split, splitformat, sta-
	  tusinterval,	textpattern,  totalhashformat,	verifylog, verifylog:,

       dcfldd supports the following letters to	specify	amount of data:	k  for
       kilo,  M	for Mega, G for	Giga, T	for Tera, P for	Peta, E	for Exa, Z for
       Zetta and Y for Yotta. E.g. 10M is equal	to 10 MiB. See the BLOCKS  AND
       BYTES section to	get other possibilities.

	      Force  ibs=BYTES	and obs=BYTES. Default value is	32768 (32KiB).
	      See BLOCKS AND BYTES section. Warning: the block	size  will  be
	      created  in  RAM.	 Make  sure you	have sufficient	amount of free

	      Convert BYTES bytes at a time. (see BLOCKS AND BYTES section)

	      Convert the file as per the comma	separated keyword list.

	      Copy only	BLOCKS input blocks. (see BLOCKS AND BYTES section)

	      Similar to count but using BYTES instead of BLOCKS. (see	BLOCKS
	      AND BYTES	section)

	      Read BYTES bytes at a time. (see BLOCKS AND BYTES	section)

	      Read from	FILE instead of	stdin. (see BLOCKS AND BYTES section)

	      Write BYTES bytes	at a time. (see	BLOCKS AND BYTES section)

	      Write  to	FILE instead of	stdout.	NOTE: of=FILE may be used sev-
	      eral times to write output to multiple files simultaneously.

	      Exec and write output to process COMMAND.

	      Skip BLOCKS obs-sized blocks at start of output. (see BLOCKS AND
	      BYTES section)

	      Skip  BLOCKS ibs-sized blocks at start of	input. (see BLOCKS AND
	      BYTES section)

	      Use the specified	binary pattern as input. You can  use  a  byte

	      Use repeating TEXT as input. You can use a character only.

	      Send error messages to FILE as well as stderr.

	      Do  hash	calculation  in	parallel with the disk reading.	Either
	      md5, sha1, sha256, sha384	or sha512 can be used.	Default	 algo-
	      rithm  is	 md5.  To select multiple algorithms to	run simultane-
	      ously enter the names in a comma separated list.

	      Send hash	output to FILE instead of stderr.  If  you  are	 using
	      multiple	hash  algorithms  you can send each to a separate file
	      using   the   convention	  ALGORITHMlog=FILE,	for    example
	      md5log=FILE1, sha1log=FILE2, etc.

	      Perform  a  hash	on every BYTES amount of data. The partial re-
	      sults will be shown in screen. The default hash is md5  but  you
	      can use hash= option to choose other.

	      Exec and write hashlog to	process	COMMAND.

	      Also works in the	same fashion of	hashlog:=COMMAND.

	      Perform the hashing before or after the conversions.

	      Display  each  hashwindow	 according  to	FORMAT the hash	format
	      mini-language is described below.

	      Display the total	hash value according to	FORMAT the hash	format
	      mini-language is described below.

	      Display  a  continual status message on stderr. Default state is

	      Update the status	message	every N	blocks.	Default	value is 256.

	      Determine	the size of the	input or output	file or	an  amount  of
	      BYTES for	use with status	messages. This option gives you	a per-
	      centage indicator	around the sizeprobe value.  WARNING:  do  not
	      use  this	 option	 against  a tape device. (see BLOCKS AND BYTES

	      Write every BYTES	amount of data to a new	file.  This  operation
	      applies  to  any of=FILE that follows (split= must be put	before
	      of=). (see BLOCKS	AND BYTES section)

	      The file extension format	for split operation. You may  use  "a"
	      for  letters  and	"n" for	numbers. If you	use annn, an extension
	      started as a000 will be appended;	the  last  possible  extension
	      for  this	 format	will be	z999.  splitformat=an will provide a0,
	      a1, a2, a3, a4, a5, a6, a7, a8, a9, b0, b1, b2, b3... If nothing
	      is  specified  the  default format is "nnn". NOTE: the split and
	      splitformat options take effect only for	output	files  (option
	      of=)  specified  AFTER  these options appear in the command line
	      (e.g. split=50M splitformat=annn	of=/tmp/test.iso).   Likewise,
	      you  may	specify	 it  several  times for	different output files
	      within the same command line. You	may use	as many	digits in  any
	      combination  you	would like. E.g. "anaannnaana" would be	valid,
	      but a quite insane (see BLOCKS AND BYTES section).  Other	possi-
	      ble  approach is MAC. If "MAC" is	used, a	suffix dmg and several
	      dmgpart will be appended.	In other words,	 it  will  generate  a
	      partial  disk image file,	used by	the Mac	OS X operating system.
	      dmgpart files are	usually	 provided  with	 a  corresponding  dmg
	      file, which is the master	file for the split archive.  If	dmg is
	      opened in	Mac OS X, all dmgpart will be read too.	The  last  op-
	      tion  is	WIN,  which  will  automatically output	file naming of
	      foo.001, foo.002,	..., foo.999, foo.1000,	....

	      Verify that FILE matches the specified input.

	      Send verify results to FILE instead of stderr.

	      Exec and write verify results to process COMMAND.

       --help Display a	help page and exit.

	      Output version information and exit.

       BLOCKS and BYTES	may be followed	by the following  multiplicative  suf-
       fixes:  xM  M,  c  1,  w	 2,  b	512,  kD 1000, k 1024, MD 1,000,000, M
       1,048,576, GD 1,000,000,000, G 1,073,741,824, and so on for T, P, E, Z,

       Each KEYWORD may	be:

       ascii  From EBCDIC to ASCII.

       ebcdic From ASCII to EBCDIC.

       ibm    From ASCII to alternated EBCDIC.

       block  Pad newline-terminated records with spaces to cbs-size.

	      Replace trailing spaces in cbs-size records with newline.

       lcase  Change upper case	to lower case.

	      Do not truncate the output file.

       ucase  Change lower case	to upper case.

       swab   Swap every pair of input bytes.

	      Continue after read errors.

       sync   Pad  every  input	 block	with  NULs to ibs-size.	When used with
	      block or unblock,	pad with spaces	rather than NULs.

       The structure of	FORMAT may contain any valid text  and	special	 vari-
       ables.	The  built-in  variables  are  the  following  format:	#vari-
       able_name#. To pass FORMAT strings to the program from a	command	 line,
       it may be

       necessary to surround your FORMAT strings with "quotes."
	      The built-in variables are listed	below:

	      The beginning byte offset	of the hashwindow.

	      The ending byte offset of	the hashwindow.

	      The beginning block (by input blocksize) of the window.

	      The ending block (by input blocksize) of the hash	window.

       hash   The hash value.

	      The name of the hash algorithm.

       For example, the	default	FORMAT for hashformat and totalhashformat are:

	   hashformat="#window_start# -	#window_end#: #hash#" totalhashformat="Total (#algorithm#): #hash#"

       The FORMAT structure accepts the	following escape codes:

       \n     Newline

       \t     Tab

       \r     Carriage return

       \      Insert the '\' character

       ##     Insert the '#' character as text,	not a variable

       Each following line will	create a 100 MiB file containing zeros:

	   $ dcfldd if=/dev/zero of=test bs=1M count=100
	   $ dcfldd if=/dev/zero of=test bs=100M count=1
	   $ dcfldd if=/dev/zero of=test bs=50M	count=2
	   $ dcfldd if=/dev/zero of=test limit=100M

       To create a copy	(forensics image) from a disk called /dev/sdb inside a
       file, using input/output	blocks of 4096 bytes (4	KiB) instead of	32 KiB

	   $ dcfldd if=/dev/sdb	bs=4096	of=sdb.img

       As  the	last  example, plus calculating	MD5 and	SHA256 hashes, putting
       the results inside sdb.md5 and sdb.sha256. It is	very useful for	foren-
       sics  works because the hashes will be processed	in real	time, avoiding
       a waste of time to make something as 'dd	+ md5 +	 sha256'.  Considering
       that  I/O  disk	is  very slow and RAM is very fast, the	hashes will be
       calculated, bit per bit in memory, when the next	portion	of the disk is
       read. When all disk was read, all hashes	are now	ready.

	   $ dcfldd if=/dev/sdb	bs=4096	hash=md5,sha256	md5log=sdb.md5 sha256log=sdb.sha256 of=sdb.img

       To validate the image file against the original source:

	   $ dcfldd if=/dev/sdb	vf=sdb.img

       Splitting  the  image in	500 MiB	slices,	using the default bs value (32
       KiB). Note that split= must be put before of= to	work:

	   $ dcfldd if=/dev/sdb	split=500M of=sdb.img

       At the last example, using from a0000 up	to z9999 as  suffix  for  each
       split file:

	   $ dcfldd if=/dev/sdb	split=500M splitformat=annnn of=sdb.img

       Now,  dcfldd  will  work	 byte  per byte	(bs=1) and will	hop 1056087439
       bytes. After this, dcfldd will collect 200000 bytes and write  the  re-
       sults to	a file called airplane.jpg.

	   $ dcfldd if=/dev/sda3 bs=1 skip=1056087439 count=200000 of=airplane.jpg

       In  the	last  example, the same	result could be	obtained using "limit"
       instead of "count". The main difference is that	count  uses  200000*bs
       and limit uses 200000 bytes (regardless of the value declared in	bs op-

	   $ dcfldd if=/dev/sda3 bs=1 skip=1056087439 limit=200000 of=airplane.jpg

       To write	something inside a file, you can use seek. Suppose you want to
       write  a	 message  from	a file called message.txt inside a file	called
       target.iso, hopping 200000 bytes	from start of file:

	   $ dcfldd if=message.txt bs=1	seek=200000 of=target.iso

       dcfldd also can send a result to	be processed by	an external command:

	   $ dcfldd if=text.txt	 of:="cat | sort -u"

       To convert a file from ASCII to EBCDIC:

	   $ dcfldd if=text.asc	conv=ebcdic of=text.ebcdic

       To convert a file from EBCDIC to	ASCII:

	   $ dcfldd if=text.ebcdic conv=ascii of=text.asc


       Report	  bugs	   at

       dcfldd  was  originally written by Nicholas Harbour. Currently is main-
       tained by some volunteers.

       GNU dd was written by Paul Rubin, David MacKenzie and Stuart Kemp.

       This manpage was	written	by dd authors, Nicholas	Harbour, Joao Eriberto
       Mota Filho and others.

dcfldd-1.7			  02 Feb 2020			     dcfldd(1)


Want to link to this manual page? Use this URL:

home | help