Week-2 Lab - Data Acquisition and Duplication
(Extra) Part-3: Acquiring a Forensic Image with dd and dcfldd (Linux)
Goals
- Deploy and run a Linux virtual machine for forensic imaging.
- Identify the correct source device safely.
- Acquire a bit-for-bit image using dd and dcfldd.
- Capture basic metadata and maintain forensic integrity.
- More information about dd can be found here.
Deploy Your Linux VM
Before we begin, ensure you have a working Linux Virtual Machine.
You may use Ubuntu, Kali Linux, Debian, or any distribution of your choice.
- Open your virtualisation software (VirtualBox, VMware, or Parallels).
- Create or start a Linux VM (you can reuse the one from previous labs).
- Ensure the VM has:
- sudo privileges (you can use the root account or sudo).
- Access to a USB drive or secondary virtual disk to act as the suspect device.
- Once the VM is running, open a Terminal window - we will perform all commands from there.
You can also use a pre-deployed VM image you have.
Step 1 - Identify the Source Device
- Open a terminal.
- List disks to find the suspect device path (e.g., /dev/sdb).
sudo lsblk -o NAME,MODEL,SIZE,TYPE,MOUNTPOINT
sudo fdisk -l
Record the model, size, and device node (the whole-disk node, e.g. /dev/sdb, not a partition such as /dev/sdb1).
Double-check you're not imaging your system disk (typically /dev/sda or /dev/nvme0n1): it is the disk whose partitions show / and /boot in the MOUNTPOINT column.
Step 2 - Set Device Read-Only (if needed)
If you don't have a hardware write-blocker, set the device read-only at the block layer (demo only: a software flag is not a substitute for a hardware write-blocker, and it is lost as soon as the device is re-plugged or the VM is rebooted). First check the MOUNTPOINT column from Step 1 and unmount any partition the desktop auto-mounted, then:
sudo blockdev --setro /dev/sdb
sudo blockdev --getro /dev/sdb # should output 1
To be safe, repeat the same two commands for each partition node (e.g. /dev/sdb1), since partitions carry their own read-only flag.
Step 3 - Acquire the Forensic Image
Use dd to create a raw bit-for-bit image.
sudo dd if=/dev/sdb of=usb_image.dd bs=4M conv=noerror,sync status=progress
sync
if= → input file (your evidence drive)
of= → output file (your forensic image)
bs=4M → read/write block size
conv=noerror,sync → continue past read errors and pad each unreadable block with zeros, so every byte of the image stays at the same offset as on the drive
Note that sync also pads the final short block up to 4M, so the image can be slightly larger than the drive; when you hash it for comparison, hash only the first blockdev --getsize64 /dev/sdb bytes, or use bs=512 so no padding occurs on an error-free read.
The status=progress output shows bytes copied, elapsed time and throughput; dd does not know the device size, so it shows no percentage.
Step 4 - Record Metadata
Document your image details.
stat usb_image.dd
file usb_image.dd
Optionally, check partition information inside the image:
fdisk -l usb_image.dd
Step 5 - Quick Read-Only Mount
Mount the image to verify the acquisition succeeded. losetup -f picks the first free loop device, so capture the name it prints (--show) rather than assuming /dev/loop0; -r attaches it read-only and -P asks the kernel to scan the partition table so /dev/loopNp1 appears.
LOOP=$(sudo losetup -fP -r --show usb_image.dd)
lsblk "$LOOP"
sudo mkdir -p /mnt/usb_img
sudo mount -o ro "${LOOP}p1" /mnt/usb_img
ls /mnt/usb_img
If the partition holds ext3/ext4 with an unclean journal, the read-only mount will refuse to replay it; add noload (-o ro,noload) to mount without touching the journal.
Unmount and detach when finished:
sudo umount /mnt/usb_img
sudo losetup -d "$LOOP"
In digital forensics, imaging is about integrity and traceability - not just copying data.
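The five steps above leave one gap: plain dd computes no hash, so integrity has to be established separately. The script below is an added example (not part of the lab handout) that wraps the acquisition and the verification in two shell functions, assuming GNU coreutils (dd, sha256sum, head, wc) and that the source is either a block device or, for a dry run without hardware, a regular file standing in for /dev/sdb. It also shows the conv=sync padding pitfall: the image comes out padded to a 4M boundary, so the hashes only match once you stop at the source size. The file name fake_usb and the log format are the example's own choices.

```bash
#!/bin/bash
# Added example (not the lab's own code): dd acquisition plus hash verification.
# Assumes GNU coreutils. SRC may be a block device (/dev/sdb) or, for a dry
# run, a regular file standing in for the suspect drive.

# SHA-256 of a file or device; prints only the hex digest.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Size in bytes: blockdev for block devices, wc -c for regular files.
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Acquire SRC into IMG with the lab's options. conv=sync pads the final short
# block up to bs, so IMG may be larger than SRC; verify() accounts for that.
# (status=progress is omitted here only to keep the dry run quiet.)
acquire() {
    local src=$1 img=$2
    dd if="$src" of="$img" bs=4M conv=noerror,sync 2>/dev/null
    sync
}

# Compare the hash of SRC with the hash of the first size_of(SRC) bytes of IMG,
# append both to LOG with a timestamp, and return 0 on match, 1 on mismatch.
verify() {
    local src=$1 img=$2 log=$3
    local n src_hash img_hash
    n=$(size_of "$src")
    src_hash=$(sha256_of "$src")
    img_hash=$(head -c "$n" "$img" | sha256sum | cut -d' ' -f1)
    {
        echo "source=$src size=$n sha256=$src_hash"
        echo "image=$img verified_bytes=$n sha256=$img_hash"
        echo "acquired=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Constructed dry run: a 100000-byte random file plays the role of /dev/sdb.
demo() {
    local dir
    dir=$(mktemp -d)
    head -c 100000 /dev/urandom > "$dir/fake_usb"
    acquire "$dir/fake_usb" "$dir/usb_image.dd"
    if verify "$dir/fake_usb" "$dir/usb_image.dd" "$dir/acquisition.log"; then
        echo "VERIFIED: image matches source over $(size_of "$dir/fake_usb") bytes"
    else
        echo "MISMATCH: see $dir/acquisition.log"
    fi
    # The image itself is 4194304 bytes: conv=sync padded the last block to 4M.
    echo "image bytes on disk: $(size_of "$dir/usb_image.dd")"
    cat "$dir/acquisition.log"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as bash acquire.sh demo for the dry run; against real hardware call acquire /dev/sdb usb_image.dd and then verify /dev/sdb usb_image.dd acquisition.log under sudo, after Step 2. Keep the log with the image: the hash of the source, the number of bytes verified and the time of acquisition are exactly what a chain-of-custody record needs.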
Introduction to dcfldd
dcfldd is a forensic-enhanced version of the Linux dd command, developed by the U.S. Department of Defense Computer Forensics Lab (DCFL).
It performs bit-for-bit imaging like dd but adds forensic features such as real-time hashing, logging, and automatic verification.
Why Use dcfldd?
dcfldd improves forensic reliability by adding:
| Feature | Description |
|---|---|
| hash= | Calculate MD5, SHA-1, SHA-256, etc., while imaging. |
| hashlog= | Save the hash results to a log file for later validation. |
| hashwindow= | Hash the data in fixed-size chunks as well as overall (e.g., every 1 GB). |
| statusinterval= | Show progress updates periodically. |
| vf= | Verify that the named file matches the input (read-back verification). |
Example - Forensic Imaging with Hashing
sudo dcfldd if=/dev/sdb of=evidence.dd bs=4M conv=noerror,sync hash=sha256 hashlog=evidence_hash.txt statusinterval=30
Explanation:
if=/dev/sdb → input (suspect drive)
of=evidence.dd → output forensic image
hash=sha256 → compute SHA-256 over the data while imaging
hashlog= → write the hash to a log file
statusinterval=30 → update progress every 30 seconds
After it finishes, hash the image file independently with sha256sum and compare the result against the value in evidence_hash.txt before recording either.
Example - Verify Image After Acquisition
sudo dcfldd if=/dev/sdb vf=evidence.dd hash=sha256 hashlog=verify_log.txt
vf= takes the path of the file to check, not yes/no: dcfldd reads the drive again and reports whether evidence.dd matches it byte for byte. Do not pass of=evidence.dd on this command line, or you will overwrite the image you are trying to verify.
dcfldd is preferred in forensic imaging because it ensures integrity, transparency, and efficiency, all within a single acquisition step.
Best,
Ali.