Simple Forensics imaging with dd, dc3dd & dcfldd

Quick guide to create a forensics image of a drive using dd, dc3dd and dcfldd.

dd

Brief description of the tool from wiki:

dd is a command-line utility for Unix and Unix-like operating systems, the primary purpose of which is to convert and copy files.

$ dd if=/dev/sdb1 of=/evidence/image.dd bs=4096 conv=sync,noerror

Command explanation:

if=/dev/sdb1 is the source; in this case it is the partition sdb1

of=/evidence/image.dd is where the output file is saved

bs=4096 is the block size (the default is 512kb)

conv=sync,noerror: noerror makes dd continue after a read error instead of stopping, and sync pads the rest of each short or failed block with null bytes so the block keeps its full size
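The script below is an added example (not from the original post) that runs the dd acquisition above against a constructed sample source and then verifies the image. It goes a step beyond the post to show a caveat that bites when you hash the result: conv=sync pads the final short block with null bytes, so the image can be larger than the source and a whole-file SHA-256 of the image will not match the source unless you hash only the first size(source) bytes. All function and file names are my own; dd, sha256sum, head and wc from coreutils (or BusyBox) are assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes dd, sha256sum, head and
# wc are available (coreutils or BusyBox).

# make_sample_source FILE BYTES
# Constructed stand-in for /dev/sdb1: a regular file of random bytes whose
# size is deliberately not a multiple of the 4096-byte block size.
make_sample_source() {
    head -c "$2" /dev/urandom > "$1"
}

# image_with_dd SRC IMG
# The acquisition command from the post. noerror keeps going past read
# errors; sync pads every short or failed read up to bs with null bytes.
image_with_dd() {
    dd if="$1" of="$2" bs=4096 conv=sync,noerror 2>/dev/null
}

# file_size FILE: size in bytes
file_size() {
    wc -c < "$1" | tr -d ' '
}

# hash_of FILE [BYTES]: SHA-256 of FILE, or of its first BYTES bytes only
hash_of() {
    if [ -n "${2:-}" ]; then
        head -c "$2" "$1" | sha256sum | cut -d' ' -f1
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_image SRC IMG
# Because of conv=sync the image may carry trailing null padding, so compare
# the source hash against the hash of the first size(SRC) bytes of IMG.
# Returns 0 when they match.
verify_image() {
    n=$(file_size "$1")
    [ "$(hash_of "$1")" = "$(hash_of "$2" "$n")" ]
}

# Demo on a constructed 10000-byte source: the image comes out padded to
# 12288 bytes (3 x 4096), the whole-file hashes differ, and the verification
# that ignores the padding still succeeds.
demo_dd_padding() {
    tmp=$(mktemp -d)
    make_sample_source "$tmp/src.bin" 10000
    image_with_dd "$tmp/src.bin" "$tmp/image.dd"
    echo "source size: $(file_size "$tmp/src.bin")"
    echo "image size:  $(file_size "$tmp/image.dd")"
    if verify_image "$tmp/src.bin" "$tmp/image.dd"; then
        echo "image verified (padding ignored)"
    else
        echo "image does NOT match source"
    fi
    rm -rf "$tmp"
}

demo_dd_padding
```

On a real partition the source size is a multiple of 512, not necessarily of 4096, so the same padding appears whenever the sector count is not a multiple of eight; record the source size alongside the hash so the comparison can be repeated later.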

dc3dd

If you are interested in a complete drive acquisition guide, you can also refer to this article: drive acquisition using dc3dd

Brief description from the official website:

A patch to the GNU dd program, this version has several features intended for forensic acquisition of data. Highlights include hashing on-the-fly, split output files, pattern writing, a progress meter, and file verification.

$ dc3dd if=/dev/sdb1 of=/evidence/image.dd bs=4k hash=sha256 hashlog=hash.log log=image.log progress=on

Command explanation:

if=/dev/sdb1 is the source; in this case it is the partition sdb1

of=/evidence/image.dd is where the output file is saved

bs=4k is the block size

hash=sha256 hashes the data on the fly with SHA-256

log=image.log is the output path for the log

hashlog=hash.log save hash output to hash.log instead of stderr

progress=on display a progress meter

dcfldd

Brief description from the official website:

dcfldd is an enhanced version of GNU dd with features useful for forensics and security. Based on the dd program found in the GNU Coreutils package, dcfldd has the following additional features:

  • Hashing on-the-fly – dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
  • Status output – dcfldd can update the user of its progress in terms of the amount of data transferred and how much longer operation will take.
  • Flexible disk wipes – dcfldd can be used to wipe disks quickly and with a known pattern if desired.
  • Image/wipe Verify – dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
  • Multiple outputs – dcfldd can output to multiple files or disks at the same time.
  • Split output – dcfldd can split output to multiple files with more configurability than the split command.
  • Piped output and logs – dcfldd can send all its log data and output to commands as well as files natively.

$ dcfldd if=/dev/sdb1 conv=sync,noerror hash=sha256 hashlog=hash.log of=/evidence/image.dd

Command explanation:

if=/dev/sdb1 is the source; in this case it is the partition sdb1

conv=sync,noerror: noerror makes dcfldd continue after a read error instead of stopping, and sync pads the rest of each short or failed block with null bytes

hash=sha256 hashes the data on the fly with SHA-256

hashlog=hash.log save hash output to hash.log instead of stderr

of=/evidence/image.dd is where the output file is saved
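Both dc3dd and dcfldd write the on-the-fly hash to the file named by hashlog=. A check worth running before the image leaves your hands, shown here as an added example (not from the post or from either tool's project), is to recompute the SHA-256 of the finished image independently and compare it with the digest the tool recorded. The exact line format the tools write is treated as an assumption, so the function simply picks out the first 64-hex-digit token in the log instead of depending on the surrounding text; the hashlog used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the post or the dc3dd/dcfldd projects.
# Assumes grep -E, sha256sum, head and tr are available.

# extract_hash LOGFILE
# Print the first 64-hex-digit token in LOGFILE, lower-cased. This avoids
# depending on the exact wording around the digest, which differs between
# tools (an assumption; check your own hash.log).
extract_hash() {
    grep -oE '[0-9a-fA-F]{64}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# image_hash IMG: fresh SHA-256 of the image file
image_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_hashlog IMG LOGFILE
# Returns 0 when the recorded hash equals a fresh SHA-256 of IMG,
# 1 on mismatch, 2 when no digest could be found in the log.
verify_hashlog() {
    recorded=$(extract_hash "$2")
    [ -n "$recorded" ] || return 2
    [ "$recorded" = "$(image_hash "$1")" ]
}

# Demo with a constructed image and a constructed hashlog line in the style
# "Total (sha256): <digest>" (the exact text is illustrative only).
demo_hashlog() {
    tmp=$(mktemp -d)
    head -c 8192 /dev/urandom > "$tmp/image.dd"
    printf 'Total (sha256): %s\n' "$(image_hash "$tmp/image.dd")" > "$tmp/hash.log"
    if verify_hashlog "$tmp/image.dd" "$tmp/hash.log"; then
        echo "hash.log matches image"
    fi
    # Simulate a corrupted or padded copy of the image: one extra byte.
    printf 'x' >> "$tmp/image.dd"
    if ! verify_hashlog "$tmp/image.dd" "$tmp/hash.log"; then
        echo "modified image detected"
    fi
    rm -rf "$tmp"
}

demo_hashlog
```

Run the check on the copy of the image you actually hand over, not only on the original output file, since the point is to catch damage introduced after acquisition.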

Dump an Android Partition for forensic analysis

In this guide we will dump a memory partition from an Android device to do some forensic activities on it.

Prerequisites:

  • A rooted Android device
  • A forensic workstation with adb (Android Debug Bridge)
  • BusyBox installed on the Android device

First of all, we connect the Android device to our forensic workstation through USB, then we open a terminal.

To make sure that the device is properly connected and ADB is working, we run this command:

$ adb devices

Then we should see output like the following, which is the list of the connected devices:

[Image: adb devices command output]

Now that we are sure that the device is connected, we need to start an adb shell with this command:

$ adb shell

And then we become root with this command:

$ su -

Now we can list all the mounting points on the device with their familiar names using this command:

# ls -al /dev/block/platform/msm_sdcc.1/by-name

** Please note that you need to check whether on your device the directory is named msm_sdcc.1; if it isn't, replace it with yours.

The output lists all the mounting points with their familiar names (boot, cache, userdata, ...).

After this we choose which of those blocks we want to dump, and we use the dd (data dump) command to create a bit-for-bit image. To transfer the file we use netcat.

First of all we open a new terminal and forward TCP port 8888 as follows. This means that connections to port 8888 on the host are forwarded to port 8888 on the device; the first port is the host port and the second one is the device port.

$ adb forward tcp:8888 tcp:8888

Now we open an adb shell and become root as we did before:

$ adb shell

$ su -

Now we start the dump and pipe the output to a listening port through BusyBox netcat (we open port 8888 for listening, the one we set up forwarding for before), and we receive the dump on another terminal:

# dd if=/dev/block/mmcblk0p23 | busybox nc -l -p 8888

Now, immediately, open a new terminal on the forensics workstation and run netcat to retrieve the data:

$ nc 127.0.0.1 8888 > userdata_dump.img

When dd finishes, "userdata_dump.img" is ready to be analyzed. Enjoy!
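The manual procedure above has no integrity check: a raw netcat transfer gives no error if the stream is cut short, so a truncated dump looks the same as a complete one. The script below is an added example (not from the original post) that wraps the same steps, port forward, dd piped into busybox nc on the device, nc on the workstation, into shell functions and adds the check a practitioner would want: the partition is hashed on the device with BusyBox sha256sum and the digest is compared with a local SHA-256 of the received file. It assumes adb and nc on the workstation, BusyBox and root on the device, and an su that accepts "su -c <command>" (this varies between su implementations); the function names, the two-second wait and the partition path are my own or taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Automates the dump described
# above and adds a device-side hash check.
# Assumptions: adb and nc on the workstation, BusyBox and root on the device,
# and an su that accepts "su -c <command>" (varies between su implementations).

PORT=8888

# dump_partition PART OUT
# Forward the port, start dd | busybox nc on the device in the background,
# then connect from the workstation and write the stream to OUT.
dump_partition() {
    part="$1"; out="$2"
    adb forward "tcp:$PORT" "tcp:$PORT"
    adb shell "su -c 'dd if=$part | busybox nc -l -p $PORT'" &
    sleep 2   # give the device-side listener time to come up (assumption)
    nc 127.0.0.1 "$PORT" > "$out"
    wait
    adb forward --remove "tcp:$PORT"
}

# device_sha256_line PART: "<digest>  <path>" as printed by busybox sha256sum
# on the device; adb shell may add carriage returns, so strip them.
device_sha256_line() {
    adb shell "su -c 'busybox sha256sum $1'" | tr -d '\r'
}

# digest_from_line LINE: first field of a sha256sum-style line, lower-cased
digest_from_line() {
    printf '%s\n' "$1" | awk '{print tolower($1)}'
}

# check_dump OUT LINE
# Returns 0 when the local SHA-256 of OUT equals the digest in LINE
# (a sha256sum-style line from the device), 1 otherwise.
check_dump() {
    local_hash=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$local_hash" = "$(digest_from_line "$2")" ]
}

# acquire_and_verify PART OUT
# Full run; requires a connected, rooted device, so it is defined here but
# only executed when called explicitly.
acquire_and_verify() {
    part="$1"; out="$2"
    dump_partition "$part" "$out"
    line=$(device_sha256_line "$part")
    if check_dump "$out" "$line"; then
        echo "dump verified: $(digest_from_line "$line")"
    else
        echo "MISMATCH: transfer incomplete or corrupted, re-acquire" >&2
        return 1
    fi
}

# Example invocation, using the partition from the post:
# acquire_and_verify /dev/block/mmcblk0p23 userdata_dump.img
```

Hashing a whole partition on the device takes a while, but it is the only way to know the bytes that arrived are the bytes that were read; keep the device-side digest line with the image as part of the acquisition record.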