Using DC3DD in Kali Linux

DC3DD was developed by the Department of Defense Cyber Crime Center and is updated whenever DD updates. DC3DD offers the best of DD with more features, including:

  • On-the-fly hashing using more algorithm choices (MD5, SHA-1, SHA-256, and SHA-512)
  • A meter to monitor progress and acquisition time
  • Writing of errors to a file
  • Splitting of output files
  • Verification of files
  • Wiping of output files (pattern wiping)
Although we'll only be looking at DD and DC3DD, there is also another tool called DCFLDD, which can be installed on Linux-based systems. DCFLDD is an enhanced version of DD maintained and supported by the Defense Computer Forensics Laboratory (DCFL) and released on its own schedule, rather than in step with DD as DC3DD is.

DC3DD is a command-line tool and can be run in Kali Linux by first opening a Terminal and typing dc3dd. To start with, I recommend running dc3dd --help, which lists the available parameters:

As the --help output in the previous screenshot shows, typical usage of the dc3dd command looks like this:

dc3dd [option 1] [option 2] ... [option n]

In the example shown, I used the following options:

dc3dd if=/dev/sdb hash=md5 log=dc3ddusb of=test_usb.dd
  • if: Specifies the input file, which is the device we will be imaging.
  • hash: Specifies the hash algorithm used for integrity verification (md5, sha1, sha256, or sha512). In this case, I have used the older MD5 hash. MD5 is still adequate for detecting accidental corruption, but its collision resistance is broken, so for evidentiary work record SHA-256 as well; the option may be repeated (hash=md5 hash=sha256) to compute both in a single pass.
  • log: Specifies the name of the log file that logs the details of the device and the acquisition, including errors.
  • of: Specifies the output file name of the forensic image created by DC3DD. The image is a raw, bit-for-bit copy whatever the extension: .dd is used here and .img in a later example, but the extension is only a naming convention and does not change the format. If you want DC3DD to also hash the data it writes and report any mismatch between input and output itself, use hof= in place of of=.

Note the device size (in sectors and in bytes) reported at the start of the run; once the acquisition finishes, it should be compared with the sectors in and sectors out reported in the input and output results.

The last line also displays the progress and status of the acquisition process, showing the amount of data copied, the elapsed time in seconds, and the throughput of the imaging process in megabytes per second:

The larger the drive or file to be acquired, the longer the acquisition takes. Might I suggest you get yourself a cup of coffee or refreshing beverage, or even have a look at some other wonderful titles available from Packt at https://www.packtpub.com/.

Once the acquisition process has been completed, the input and output results are displayed:

Analyzing the results, we can see that the same number of sectors (3913664) went in and came out, with no bad sectors replaced by zeros. The MD5 digest shown under the input results was computed over every byte read from the device as it was written, so together with the matching sector counts it is our reference value: re-hashing the image file (for example with md5sum) and obtaining the same digest assures us that an exact copy was created without modification.

In the Terminal, we can also use the ls command to list the directory contents to ensure the DC3DD output file (test_usb.dd) and log (dc3ddusb) have been created:

To access our forensic image and log file, we can go to our /home directory by clicking on places (top left corner) and then Home.

Within my Home folder, the first file is the output image created by DC3DD (it appears as 2GBdcedd.dd in the screenshot, whereas the of=test_usb.dd option in our command names it test_usb.dd). The last file, dc3ddusb, is the log file, created by the log=dc3ddusb option:

It's important to keep this log file as a record of the acquisition process and its results, which were displayed on screen upon completion:
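As an added example that is not part of the book's text or of dc3dd itself, the following POSIX shell script performs the two checks the results above invite an examiner to do by hand: it re-hashes the image independently of dc3dd and compares the digest with the one recorded in the log, and it confirms that sectors in, sectors out and the image's actual size agree with no zero-filled bad sectors (a zero-filled run still produces a "correct" hash, so only the log reveals it). It assumes GNU coreutils and the dc3dd 7.x log layout; the device path, file names and the embedded sample log are constructed for the demonstration, and the digest in the sample is the MD5 of 1024 zero bytes.

```shell
#!/bin/sh
# Independent post-acquisition checks for a dc3dd image and its log.
# Added example for this chapter; not code from the book or from dc3dd.
# Assumptions: GNU coreutils (md5sum/sha256sum, awk, wc) and the dc3dd 7.x log
# layout, where the input digest appears as "   <hexdigest> (<algo>)" and the
# counts as "<n> sectors in", "<n> bad sectors replaced by zeros", "<n> sectors out".

# Suggested acquisition (hypothetical paths): hash= is repeated so both digests
# are logged, and hof= makes dc3dd hash what it wrote and compare it itself.
acquire_image() {  # $1 source device, $2 image path, $3 log path
    dc3dd if="$1" hash=md5 hash=sha256 log="$3" hof="$2"
}

# Print the digest dc3dd logged for one algorithm (empty if none was logged).
hash_from_log() {  # $1 log, $2 algo
    awk -v tag="($2)" '$2 == tag { print $1; exit }' "$1"
}

# Recompute the digest over the image and compare it with the logged value.
# Returns 0 on match, 1 on mismatch, 2 if the log has no such digest.
verify_hash() {  # $1 image, $2 log, $3 algo (md5|sha1|sha256|sha512)
    case "$3" in
        md5|sha1|sha256|sha512) ;;
        *) echo "unsupported algorithm: $3" >&2; return 2 ;;
    esac
    logged=$(hash_from_log "$2" "$3")
    [ -n "$logged" ] || { echo "no $3 digest in $2" >&2; return 2; }
    actual=$("${3}sum" "$1" | awk '{ print $1 }')
    if [ "$actual" = "$logged" ]; then
        echo "OK   $3 $actual"
    else
        echo "FAIL $3 log=$logged image=$actual" >&2
        return 1
    fi
}

# sectors in == sectors out == image bytes / sector size, and no bad sectors.
verify_sectors() {  # $1 image, $2 log, $3 sector size (default 512)
    size=${3:-512}
    sin=$(awk '/ sectors in$/ { print $1 }' "$2")
    sout=$(awk '/ sectors out$/ { print $1 }' "$2")
    bad=$(awk '/ bad sectors replaced by zeros$/ { print $1 }' "$2")
    actual=$(( $(wc -c < "$1") / size ))
    [ -n "$sin" ] && [ "$sin" = "$sout" ] && [ "$sout" = "$actual" ] && [ "${bad:-0}" = 0 ]
}

check_image() {  # $1 image, $2 log, $3 algo
    verify_hash "$1" "$2" "$3" && verify_sectors "$1" "$2"
}

# Constructed sample: a two-sector "device" of zero bytes and the results
# section of a log in the dc3dd 7.x layout (digest = MD5 of 1024 zero bytes).
make_sample() {  # $1 image path, $2 log path
    head -c 1024 /dev/zero > "$1"
    cat > "$2" <<'EOF'
input results for device `/dev/sdb':
   2 sectors in
   0 bad sectors replaced by zeros
   0f343b0931126a20f133d67c2b018a3b (md5)

output results for file `test_usb.dd':
   2 sectors out
EOF
}

# Usage: sh dc3dd_check.sh IMAGE LOG [ALGO]   (ALGO defaults to md5, as above)
if [ $# -ge 2 ]; then
    check_image "$1" "$2" "${3:-md5}"
fi
```

Run it as sh dc3dd_check.sh test_usb.dd dc3ddusb after an acquisition; a non-zero exit means the image does not match what dc3dd recorded, and the log should be read to see whether the cause is a digest mismatch, a size mismatch, or zero-filled bad sectors.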

In future chapters, we will be analyzing acquired forensic images using various tools; however, the image can also be copied or directly cloned to another device if the investigator so wishes.

As an example, we could clone the forensic image acquired previously (test_usb.dd) onto a new drive recognized as sdc. First confirm with lsblk or fdisk -l that /dev/sdc really is the intended destination, because dc3dd will overwrite whatever is there without asking. The command used to perform this task would be:

dc3dd if=test_usb.dd of=/dev/sdc log=drivecopy.log

When copying an image to a drive, the destination drive must be of equal size or larger than the image file; if it is smaller, the copy ends with a write error and the clone is incomplete.