Analecta Cyber Company Blog: Imaging with dc3dd

2014-10-07

Imaging with dc3dd

Creating a forensic image of media is one of the fundamental capabilities of any forensic investigator. A great tool for accomplishing this is dc3dd - a version of the Unix/Linux dd program redesigned by the engineers at the DoD Cyber Crime Institute (DCCI).

Here's a procedure you may consider using for imaging media with dc3dd.

Capabilities

dc3dd's changes to dd let it create and process images more efficiently: hashes for forensic validation are computed on the spare CPU cores of the imaging platform while the copy runs. Features such as media sanitization (wiping) and hashing have also been added to this beloved, classic tool.

Purpose

This procedure is to be used for acquiring a forensically sound image of a hard disk or other media using a dedicated forensic platform.

Note: If you have been properly trained in digital forensics and the collection of evidence and media, this procedure may be used and will correctly collect the media. If you have not been properly trained the resulting forensic image may not be admissible in a court.

Materials Required


  • Forensic Platform 
  • Source Media 
  • Write Blocker 
  • Target Media 

Procedure

Step 1: Prepare the Forensic System

Boot the forensic system. Annotate any variances.

Step 2: Identify your Target Drive & Mount

Attach the target media to the system. Run fdisk to list all disks attached to the system.
# fdisk -l

Identify the target media and document its device assignment, e.g.: target media attached to the system as /dev/sdb (or /dev/sdc, etc.).

Mount the target drive:
# mkdir /mnt/target
# mount /dev/sdb1 /mnt/target

Step 3: Identify your Source Drive/Media

Run fdisk to list all disks attached to the system and identify the source drive.
# fdisk -l

Step 4: Image the Source Drive/Media

Use dc3dd to create a forensically sound image on the target media (the command uses plain ASCII double quotes; curly quotes are not accepted by the shell):
# dc3dd if="/dev/sda" hash="md5" hash="sha1" ofsz="1900M" hlog="Item#_Description.dd.log" hofs="Item#_Description.dd.000"

Step 5: Disconnect/Cleanup

After imaging has completed, use the command "sync" to ensure all cached writes have been flushed to disk and all I/O has completed. Change the current working directory to root and unmount the target media (the command is umount, not unmount).
# sync
# cd /

# umount /dev/sdb1

Disconnect the source drive from the forensic system. If necessary or desired, shut the forensic system down.
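The five steps above wrapped into shell functions, as an added example that is not code from the original post or from the dc3dd project. It adds the two checks a practitioner usually wants around this procedure: the item identifier is validated before it becomes a file name on the target, and after imaging the hash log written by hlog= is parsed so that the input hash dc3dd computed while reading the source is compared with the output hash it computed for the hofs= segments. The /dev/sdX names, the /mnt/target mount point and the "<item>_<description>" naming scheme are placeholders; the hash-log layout that verify_hash_log parses is assumed from dc3dd 7.x output, and sample_hash_log is a constructed sample in that layout, not a real log.

```shell
#!/bin/sh
# Added example, not code from the original post or the dc3dd project: the
# five steps above as shell functions. /dev/sdX names, /mnt/target and the
# "<item>_<description>" naming scheme are placeholders; the hash-log layout
# parsed by verify_hash_log is assumed from dc3dd 7.x output, and
# sample_hash_log is a constructed sample in that layout, not a real log.
set -u

# Item id and description end up in file names on the target media, so only
# characters that are safe in the shell and on any filesystem are accepted.
safe_name() {
    case "$1" in
        "" | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print (do not run) the dc3dd command for one item, with plain ASCII quotes
# so it can be pasted into the console and copied into the case notes.
build_dc3dd_cmd() {
    src="$1" item="$2" desc="$3" target_dir="$4" split="${5:-1900M}"
    safe_name "$item" && safe_name "$desc" || return 1
    base="$target_dir/${item}_${desc}.dd"
    printf 'dc3dd if="%s" hash="md5" hash="sha1" ofsz="%s" hlog="%s.log" hofs="%s.000"\n' \
        "$src" "$split" "$base" "$base"
}

# True when the directory is an active mount point (reads Linux /proc/mounts).
is_mounted() {
    [ -r /proc/mounts ] || { echo "no /proc/mounts; check the mount by hand" >&2; return 2; }
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' /proc/mounts
}

# Compare each input hash in a dc3dd hash log with the output hash for the
# same algorithm. Returns 0 only if every algorithm is present on both sides
# and the values agree; any gap or difference is reported as MISMATCH.
verify_hash_log() {
    awk '
        /^input results/  { sec = "in" }
        /^output results/ { sec = "out" }
        /^ *[0-9a-f]+ \((md5|sha1|sha256|sha512)\)$/ {
            algo = $2; gsub(/[()]/, "", algo)
            if (!(algo in seen)) { seen[algo] = 1; n++ }
            h[sec, algo] = $1
        }
        END {
            bad = (n == 0)
            for (a in seen) {
                if (h["in", a] == "" || h["in", a] != h["out", a]) {
                    print "MISMATCH " a; bad = 1
                } else {
                    print "OK " a " " h["in", a]
                }
            }
            exit bad
        }' "$1"
}

# Constructed sample log (1 MiB source, 512-byte sectors) in the assumed layout.
sample_hash_log() {
    cat <<'EOF'
input results for device `/dev/sda':
   2048 sectors in
   0 bad sectors replaced by zeros
   b6d81b360a5672d80c27430f39153e2c (md5)
   3b71f43ff30f4b15b5cd85dd9e95ebc7e84eb5a3 (sha1)

output results for files `/mnt/target/001_laptop.dd.000':
   2048 sectors out
   b6d81b360a5672d80c27430f39153e2c (md5)
   3b71f43ff30f4b15b5cd85dd9e95ebc7e84eb5a3 (sha1)
EOF
}

# Steps 1-5 end to end; run as root on the forensic platform with the source
# attached through the write blocker from the materials list.
image_item() {
    src="$1" item="$2" desc="$3" target_dev="$4" target_dir="${5:-/mnt/target}"
    fdisk -l                                         # steps 2-3: record device assignments
    mkdir -p "$target_dir" && mount "$target_dev" "$target_dir" || return 1
    is_mounted "$target_dir" || return 1
    build_dc3dd_cmd "$src" "$item" "$desc" "$target_dir" || return 1   # echoed for the notes
    base="$target_dir/${item}_${desc}.dd"
    dc3dd if="$src" hash=md5 hash=sha1 ofsz=1900M hlog="$base.log" hofs="$base.000" || return 1
    sync && cd /                                     # step 5
    verify_hash_log "$base.log"
    rc=$?
    umount "$target_dev"
    return $rc
}
```

Usage on the forensic platform would be, for example, `image_item /dev/sda 001 laptop /dev/sdb1`; the `verify_hash_log` exit status is what the operator records, since a MISMATCH line means the segments written to the target do not reproduce what was read from the source. The functions other than `image_item` touch no devices, so they can be exercised on any machine.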

Reference: