Left4Code/left4code.neocities.org
1
0
Fork 0
mirror of https://git.qwik.space/left4code/left4code.neocities.org.git synced 2025-07-28 00:13:38 +05:30
Code Issues Packages Projects Releases Wiki Activity
Files
b1fb2f6dd4d5bccbe75fb0089d6d173d26efbd1c
left4code.neocities.org/courses/filesystem_imaging_forensics/dc3dd.html
Left4Code b1fb2f6dd4 filesystem additions
2025-06-09 15:12:38 -04:00

146 lines
11 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="description" content="dc3dd is a forensic variant of the dd software, it allows on the fly hashing as a feature and different options for output.">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="author" content="Left4Code">
<meta name="keywords" content="dc3dd, forensics, dc3dd forensics">
<link rel="icon" type="image/x-icon" href="../../favicon/favicon.ico">
<title>Left4Code - (Courses) - {dc3dd}</title>
<link rel="stylesheet" type="text/css" href='../../style.css'>
</head>
<body>
<header>
<span>Left4Code</span>
</header>
<nav>
<div>
<a href="../../index.html">Home</a>
<a href="../../blog.html">Blog</a>
</div>
</nav>
<div class="container">
<section>
<h1 class="blog-header">dc3dd</h1>
<h3>--| Posted: 06-01-25</h3>
<h4 class="blog-header">Table of Contents</h4>
<div id="toc_container">
<hr>
<ul class="toc_list">
<li><a href="#>~(1)">1. Background Information</a></li>
<ul>
<li><a href="#>~{1.1}">1.1 Warnings</a></li>
<li><a href="#>~{1.2}">1.2 Links Used on This Page</a></li>
</ul>
<li><a href="#>~(2)">2. Basic dc3dd Usage</a></li>
<li><a href="#>~(3)">3. Advanced (Specialized) dc3dd Usage</a></li>
<ul>
<li><a href="#>~{3.1}">3.1 Understanding the "BASE.FMT" format</a></li>
<li><a href="#>~{3.2}">3.2 Multi-Input dc3dd Parameters</a></li>
<li><a href="#>~{3.3}">3.3 Wiping Devices with dc3dd</a></li>
</ul>
<li><a href="#>~(4)">4. Conclusion</a></li>
</div>
<hr>
<h4 id=">~(1)" class="blog-header">1. Background Information</h4>
<p>dc3dd is a forensically-expanded version of dd. It should not be used to recover data from damaged drives, <a href="ddrescue.html">ddrescue</a> should be used instead. dc3dd has expanded features which include the following according to the <a href="https://www.kali.org/tools/dc3dd/">Kali Linux Tools Webpage</a>:</p>
<p>This guide directly uses information from the dc3dd manual, to find the manual, install dc3dd using your favorite package manager and check the manual.</p>
<pre class="preformatted">
sudo apt install dc3dd
man dc3dd</pre>
<pre class="preformatted">
1: In-program hashing support for md5, sha-1, sha-256, and sha-512 algorithms.
2: can split output into multiple files.
3: can wipe a device according to a certain pattern.
4: write errors to a file.</pre>
<p>Additionally, dc3dd can be used to write data to standard output use a string of text as input.</p>
<h4 id=">~{1.1}" class="blog-header">1.1 Warnings</h4>
<p>Much like <a href="dd.html">dd</a>, you should be careful while using dc3dd, dc3dd posesses the ability to delete all of your data and does not have safety parameters in place to prevent it if a command is mistypes or misunderstood. dc3dd is a motorcycle with extra mirrors, wear a helmet and train in your local parking-lot before diving in head first.</p>
<details>
<summary id=">~{1.2}" class="blog-header">1.2 Links Used on This Page</summary>
<pre class="preformatted">
<a href="https://www.kali.org/tools/dc3dd/">▶[https://www.kali.org/tools/dc3dd/]</a>
◉───╡ dc3dd kali tools description page.
<a href="dd.html">left4code's dd webpage</a>
◉───╡ left4code dd page.</pre>
</details>
<hr>
<h4 id=">~(2)" class="blog-header">2. Basic dc3dd Usage</h4>
<p>For the initial purposes of this section, I will create a simple test file to show the hashing and logging functionality of dc3dd. dc3dd does not have the <code>'bs='</code> and <code>'count='</code> parameters like dd, so I will use that.</p>
<h4 id=">~()">Creates file 'out.dd' from /dev/random input using dd</h4>
<pre class="preformatted">
dd if=/dev/random of=out.dd bs=1024 count=4 </pre>
<p>dc3dd is able to directly calculate the hashes during program execution. An example of this is the following: </p>
<h4 id=">~()">Creates file 'dc3dd_test.dc3' from 'out.dd', hashing with sha256</h4>
<pre class="preformatted">
sudo dc3dd if=out.dd of=dc3dd_test.dc3 hash=sha256 </pre>
<p>if you run this command, you will notice that the hash dc3dd produces will only be sent to standard output and will not be actually saved to a file. dc3dd's <code>'log='</code> option can be used to save the hash along with all other information that was outputted to standard output.</p>
<h4 id=">~()">Creates file 'dc3dd_test.dc3' from 'out.dd', hashing with sha256, saves output to 'dc3dd_test.log'</h4>
<pre class="preformatted">
sudo dc3dd if=out.dd of=dc3dd_test.dc3 hash=sha256 log=dc3dd_test.log </pre>
<p>Additionally, there is functionality for logging output of the hashes generated from files and can be specified with the <code>'hlog='</code> parameter. This parameter can be used for multiple files.</p>
<h4 id=">~()">Creates file 'dc3dd_test.dc3' from 'out.dd', hashing with sha256, saves output to 'dc3_test.hlog'</h4>
<pre class="preformatted">
sudo dc3dd if=out.dd of=dc3dd_test.dc3 hash=sha256 hlog=dc3_test.hlog </pre>
<p>The <code>'hofs='</code> and BASE.FMT parameters will be used and explained in a little more detail in the section after this one, if you want to log the hash of each output file make from the <code>'hofs='</code> parameter, use the following command:</p>
<pre class="preformatted">
sudo dc3dd if=out.dd hofs=test.00 hash=sha256 hlog=dc3_test.hlog </pre>
<h4 id=">~(3)" class="blog-header">3. Advanced (Specialized) dc3dd Usage</h4>
<p>dc3dd has more unique command parameters that are used for more advanced usage of the program.</p>
<h4 id=">~{3.1}" class="blog-header">3.1 Understanding the "BASE.FMT" format</h4>
<p>Without practically testing out how the "BASE.FMT" format specifier works, it can be quite confusing to read note #5 of the manual for the first time. I will try to explain how the format specifier works in detail because it is required for the <code>'ifs='</code>,<code>'ofs='</code>, and <code>'hofs='</code> parameters.</p>
<h4 id=">~()">Note #5 of the dc3dd Manual (BASE.FMT)</h4>
<p><code>"4. FMT is a pattern for a sequence of file extensions that can be numerical starting at zero, numerical starting at one, or alphabetical. Specify FMT by using a series of zeros, ones, or a's, respectively. The number of characters used indicates the desired length of the extensions. For example, a FMT specifier of 0000 indicates four character numerical extensions starting with 0000."</code></p>
<p>"BASE.FMT" Is essentially "FILENAME.INDEX". Where BASE represents the filename of the file and FMT represents the index type of the file. Which as the outline says, is either "zeros, ones, or a's"</p>
<h4 id=">~()">Verbose Understanding of FMT</h4>
<p>Below shows the specifier, a parameter example, and the resulting output of the index as it would show up after using <code>ls</code> in the working directory of dc3dd's output.</p>
<pre class="preformatted">
"zeros" (<code>File.00</code>) = 00,01,02,03,04..99
"ones" (<code>File.11</code>) = 11,12,13,14..99
"a's" (<code>File.aa</code>) = aa,ab,ac,ad..zz</pre>
<p>As shown from the output, "a's" does not mean hexadecimal (0-9,a-f) as some might assume.</p>
<p>Unfortunately, output types do not seem to be combinable and you can not specify 'File.0a' for example. For naming files in this manner, you would need to use external programs. A way this could be done is to use that standard 'File.0' parameter and then write a script to change the end of the filename. </p>
<p>The amount of zeros, ones, or a's is able to be changed. The manual explains that 0000 means a format specifier of 4 digit spaces starting at 0000 for the filename.</p>
<h4 id=">~{3.2}" class="blog-header">3.2 Multi-Input dc3dd Parameters</h4>
<p>dc3dd is able to take multiple input files and combine them into a single output file. This would be useful when you receive a file from someone else that is split, either using the <code>'split'</code> command or the <code>'ofs='</code> parameter in dc3dd.</p>
<h4 id=">~()">Creates file 'tf_combined.dc3' from 'tf.00' files.</h4>
<pre class="preformatted">
dc3dd ifs=tf.00 of=tf_combined.dc3 </pre>
<p>dc3dd is also able to take a single input file and split it into multiple output files.</p>
<h4 id=">~()">Creates files using 'tf.00' "BASE.FMT" parameter, uses "test.dd" as input, sets output size as 500 bytes</h4>
<pre class="preformatted">
dc3dd if=test.dd ofs=tf.00 ofsz=500 </pre>
<p><code>'ofsz='</code> means "output file size", which is a value you can specify in bytes that will determine the size of each output file fragment.</p>
<h4 id=">~{3.3}" class="blog-header">3.3 Wiping Devices with dc3dd</h4>
<p>dc3dd can be used to overwrite devices with data using different patterns or text some examples of this use are shown below:</p>
<h4 id=">~()">Overwrites device using <code>'tpat='</code> parameter and string "L4C". </h4>
<pre class="preformatted">
sudo dc3dd wipe=/dev/&lt;drive&gt; tpat=L4C </pre>
<p>Additionally, if you want to write a certain hexadecimal value to the drive when wiping, you can use the <code>'pat='</code> parameter followed by your hex values</p>
<h4 id=">~()">Overwrites device using <code>'pat='</code> parameter and HEX value 2B.</h4>
<pre class="preformatted">
sudo dc3dd wipe=/dev/&lt;drive&gt; pat=2B </pre>
<p>dc3dd is also able to use hashing to verify if a drive is wiped (by comparing the input and output hashes after the wipe is completed).</p>
<h4 id=">~()">Overwrites device using <code>'pat='</code> parameter and HEX value 2C. Uses <code>'hwipe='</code> to verify wipe.</h4>
<pre class="preformatted">
sudo dc3dd hwipe=/dev/&lt;drive&gt; hash=sha256 pat=2C </pre>
<p>the same log parameters can also be appended to this command which will save the output of the hash to a file. Additionally in the output of the command when using hwipe, the input and output will be checked against eachother and if all bytes were copied from the input to the output sucessfully, dc3dd will give an '[ok]' in its output.</p>
<h4 id=">~(4)" class="blog-header">4. Conclusion</h4>
<p>This concludes the main usage for dc3dd in most forensic situations. There are however some things that I did not got over in this guide and it is recommended that you check the manual to see if a specific parameter not mentioned here is functionally available in dc3dd.</p>
</section>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink