dc3dd is a forensically expanded version of dd. It should not be used to recover data from damaged drives; ddrescue should be used instead. According to the Kali Linux Tools webpage, dc3dd's expanded features include the following:
1: In-program hashing support for the md5, sha-1, sha-256, and sha-512 algorithms.
2: Can split output into multiple files.
3: Can wipe a device according to a certain pattern.
4: Can write errors to a file.
This guide directly uses information from the dc3dd manual. To read the manual, install dc3dd using your favorite package manager and open its man page:
sudo apt install dc3dd
man dc3dd
Additionally, dc3dd can write data to standard output and can use a string of text as input.
Much like dd, you should be careful while using dc3dd: it possesses the ability to delete all of your data and has no safety parameters in place to prevent that if a command is mistyped or misunderstood. dc3dd is a motorcycle with extra mirrors; wear a helmet and train in your local parking lot before diving in head first.
dc3dd Kali Tools description page: https://www.kali.org/tools/dc3dd/
left4code's dd webpage.
For the initial purposes of this section, I will create a simple test file to show the hashing and logging functionality of dc3dd. dc3dd does not have the 'bs=' and 'count=' parameters that dd has, so I will use dd to create the file.
dd if=/dev/random of=out.dd bs=1024 count=4
dc3dd is able to directly calculate the hashes during program execution. An example of this is the following:
sudo dc3dd if=out.dd of=dc3dd_test.dc3 hash=sha256
If you run this command, you will notice that the hash dc3dd produces is only sent to standard output and is not actually saved to a file. dc3dd's 'log=' option can be used to save the hash along with all the other information that was written to standard output.
sudo dc3dd if=out.dd of=dc3dd_test.dc3 hash=sha256 log=dc3dd_test.log
Additionally, the hashes generated for the files can be logged on their own with the 'hlog=' parameter. This parameter also works when multiple files are involved.
sudo dc3dd if=out.dd of=dc3dd_test.dc3 hash=sha256 hlog=dc3_test.hlog
The 'hofs=' and BASE.FMT parameters will be used and explained in more detail in the section after this one. If you want to log the hash of each output file made by the 'hofs=' parameter, use the following command:
sudo dc3dd if=out.dd hofs=test.00 hash=sha256 hlog=dc3_test.hlog
dc3dd has more unique command parameters that are used for more advanced usage of the program.
Without actually testing how the "BASE.FMT" format specifier works, note #5 of the manual can be quite confusing to read for the first time. I will try to explain the format specifier in detail, because it is required for the 'ifs=', 'ofs=', and 'hofs=' parameters.
"4. FMT is a pattern for a sequence of file extensions that can be numerical starting at zero, numerical starting at one, or alphabetical. Specify FMT by using a series of zeros, ones, or a's, respectively. The number of characters used indicates the desired length of the extensions. For example, a FMT specifier of 0000 indicates four character numerical extensions starting with 0000."
"BASE.FMT" is essentially "FILENAME.INDEX", where BASE represents the filename and FMT represents the index type of the file, which, as the manual says, is either "zeros, ones, or a's".
The lines below show each specifier, a parameter example, and the resulting index as it would appear after running ls in the working directory of dc3dd's output.
"zeros" (File.00) = 00, 01, 02, 03, 04 .. 99
"ones" (File.11) = 11, 12, 13, 14 .. 99
"a's" (File.aa) = aa, ab, ac, ad .. zz
As shown from the output, "a's" does not mean hexadecimal (0-9,a-f) as some might assume.
Unfortunately, the index types do not appear to be combinable; you cannot specify 'File.0a', for example. To name files in that manner you would need an external program. One way to do it is to use the standard 'File.0' parameter and then write a script that changes the end of each filename.
The number of zeros, ones, or a's can be changed. The manual explains that 0000 means a format specifier with four digit positions, starting at 0000, for the filename extension.
dc3dd can take multiple input files and combine them into a single output file. This is useful when you receive a file from someone else that has been split, either with the 'split' command or with the 'ofs=' parameter of dc3dd.
dc3dd ifs=tf.00 of=tf_combined.dc3
dc3dd is also able to take a single input file and split it into multiple output files.
dc3dd if=test.dd ofs=tf.00 ofsz=500
'ofsz=' means "output file size", a value you specify in bytes that determines the size of each output file fragment.
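As an added example (not from the original guide or the dc3dd manual), the following POSIX shell script mimics the "zeros" BASE.FMT naming (tf.00, tf.01, ...) with coreutils split and re-hashes the fragment set independently, which is the check you want before trusting an 'ofs='/'ifs=' round trip or a 'hash=sha256' line in a log. The file names, the 500-byte fragment size and the 4 KiB test image are assumptions mirroring the commands above.

```shell
#!/bin/sh
# Added example, not part of the original guide or the dc3dd manual. It mimics the
# "zeros" BASE.FMT naming (tf.00, tf.01, ...) with coreutils split and re-hashes the
# fragment set independently, so an ofs=/ifs= round trip can be checked against the
# original image without relying on the tool's own hash output.
set -e

# sha256 hex digest of one file (sha256sum prints "HEX  NAME"; keep the HEX).
hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# sha256 of all fragments BASE.NN concatenated in index order, i.e. exactly the
# byte stream a 'dc3dd ifs=BASE.00' run would read. The walk stops at the first
# missing index, so a gap in the sequence shows up as a hash mismatch.
hash_fragments() {
    base=$1; i=0; list=""
    while f=$(printf '%s.%02d' "$base" "$i") && [ -f "$f" ]; do
        list="$list $f"; i=$((i + 1))
    done
    [ "$i" -gt 0 ] || return 1              # no BASE.00 at all: nothing to verify
    cat $list | sha256sum | cut -d' ' -f1   # $list is word-split on purpose
}

# verify_split_set ORIGINAL BASE -> 0 when the fragments reassemble to ORIGINAL.
verify_split_set() {
    [ "$(hash_file "$1")" = "$(hash_fragments "$2")" ]
}

# Demo on constructed data: a 4 KiB random image in 500-byte pieces, mirroring the
# guide's 'dd ... bs=1024 count=4' and 'ofsz=500' (9 fragments, tf.00 .. tf.08).
demo() (
    cd "$(mktemp -d)"
    dd if=/dev/urandom of=test.dd bs=1024 count=4 2>/dev/null
    split -b 500 -d -a 2 test.dd tf.
    verify_split_set test.dd tf && echo "tf.00..tf.08 reassemble to test.dd [ok]"
    printf 'X' >> tf.03                  # tamper: append one byte to a fragment
    ! verify_split_set test.dd tf && echo "tampered fragment detected [mismatch]"
)
demo
```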
dc3dd can be used to overwrite devices with data using different patterns or text. Some examples of this use are shown below:
'tpat=' parameter with the text string "L4C":
sudo dc3dd wipe=/dev/<drive> tpat=L4C
Additionally, if you want to write a certain hexadecimal value to the drive when wiping, you can use the 'pat=' parameter followed by your hex value.
'pat=' parameter with HEX value 2B:
sudo dc3dd wipe=/dev/<drive> pat=2B
dc3dd is also able to use hashing to verify if a drive is wiped (by comparing the input and output hashes after the wipe is completed).
'pat=' parameter with HEX value 2C, using 'hwipe=' to verify the wipe:
sudo dc3dd hwipe=/dev/<drive> hash=sha256 pat=2C
The same log parameters can also be appended to this command, which will save the hash output to a file. Additionally, when using hwipe, the input and output are checked against each other in the command's output, and if all bytes were copied from the input to the output successfully, dc3dd will give an '[ok]' in its output.
This concludes the main usage of dc3dd in most forensic situations. There are, however, some things that I did not go over in this guide, and it is recommended that you check the manual to see whether a specific parameter not mentioned here is available in dc3dd.
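As an added example (not from the original guide or the dc3dd manual), this POSIX shell script is an independent counterpart to the 'hwipe=' check: it confirms that a target holds nothing but the 'pat=' byte after a wipe, by deleting every byte equal to the pattern and counting what survives. The image file and its size are constructed stand-ins for a wiped device; a real check would point at the device node itself.

```shell
#!/bin/sh
# Added example, not from the original guide or the dc3dd manual: independently
# confirm that a target holds nothing but the 'pat=' byte after a wipe. tr -d
# deletes every byte equal to the pattern, so whatever survives is a byte the
# wipe did not cover. Assumes a two-digit hex pattern such as the guide's pat=2B.
set -e

# Turn a two-digit hex value into the octal escape tr understands: 2B -> \053
hex_to_oct() { printf '\\%03o' "$((0x$1))"; }

# count_foreign_bytes FILE HEX -> number of bytes in FILE that are not HEX.
count_foreign_bytes() {
    tr -d "$(hex_to_oct "$2")" < "$1" | wc -c | tr -d ' '
}

# verify_wipe FILE HEX -> 0 when every byte of FILE equals the pattern byte.
verify_wipe() { [ "$(count_foreign_bytes "$1" "$2")" -eq 0 ]; }

# make_pattern_file FILE SIZE HEX: a constructed stand-in for a wiped device,
# SIZE bytes of the pattern, i.e. what 'pat=HEX' should leave behind.
make_pattern_file() { head -c "$2" /dev/zero | tr '\0' "$(hex_to_oct "$3")" > "$1"; }

demo() (
    cd "$(mktemp -d)"
    make_pattern_file wiped.img 4096 2B
    verify_wipe wiped.img 2B && echo "wiped.img: every byte is 0x2B [ok]"
    # Simulate a region the wipe missed: 6 bytes of leftover data at offset 1000.
    printf 'secret' | dd of=wiped.img bs=1 seek=1000 conv=notrunc 2>/dev/null
    echo "$(count_foreign_bytes wiped.img 2B) byte(s) are not 0x2B"   # 6
)
demo
```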