← 返回命令列表

Linux command

dcfldd 命令

安全

权限或系统影响较大,执行前请核对目标。

常用示例

Create disk image

dcfldd if=[/dev/sda] of=[disk.img]

Create image with MD5 hash verification

dcfldd if=[/dev/sda] of=[disk.img] hash=md5 hashlog=[hash.txt]

Create image with multiple hashes

dcfldd if=[/dev/sda] of=[disk.img] hash=md5,sha256

Write to multiple outputs

dcfldd if=[/dev/sda] of=[disk1.img] of=[disk2.img]

Split output

dcfldd if=[/dev/sda] of=[disk.img] split=[1G] splitformat=aa

Wipe disk

dcfldd pattern=[00] of=[/dev/sda]

Verify image

dcfldd if=[/dev/sda] vf=[disk.img]

Show status

dcfldd if=[/dev/sda] of=[disk.img] statusinterval=[256]

说明

dcfldd is an enhanced version of GNU dd developed by the Department of Defense Computer Forensics Lab (DCFL). It adds features critical for forensic imaging, including on-the-fly hashing, status output, split output, and verification. The tool can compute multiple hash types (MD5, SHA1, SHA256, etc.) while copying, ensuring data integrity. It supports writing to multiple outputs simultaneously for creating duplicate forensic images. dcfldd provides progress output during copying, addressing one of dd's most common complaints. It's widely used in digital forensics, incident response, and data recovery operations.

参数

if= _file_
Input file or device.
of= _file_
Output file (can specify multiple).
vf= _file_
Verify file against input.
hash= _types_
Hash algorithm(s) (md5, sha1, sha256, sha384, sha512).
hashlog= _file_
Write hash to file.
hashwindow= _n_
Hash every n bytes.
pattern= _hex_
Fill pattern for wiping.
split= _size_
Split output at size intervals.
splitformat= _fmt_
Split file suffix format.
statusinterval= _n_
Show status every n blocks.
bs= _size_
Block size for read/write.
count= _n_
Copy only n blocks.
skip= _n_
Skip n blocks at start of input.
seek= _n_
Skip n blocks at start of output.
conv= _options_
Conversion options (noerror, sync, etc.).

FAQ

What is the dcfldd command used for?

dcfldd is an enhanced version of GNU dd developed by the Department of Defense Computer Forensics Lab (DCFL). It adds features critical for forensic imaging, including on-the-fly hashing, status output, split output, and verification. The tool can compute multiple hash types (MD5, SHA1, SHA256, etc.) while copying, ensuring data integrity. It supports writing to multiple outputs simultaneously for creating duplicate forensic images. dcfldd provides progress output during copying, addressing one of dd's most common complaints. It's widely used in digital forensics, incident response, and data recovery operations.

How do I run a basic dcfldd example?

Run `dcfldd if=[/dev/sda] of=[disk.img]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.

What does if= _file_ do in dcfldd?

Input file or device.