acquiring-disk-image-with-dd-and-dcfldd

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026


$ npx skills install mukul975/Anthropic-Cybersecurity-Skills/acquiring-disk-image-with-dd-and-dcfldd
summary

Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.

skill.md
name
acquiring-disk-image-with-dd-and-dcfldd
description
Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
domain
cybersecurity
subdomain
digital-forensics
tags
- forensics
- disk-imaging
- evidence-acquisition
- dd
- dcfldd
- hash-verification
version
'1.0'
author
mahipal
license
Apache-2.0
nist_csf
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01

Acquiring Disk Image with dd and dcfldd

When to Use

  • When you need to create a forensic copy of a suspect drive for investigation
  • During incident response, to preserve disk evidence before any analysis step can alter it
  • When law enforcement or legal proceedings require a verified bit-for-bit copy
  • Before performing any destructive analysis on a storage device
  • When acquiring images from physical drives, USB devices, or memory cards

Prerequisites

  • Linux-based forensic workstation (SIFT, Kali, or any Linux distro) with desktop automounting (udisks) disabled before the evidence drive is attached
  • dd (GNU coreutils, present on practically every Linux system) or dcfldd (the forensic variant with built-in hashing, splitting and verification)
  • Write-blocker hardware, or software write-blocking configured before the drive is attached; a hardware blocker is the stronger control because software blocking can only take effect after the kernel has already seen the device
  • Destination drive with sufficient storage (larger than the source; more if you keep both a raw and a compressed copy)
  • Root/sudo privileges on the forensic workstation
  • SHA-256 hashing utility (sha256sum); MD5 (md5sum) is collision-prone and should only be recorded alongside SHA-256 where a legacy process still asks for it

Workflow

Step 1: Identify the Target Device and Enable Write Protection

# List all connected block devices to identify the target
lsblk -o NAME,SIZE,TYPE,MOUNTPOINT,MODEL

# Verify the device details (partition table, logical and physical sector size)
fdisk -l /dev/sdb

# Enable software write-blocking (if no hardware blocker). Do this before anything
# mounts the drive: a mounted journaling filesystem can be modified (journal replay)
# the moment it is attached. Partitions (/dev/sdb1, ...) are separate block devices,
# so set each of them read-only with the same command, not just the whole disk.
blockdev --setro /dev/sdb

# Verify read-only status (repeat for every partition)
blockdev --getro /dev/sdb
# Output: 1 (means read-only is enabled)

# Alternatively, use a udev rule for persistent write-blocking. /sys/block/*/ro is a
# read-only sysfs attribute, so ATTR{ro}="1" would have no effect; run blockdev when
# the device appears instead. ATTRS{serial} matches the parent device's serial, so the
# rule fires for the disk and each of its partitions. The rule must be installed and
# reloaded BEFORE the drive is attached.
echo 'ACTION=="add", SUBSYSTEM=="block", ATTRS{serial}=="WD-WCAV5H861234", RUN+="/sbin/blockdev --setro /dev/%k"' > /etc/udev/rules.d/99-writeblock.rules
udevadm control --reload-rules

Step 2: Prepare the Destination and Document the Source

# Create case directory structure
mkdir -p /cases/case-2024-001/{images,hashes,logs,notes}

# Document source drive information (hdparm -I may report little or nothing through a
# USB-to-SATA bridge; in that case rely on smartctl and the blocker's own display)
hdparm -I /dev/sdb > /cases/case-2024-001/notes/source_drive_info.txt

# Record the serial number and model (behind a USB bridge, add -d sat if smartctl
# cannot identify the drive)
smartctl -i /dev/sdb >> /cases/case-2024-001/notes/source_drive_info.txt

# Pre-hash the source device. This is a full extra read pass: skip it on a drive that
# is already showing read errors (sha256sum aborts on the first I/O error and the pass
# only stresses the drive further) and rely on the acquisition tool's inline hash instead
sha256sum /dev/sdb | tee /cases/case-2024-001/hashes/source_hash_before.txt

Step 3: Acquire the Image Using dd

# Basic dd acquisition with progress and error handling. bs is also the padding
# granularity of conv=noerror,sync: one unreadable 512-byte sector costs a full bs of
# zeros in the image, so use bs=512 (or the physical sector size reported by
# 'blockdev --getpbsz /dev/sdb') when sector-accurate gaps matter more than speed.
# status=progress writes to stderr, hence the 2>&1 before tee
dd if=/dev/sdb of=/cases/case-2024-001/images/evidence.dd \
   bs=4096 \
   conv=noerror,sync \
   status=progress 2>&1 | tee /cases/case-2024-001/logs/dd_acquisition.log

# For compressed images to save space (when verifying, hash the decompressed stream,
# not the .gz file, against the source hash)
dd if=/dev/sdb bs=4096 conv=noerror,sync status=progress | \
   gzip -c > /cases/case-2024-001/images/evidence.dd.gz

# Using dd with a specific count for partial acquisition (here the first 1 GiB, e.g.
# partition table and boot area for triage); this is not a substitute for a full image
dd if=/dev/sdb of=/cases/case-2024-001/images/first_1gb.dd \
   bs=1M count=1024 status=progress

Step 4: Acquire Using dcfldd (Preferred Forensic Method)

# Install dcfldd if not present
apt-get install dcfldd

# Acquire image with built-in hashing (SHA-256, plus MD5 where a legacy process needs
# it) and per-1 GiB window hashes in the hashlog; the window hashes localize any later
# mismatch to a 1 GiB region instead of just "the image differs"
dcfldd if=/dev/sdb \
   of=/cases/case-2024-001/images/evidence.dd \
   hash=sha256,md5 \
   hashwindow=1G \
   hashlog=/cases/case-2024-001/hashes/acquisition_hashes.txt \
   bs=4096 \
   conv=noerror,sync \
   errlog=/cases/case-2024-001/logs/dcfldd_errors.log

# Split large images into manageable segments. The output files are named
# evidence.dd.aa, evidence.dd.ab, ... and concatenate in that order to the raw image;
# the hash in the hashlog is the hash of the whole stream, not of any one segment
dcfldd if=/dev/sdb \
   of=/cases/case-2024-001/images/evidence.dd \
   hash=sha256 \
   hashlog=/cases/case-2024-001/hashes/split_hashes.txt \
   bs=4096 \
   split=2G \
   splitformat=aa

# Verification pass: re-read the source and compare it byte-for-byte with the image.
# vf= names the image to verify, so do NOT also pass of= (that would rewrite the very
# file being verified). Results go to verifylog. This verifies an unsplit image; for
# split output, hash the concatenated segments against the source hash instead
dcfldd if=/dev/sdb \
   vf=/cases/case-2024-001/images/evidence.dd \
   verifylog=/cases/case-2024-001/logs/verify.log

Step 5: Verify Image Integrity

# Hash the acquired image
sha256sum /cases/case-2024-001/images/evidence.dd | \
   tee /cases/case-2024-001/hashes/image_hash.txt

# Compare source and image hashes (no output from diff means they match)
diff <(sha256sum /dev/sdb | awk '{print $1}') \
     <(sha256sum /cases/case-2024-001/images/evidence.dd | awk '{print $1}')

# If using split images, record a hash for each segment. These document the individual
# files; the comparison against the source hash needs the segments concatenated in
# lexical order (.aa, .ab, ...) and hashed as one stream
sha256sum /cases/case-2024-001/images/evidence.dd.* | \
   tee /cases/case-2024-001/hashes/split_image_hashes.txt

# Re-hash source to confirm no changes occurred during acquisition (a difference here
# means the write-blocking failed or the drive is degrading, and the image is suspect)
sha256sum /dev/sdb | tee /cases/case-2024-001/hashes/source_hash_after.txt
diff /cases/case-2024-001/hashes/source_hash_before.txt \
     /cases/case-2024-001/hashes/source_hash_after.txt

Step 6: Document the Acquisition Process

# Generate acquisition report. The heredoc delimiter is unquoted so that $(date ...)
# is expanded; with a quoted 'EOF' the report would contain the literal text instead
cat << EOF > /cases/case-2024-001/notes/acquisition_report.txt
DISK IMAGE ACQUISITION REPORT
==============================
Case Number: 2024-001
Date/Time: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
Examiner: [Name]

Source Device: /dev/sdb
Model: [from hdparm output]
Serial: [from hdparm output]
Size: [from fdisk output]

Acquisition Tool: dcfldd v1.9.1
Block Size: 4096
Write Blocker: [Hardware/Software model]

Image File: evidence.dd
Image Hash (SHA-256): [from hash file]
Source Hash (SHA-256): [from hash file]
Hash Match: YES/NO

Errors During Acquisition: [from error log]
EOF

# Compress logs for archival (the image itself stays on the evidence drive; hash this
# package too once it is final so later tampering with the records is detectable)
tar -czf /cases/case-2024-001/acquisition_package.tar.gz \
   /cases/case-2024-001/hashes/ \
   /cases/case-2024-001/logs/ \
   /cases/case-2024-001/notes/
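The six steps above as one script, added here as a worked example; it is not code from the skill or its repository. It assumes a Linux workstation with util-linux (blockdev, lsblk, findmnt), coreutils and dcfldd, the /cases/<case> directory layout used above, and a source drive that can be read cleanly twice (a failing drive belongs with ddrescue, see Scenario 4 below). The device path, the case directory and the helper names are illustrative. What it adds to the commands above: the pre-flight check covers every partition, not only the whole disk; verification works for dcfldd split segments by hashing them concatenated; and the report timestamp is really evaluated.

```bash
#!/usr/bin/env bash
# Added example (not part of the skill): end-to-end acquisition helper for Steps 1-6.
# Assumes util-linux (blockdev, lsblk, findmnt), coreutils and dcfldd; the case-directory
# layout mirrors the one used in the workflow above.
set -euo pipefail

# Step 1 check: refuse to touch a device unless the whole disk AND every partition
# report read-only, and nothing from it is mounted. Partitions are separate block
# devices, so 'blockdev --setro /dev/sdb' alone says nothing about /dev/sdb1.
preflight() {
    local dev=$1 node
    for node in $(lsblk -nrpo NAME "$dev"); do      # disk first, then its partitions
        if [ "$(blockdev --getro "$node")" != 1 ]; then
            echo "preflight: $node is writable; blockdev --setro it first" >&2
            return 1
        fi
        if findmnt -rn -S "$node" >/dev/null; then
            echo "preflight: $node is mounted; unmount before imaging" >&2
            return 1
        fi
    done
}

# SHA-256 over an image given as one file or as dcfldd split segments passed in
# lexical order (evidence.dd.aa, .ab, ...). The concatenation is the raw image, so
# this is the value that has to equal the source hash.
image_sha256() {
    cat "$@" | sha256sum | awk '{print $1}'
}

# Compare the expected (source) hash with the hash of the image file(s).
# Prints the verdict; returns 0 on match, 1 on mismatch.
verify_image() {
    local expected=$1 actual
    shift
    actual=$(image_sha256 "$@")
    if [ "$actual" = "$expected" ]; then
        echo "MATCH $actual"
        return 0
    fi
    echo "MISMATCH expected=$expected actual=$actual" >&2
    return 1
}

# Steps 3-6: image with dcfldd, hash the source once after the copy, verify the
# segments against it and leave a verification record next to the hashes.
acquire() {
    local dev=$1 case_dir=$2 src_hash
    mkdir -p "$case_dir"/{images,hashes,logs,notes}
    preflight "$dev"
    dcfldd if="$dev" of="$case_dir/images/evidence.dd" bs=4096 conv=noerror,sync \
        hash=sha256 hashlog="$case_dir/hashes/acquisition_hashes.txt" \
        split=2G splitformat=aa errlog="$case_dir/logs/dcfldd_errors.log"
    # Independent post-acquisition hash of the source; dcfldd's hashlog cross-checks it
    src_hash=$(sha256sum "$dev" | awk '{print $1}')
    echo "$src_hash  $dev" > "$case_dir/hashes/source_hash_after.txt"
    verify_image "$src_hash" "$case_dir"/images/evidence.dd.* \
        | tee "$case_dir/hashes/verification_result.txt"
    # The timestamp is evaluated here, not buried in a quoted heredoc
    printf 'Case dir: %s\nSource: %s\nAcquired: %s\nSource SHA-256: %s\n' \
        "$case_dir" "$dev" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src_hash" \
        >> "$case_dir/notes/acquisition_report.txt"
}

# Usage: sudo ./acquire.sh /dev/sdb /cases/case-2024-001
# Runs only when a device and a case directory are given.
if [ "$#" -eq 2 ]; then
    acquire "$1" "$2"
fi
```

Because the script runs under set -e with pipefail, a MISMATCH verdict makes acquire exit non-zero, so it cannot silently produce an unverified image; sha256sum aborting on a read error has the same effect, which is the intended behaviour for a drive that should have gone to ddrescue instead.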

Key Concepts

| Concept | Description |
|---|---|
| Bit-for-bit copy | Exact replica of the source including unallocated space and slack space |
| Write blocker | Hardware or software mechanism preventing writes to evidence media |
| Hash verification | Cryptographic hash comparing source and image to prove integrity |
| Block size (bs) | Transfer chunk size affecting speed; 4096 or 64K typical for forensics |
| conv=noerror,sync | Continue on read errors and pad the failed block with zeros to keep offsets aligned; the padding is one full bs, so a large bs zeroes more than the bad sector itself |
| Chain of custody | Documented trail proving evidence has not been tampered with |
| Split imaging | Breaking large images into smaller files for storage and transport |
| Raw/dd format | Bit-for-bit image format without metadata container overhead |

Tools & Systems

| Tool | Purpose |
|---|---|
| dd | Standard Unix disk duplication utility for raw imaging |
| dcfldd | DoD Computer Forensics Laboratory enhanced version of dd with hashing |
| dc3dd | Another forensic dd variant from the DoD Cyber Crime Center |
| sha256sum | SHA-256 hash calculation for integrity verification |
| blockdev | Linux command to set block device read-only mode |
| hdparm | Drive identification and parameter reporting |
| smartctl | S.M.A.R.T. data retrieval for drive health and identification |
| lsblk | Block device enumeration and identification |

Common Scenarios

Scenario 1: Acquiring a Suspect Laptop Hard Drive Connect the drive via a Tableau T35u hardware write-blocker, identify as /dev/sdb, use dcfldd with SHA-256 hashing, split into 4GB segments for DVD archival, verify hashes match, document in case notes.

Scenario 2: Imaging a USB Flash Drive from a Compromised Workstation Use software write-blocking with blockdev --setro, acquire with dcfldd including MD5 and SHA-256 dual hashing, image is small enough for single file, verify and store on encrypted case drive.

Scenario 3: Remote Acquisition Over Network Prefer ssh over raw netcat (netcat sends the image unencrypted and unauthenticated): ssh root@remote "dd if=/dev/sda bs=4096" | dd of=remote_image.dd bs=4096. The remote disk is live and keeps changing during the copy, so re-hashing /dev/sda afterwards will not match the image; hash the stream itself on both ends (tee a copy into sha256sum) and record both digests.
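The both-ends stream hashing for Scenario 3, as an added example that is not part of the skill. It assumes bash and coreutils on both hosts; the host name and device are placeholders. The point it demonstrates: the receiving side hashes exactly the bytes it writes, in the same pass, and the sending side hashes the identical stream before it leaves the host, so the two digests can be compared without ever re-reading a disk that is still changing.

```bash
#!/usr/bin/env bash
# Added example (not from the skill): stream an image over ssh and hash it in flight
# on both ends. Assumes bash + coreutils on both hosts; remote host/device are placeholders.
set -euo pipefail

# Receiving side: write stdin to the image file and compute SHA-256 over exactly the
# bytes written, in one pass (no second read of the image afterwards). Prints the digest.
receive_image() {
    local out=$1
    tee "$out" | sha256sum | awk '{print $1}'
}

# Sending side: the command to run on the remote host. dd reads the device with no
# progress chatter on stdout; tee forks the identical stream into sha256sum, whose
# result goes to the remote's stderr (ssh forwards it to the local terminal) while the
# data goes down the ssh channel. Process substitution needs bash, hence bash -c.
remote_sender_command() {
    local dev=$1
    printf "bash -c 'dd if=%s bs=4M status=none | tee >(sha256sum >&2)'" "$dev"
}

# Full exchange (not run here; needs the remote host):
#   ssh root@remote "$(remote_sender_command /dev/sda)" | receive_image remote_image.dd
# The remote digest arrives on stderr, receive_image prints the local one; both go into
# the case notes and must agree. Only the stream hashes are comparable: a fresh
# sha256sum of /dev/sda on the live remote will differ because the disk kept changing.
```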

Scenario 4: Acquiring from a Failing Drive Use GNU ddrescue with a mapfile: it copies the readable areas first, comes back to retry the bad ones, and records every unreadable range in the mapfile. Regions that stay unreadable are left unwritten in the output (they read back as zeros), so a second dd pass with conv=noerror,sync adds nothing and only puts more wear on a dying drive; skip the source pre-hash for the same reason. Document the unreadable sectors from the mapfile in the error log and report.
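The failing-drive workflow from Scenario 4, added here as an example that is not part of the skill. It assumes GNU ddrescue (Debian package gddrescue) is installed, the device and file names are placeholders, and the sector size defaults to 512 bytes. The rescue function shows the usual two-pass invocation; the mapfile parsers turn ddrescue's record of bad areas into the sector list the report's "Errors During Acquisition" line needs. The mapfile layout relied on (hex "pos size status" block lines, status '-' for a bad area) is documented ddrescue behaviour; the sample mapfile in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the skill): rescue a failing drive with GNU ddrescue and list
# the unreadable sectors from its mapfile. Assumes gddrescue is installed; device, file
# names and the 512-byte sector size are assumptions.
set -euo pipefail

# Two-pass rescue sharing one mapfile (the run can be interrupted and resumed):
# pass 1 grabs the bulk of the readable data and skips over errors without scraping
# (-n); pass 2 retries the bad areas up to three times (-r3). -d uses direct I/O so the
# kernel page cache does not mask which reads really failed.
rescue_drive() {
    local dev=$1 img=$2 map=$3
    ddrescue -d -n "$dev" "$img" "$map"
    ddrescue -d -r3 "$dev" "$img" "$map"
}

# Mapfile block lines are "pos size status" with hex pos/size; status '-' marks a bad
# area. Comment lines and the current-position header line (whose second field is a
# status letter, not hex) are skipped. Prints one "start_sector sector_count" line per
# unreadable range, in units of SECTOR bytes (default 512).
unreadable_ranges() {
    local map=$1 sector=${2:-512} pos size status rest
    while read -r pos size status rest; do
        case "$pos" in 0x*) ;; *) continue ;; esac
        case "$size" in 0x*) ;; *) continue ;; esac
        [ "$status" = "-" ] || continue
        printf '%d %d\n' $(( pos / sector )) $(( size / sector ))
    done < "$map"
}

# Total bytes that remained unreadable; this is what the report's
# "Errors During Acquisition" line should state.
unreadable_bytes() {
    local map=$1 total=0 pos size status rest
    while read -r pos size status rest; do
        case "$pos" in 0x*) ;; *) continue ;; esac
        case "$size" in 0x*) ;; *) continue ;; esac
        if [ "$status" = "-" ]; then
            total=$(( total + size ))
        fi
    done < "$map"
    echo "$total"
}

# Usage (not run here; needs the drive):
#   rescue_drive /dev/sdb /cases/case-2024-001/images/evidence.dd /cases/case-2024-001/logs/evidence.map
#   unreadable_ranges /cases/case-2024-001/logs/evidence.map > /cases/case-2024-001/logs/bad_sectors.txt
#   unreadable_bytes  /cases/case-2024-001/logs/evidence.map
```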

Output Format

Acquisition Summary:
  Source:       /dev/sdb (500GB Western Digital WD5000AAKX)
  Destination:  /cases/case-2024-001/images/evidence.dd
  Tool:         dcfldd 1.9.1
  Block Size:   4096 bytes
  Duration:     2h 15m 32s
  Bytes Copied: 500,107,862,016
  Errors:       0 bad sectors
  Source SHA-256:  a3f2b8c9d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1
  Image SHA-256:   a3f2b8c9d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1
  Verification:    PASSED - Hashes match

How to use acquiring-disk-image-with-dd-and-dcfldd on Cursor

AI-first code editor with Composer

1. Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add acquiring-disk-image-with-dd-and-dcfldd

2. Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$ npx skills install mukul975/Anthropic-Cybersecurity-Skills/acquiring-disk-image-with-dd-and-dcfldd

The skills CLI fetches acquiring-disk-image-with-dd-and-dcfldd from the GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3. Select Cursor when prompted

The CLI will show a list of available agents. Use the arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ● Cursor (selected)
│ • Windsurf

4. Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/acquiring-disk-image-with-dd-and-dcfldd

Reload or restart Cursor to activate acquiring-disk-image-with-dd-and-dcfldd. Access the skill through slash commands (e.g., /acquiring-disk-image-with-dd-and-dcfldd) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. Install skill using provided installation command
  2. Test with simple use case relevant to your work
  3. Evaluate output quality and relevance
  4. Iterate on prompts to improve results
  5. Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • Start with clear, specific prompts
  • Provide relevant context and constraints
  • Review and refine all outputs before using
  • Iterate to improve output quality
  • Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. Familiarize yourself with skill capabilities and limitations
  2. Start with low-risk, non-critical tasks
  3. Progress to more complex and valuable use cases
  4. Build expertise through regular use and experimentation

Reviews

Ratings: 4.5 (67 reviews)
  • Carlos Ndlovu · Dec 28, 2024

    I recommend acquiring-disk-image-with-dd-and-dcfldd for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • Dev Kapoor · Dec 28, 2024

    We added acquiring-disk-image-with-dd-and-dcfldd from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Chaitanya Patil · Dec 24, 2024

    Useful defaults in acquiring-disk-image-with-dd-and-dcfldd — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Emma Chen · Dec 16, 2024

    acquiring-disk-image-with-dd-and-dcfldd fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Carlos Mehta · Dec 12, 2024

    Useful defaults in acquiring-disk-image-with-dd-and-dcfldd — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Neel Choi · Dec 4, 2024

    Registry listing for acquiring-disk-image-with-dd-and-dcfldd matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Luis Wang · Nov 19, 2024

    Solid pick for teams standardizing on skills: acquiring-disk-image-with-dd-and-dcfldd is focused, and the summary matches what you get after install.

  • Aanya Khanna · Nov 19, 2024

    acquiring-disk-image-with-dd-and-dcfldd reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Arya Choi · Nov 19, 2024

    Keeps context tight: acquiring-disk-image-with-dd-and-dcfldd is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Piyush G · Nov 15, 2024

    acquiring-disk-image-with-dd-and-dcfldd has been reliable in day-to-day use. Documentation quality is above average for community skills.
