dc3dd - Latest 6.12.3

Quick Links

Download dc3dd
The dc3dd manual page
GNU manual on dd
The GNU Coreutils homepage
Changelog
Sourceforge project page - Home to development and feature requests

Introduction

dc3dd is a patched version of GNU dd to include a number of features useful for computer forensics. Many of these features were inspired by dcfldd, but were rewritten for dc3dd.

Pattern writes. The program can write a single hexadecimal value or a text string to the output device for wiping purposes.
Piecewise and overall hashing with multiple algorithms and variable size windows. Supports MD5, SHA-1, SHA-256, and SHA-512. Hashes can be computed before or after conversions are made.
Progress meter with automatic input/output file size probing
Combined log for hashes and errors
Error grouping. Produces one error message for identical sequential errors
Verify mode. Able to repeat any transformations done to the input file and compare it to an output.
Ability to split the output into chunks with numerical or alphabetic extensions

Design Notes

Here are some important notes about the design of dc3dd. Although some of these are changes from the default GNU dd behavior, others serve only to document the design.

Default Blocksize is 32768 bytes

For increased performance, the default block size is now 32KiB. The output file is trimmed to the size of the input device regardless of block size, so the output is exactly the same as with a block size of 512 bytes.

Sector Error Recovery

When an error is encountered and the block size is greater than the device's sector size, the entire block is no longer lost. When error recovery is enabled (conv=sync,noerror), dc3dd seeks back to the beginning of the block and attempts to read each sector individually. Good sectors are acquired and bad sectors are replaced with zeros. This results in imaging the good areas of a device at high speed without losing entire blocks of data around bad sectors.

To be effective, this mode requires direct I/O enabled (iflag=direct on Linux, /dev/rdisk* on Mac OS X).

Sector Addressing

Error messages report physical sector addresses (based on the device's reported sector size). The skip, seek, and count options take sector counts.

Detailed Log Files

When logging is enabled, dc3dd logs the compile options, command-line options, start time, end time, bytes transferred, any errors encountered, and termination reason. Given a dc3dd log file, any imaging process can be repeated exactly.

Log Files are Appending

When the user specifies the flags to generate logs (i.e. log, errorlog, or hashlog), the output files are opened in append mode, not overwrite mode. This means that the new logs are appended to any existing log files.

Supported Platforms

The program should run on any platform supported by Coreutils.

Solaris Notes

You must have the gperf and gettext packages installed.

FreeBSD Notes

You must have the gettext and libiconv packages installed.

Download dc3dd

Stable Version

The latest stable version of dc3dd is version 6.12.3 and was released on 19 Mar 2009. Be sure to verify the SHA256 hash for your download before using the program! Version numbers for dc3dd packages correspond to the version of the GNU Coreutils suite upon which they're based. You can take a look at the complete changelog, but here are the changes in the latest version:

New Features

Startup message now includes version number
Hashes always printed to console, even when hashlog/log is enabled
Update blockbench.pl script for OS X compatibility

Bug Fixes

Fixes a buffer overflow that was causing incorrect hashwindow hashes to be displayed on OS X.
Fixes a crash when verifying against an empty file

Version 6.12.3	19 Mar 2009	gzip source code (4.1M)	SHA256 cd1e0486f18441c726d3de02087af8dbe10f29cec627f4aa7094dd3ac075f024
		bzip2 source code (2.8M)	SHA256 c723a24a97291faf43e77ab91229c1bfab97156e3d2bd8ff94e9b2c261ca7ec9

Beta Version

There is no beta version of dc3dd right now. If you have any problems or would like to see something added to dc3dd, please send mail to the developer at dc3dd@dc3.mil or visit the Sourceforge project page.

Older Versions

Although older versions of dc3dd are available for historical purposes, you shouldn't use these unless you have a truly compelling reason.

Version 6.12.2	12 Nov 2008	gzip source code (4.1M)	SHA256 442c4ecf0af59a6c1b5dbc91e7a69f08ab086f36307f17fbef1d8ada8b20314c
		bzip2 source code (2.8M)	SHA256 c313e440a661ea9d43aee6d035a30dfd7a66a1bbc052ca5439140ef8de1d0303
Version 6.12.1	7 Oct 2008	gzip source code (4.1M)	SHA256 c506c061c3a8871ccd6168dde7221ce96277e146417eef21bca1ca6b5cace70e
		bzip2 source code (2.8M)	SHA256 23798a2218a622d5a14ff77fd0398ee2675c3120a2ab53a14b6f447ba135da5d
Version 6.9.91	1 Feb 2008	gzip source code	SHA256 2851e123456881b3b4a8cb2684d3442a428ee06907c36dfbe16275a21ddf26b4

License

The short answer: dc3dd is licensed under version 3 of the General Public License.

The complete answer: dc3dd is an improvement of the existing GNU dd program. GNU dd is licensed under version 3 of the General Public License (GPL). These improvements were made (and are now maintained) by the DoD Cyber Crime Center, an agency of the United States Government. By law, works of the United States Government are not eligible for copyright protection (17 USC 105). In accordance with the the GPL FAQ, the improvements made by the DoD Cyber Crime Center are public domain and the project as a whole remains licensed under the GPL.

Contact

Please send all correspondence to dc3dd@dc3.mil .

Acknowledgements

The testing of this program was made possible in part thanks to the generosity of the Computer Science Department at the University of Iowa.

This page was last updated on