acquiring-disk-image-with-dd-and-dcfldd


Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.

By oyi77. Updated 6/8/2026.

name: acquiring-disk-image-with-dd-and-dcfldd
description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
domain: cybersecurity
tags:
  • forensics
  • disk-imaging
  • evidence-acquisition
  • dd
  • dcfldd
  • hash-verification
subdomain: digital-forensics
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
  • RS.AN-01
  • RS.AN-03
  • DE.AE-02
  • RS.MA-01

Acquiring Disk Image with dd and dcfldd

Overview

This skill covers acquiring a bit-for-bit disk image with dd and dcfldd, following industry best practices and security standards for evidence handling.

When to Use

  • When you need to create a forensic copy of a suspect drive for investigation
  • During incident response when preserving volatile disk evidence before analysis
  • When law enforcement or legal proceedings require a verified bit-for-bit copy
  • Before performing any destructive analysis on a storage device
  • When acquiring images from physical drives, USB devices, or memory cards

When NOT to Use

  • When you lack proper authorization for testing
  • For production systems without change management
  • When the task requires legal or compliance expertise beyond technical scope

Prerequisites

  • Linux-based forensic workstation (SIFT, Kali, or any Linux distro)
  • dd (pre-installed on all Linux systems) or dcfldd (enhanced forensic version)
  • Write-blocker hardware or software write-blocking configured
  • Destination drive with sufficient storage (larger than source)
  • Root/sudo privileges on the forensic workstation
  • SHA-256 or MD5 hashing utilities (sha256sum, md5sum)

Workflow

# Example: IOC detection (this helper is not specific to disk imaging, but the
# hash patterns are handy for pulling MD5/SHA-256 digests out of acquisition
# logs and hash files)
import re

IOC_PATTERNS = {
    "ip": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "domain": r"\b[a-z0-9-]+\.[a-z]{2,}\b",
    "hash_md5": r"\b[a-f0-9]{32}\b",
    "hash_sha256": r"\b[a-f0-9]{64}\b",
}

def extract_iocs(text: str) -> dict:
    """Return each IOC type with its de-duplicated matches, in order of first
    appearance. re.IGNORECASE so upper-case hex digests (as some tools print
    them) are still matched."""
    return {
        kind: list(dict.fromkeys(re.findall(pattern, text, re.IGNORECASE)))
        for kind, pattern in IOC_PATTERNS.items()
    }

  1. Define Objectives — Clarify the goals and scope of the disk image acquisition.
  2. Gather Resources — Collect the tools, storage, and access needed for the acquisition.
  3. Execute Process — Carry out the imaging operations methodically.
  4. Verify Quality — Check results against acceptance criteria (matching source and image hashes).
  5. Document Outcomes — Record findings, decisions, and next steps.

Tools

  • dd and dcfldd — Primary tools for this skill
  • Analysis Platform — Data processing and visualization
  • Collaboration Tools — Team coordination and knowledge sharing

Verification

  • All disk image procedures executed completely and documented
  • Findings validated against multiple data sources
  • False positives identified and filtered
  • Results documented with evidence and timestamps
  • Recommendations provided with risk-based prioritization
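The following script is an added example, not code from the skill's repository: it carries out workflow steps 3 and 4 (image, then verify) and produces the timestamped, hash-backed record the Verification checklist asks for. It uses dcfldd when it is installed and falls back to dd otherwise. Every path is a caller-supplied assumption; the stand-alone demo at the bottom images a constructed 1 MiB file rather than any real device, so it runs offline.

```shell
#!/bin/sh
# Added example (not the skill's own code): bit-for-bit acquisition with
# dcfldd or dd, followed by SHA-256 verification of source against image.
set -eu

# verify_image SRC DEST
# Hashes SRC and DEST with SHA-256, writes DEST.sha256 beside the image so the
# copy can be re-checked later with `sha256sum -c`, and returns 0 only on a match.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    dest_hash=$(sha256sum "$2" | cut -d' ' -f1)
    printf '%s  %s\n' "$dest_hash" "$2" > "$2.sha256"
    printf 'source %s\nimage  %s\n' "$src_hash" "$dest_hash"
    [ "$src_hash" = "$dest_hash" ]
}

# acquire_image SRC DEST LOG
# Copies SRC to DEST sector by sector, appends the imaging tool's own record
# counts and UTC timestamps to LOG, then verifies the image.
# bs=512 is deliberate: conv=sync zero-pads a short final read up to bs, so a
# larger block size that does not divide the device size silently appends
# zeros to the image and the hashes will not match.
acquire_image() {
    src="$1"; dest="$2"; log="$3"
    printf 'start %s\nsource %s\nimage %s\n' "$(date -u +%FT%TZ)" "$src" "$dest" >> "$log"
    if command -v dcfldd >/dev/null 2>&1; then
        # dcfldd hashes the stream as it is read and records it in hashlog,
        # which is the hash of the data exactly as the source delivered it.
        dcfldd if="$src" of="$dest" bs=512 conv=noerror,sync \
               hash=sha256 hashlog="$log.hash" 2>>"$log"
    else
        # noerror: continue past unreadable sectors; sync: pad them with zeros
        # so every later sector keeps its original offset in the image.
        dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log"
    fi
    sync
    if verify_image "$src" "$dest" >> "$log"; then
        printf 'end %s VERIFIED\n' "$(date -u +%FT%TZ)" >> "$log"
    else
        printf 'end %s HASH MISMATCH\n' "$(date -u +%FT%TZ)" >> "$log"
        return 1
    fi
}

# Stand-alone demo on a constructed 1 MiB source file; no real device is read.
work=$(mktemp -d)
yes 'constructed sector data' | head -c 1048576 > "$work/source.raw"
acquire_image "$work/source.raw" "$work/evidence.dd" "$work/acquisition.log"
cat "$work/acquisition.log"
rm -rf "$work"
```

On a real acquisition the first argument is the write-blocked device path (for example a path under /dev chosen from the workstation's device list), the destination sits on the larger evidence drive, and the log plus the .sha256 and dcfldd hashlog files travel with the image. A mismatch makes the function return non-zero and writes HASH MISMATCH to the log, so a wrapper can refuse to continue rather than analyse an unverified copy.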

Anti-Rationalization

  • Rationalization: "We are too small to be targeted"
    Reality: Automated attacks target everyone. Size does not matter.
  • Rationalization: "Security slows us down"
    Reality: A breach slows you down 100x more. Build security in from the start.
  • Rationalization: "We will fix it after launch"
    Reality: Vulnerabilities in production are exploited within hours. Fix before deploy.

Install via CLI

npx skills add https://github.com/oyi77/1ai-skills --skill acquiring-disk-image-with-dd-and-dcfldd

Repository Details

  • Stars: 3
  • Forks: 0
  • Branch: main
  • Path: SKILL.md