dc3dd vs dd

3 Posts
3 Users
0 Likes
1,631 Views
(@forensicinsider)
Posts: 1
New Member
Topic starter
 

I am new to computer forensics and I'm wondering if it's better to use dd or dc3dd.

So far, based on what I found, dc3dd is good in the sense that it's able to generate a hash of the drive and log important information.

However, the issue is that it's not installed by default and to use it I have to execute apt-get.

I'm supporting the usage of dc3dd but wonder if there's strong points to back this up.

My questions are

1) By using apt-get, am I right that unallocated space will be allocated to install it?

2) If so, how would we justify that it's the best method used since we did modification to the evidence disk?

 
Posted : 28/02/2013 10:59 am
(@twjolson)
Posts: 417
Honorable Member
 

From the context, it sounds like you are asking if it's ok to install dc3dd on a live machine, which you will then image?

No. Just no.

When you respond to a live machine, you bring your own, verified, tools. You pointed out the obvious downside to installing dc3dd. But what about using dd on the live machine? How do you know that is even a good copy? How do you know that it isn't a hacked version, set up to help the hacker hide his files and tools (say, zero filling in the sectors they occupy)?

You can get statically linked binaries of programs. They should run straight from a flash drive.

Here is a webpage I found to do just that
http://www.vmforensics.org/?p=61

 
Posted : 28/02/2013 11:30 am
(@pragmatopian)
Posts: 154
Estimable Member
 

1) By using apt-get, am I right that unallocated space will be allocated to install it?

2) If so, how would we justify that it's the best method used since we did modification to the evidence disk?

The first rule of Digital Forensics is that you do not talk about Digital Forensics ) The second rule of Digital Forensics is that you shouldn't alter the source system if you can achieve your objectives while avoiding it.

If you're able to work on a dead disk, boot to a Forensic distro (e.g. Paladin) on a CD-ROM or flash drive. You'll struggle to find a Forensic distro that doesn't have dc3dd (which I would recommend in preference to DD for the reasons you describe).

If you're working on a live system, minimise your footprint by running the software from a flash drive as twjolson suggests. Besides dc3dd there are also CLI versions of FTK Imager for Debian/Ubuntu and Fedora/Red Hat.

 
Posted : 28/02/2013 5:02 pm
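The two replies above make the same practical point: bring your own verified tools on a flash drive rather than installing anything on the evidence machine, and let dc3dd record hashes and a log while it images. The POSIX shell script below is an added example written for this thread; it is not code from either poster or from the dc3dd project. It assumes a hypothetical toolkit directory on the flash drive holding statically linked binaries together with a manifest of their SHA-256 sums produced earlier on a trusted workstation, and it uses dc3dd's real if=, of=, hash=, log= and hlog= options. The sample "kit" and "disk" it builds are constructed stand-ins so the checks can run offline; only the dc3dd call itself needs a real device and the real tool.

```shell
#!/bin/sh
# Added example (not from the thread): verify a bring-your-own toolkit before
# imaging, then confirm the acquired image hashes the same as its source.
# Toolkit layout, manifest name and device paths are hypothetical.

# SHA-256 of a file as a bare hex string (sha256sum on Linux, shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Check every tool named in a manifest ("<sha256>  <name>" per line, the
# sha256sum -c format) against the binaries in the kit directory.
# Returns 0 only if every listed tool is present and hashes as recorded;
# a missing or altered tool (e.g. a trojaned dd on the suspect box) fails.
verify_toolkit() {
    kit_dir=$1
    manifest=$2
    status=0
    while read -r expected name; do
        if [ -z "$name" ]; then continue; fi
        if [ ! -f "$kit_dir/$name" ]; then
            echo "MISSING  $name" >&2; status=1; continue
        fi
        actual=$(hash_file "$kit_dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name" >&2; status=1
        fi
    done < "$manifest"
    return $status
}

# Acquire a block device with the kit's own dc3dd, hashing the input stream
# as it is read (hash=) and writing the run log and hash log beside the image.
# Needs a real device and the real tool, so it is not exercised in the demo.
image_with_dc3dd() {
    kit_dir=$1; device=$2; out=$3
    "$kit_dir/dc3dd" if="$device" of="$out.dd" hash=sha256 \
        log="$out.log" hlog="$out.hash"
}

# Independent post-acquisition check: the image must hash identically to the
# source it was taken from. Exit status is the comparison result.
verify_image_hash() {
    src=$1; img=$2
    [ "$(hash_file "$src")" = "$(hash_file "$img")" ]
}

# Constructed sample data: a fake kit with a manifest and a small "disk" file,
# so the functions above can be exercised without hardware. Prints the dir.
setup_demo() {
    demo=$(mktemp -d)
    mkdir "$demo/kit"
    printf 'fake static dc3dd binary\n' > "$demo/kit/dc3dd"
    printf 'fake static dd binary\n'    > "$demo/kit/dd"
    {
        printf '%s  dc3dd\n' "$(hash_file "$demo/kit/dc3dd")"
        printf '%s  dd\n'    "$(hash_file "$demo/kit/dd")"
    } > "$demo/manifest.sha256"
    printf 'pretend this is an evidence disk\n' > "$demo/source.img"
    echo "$demo"
}

# Stand-alone walkthrough: run as "sh script.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    D=$(setup_demo)
    verify_toolkit "$D/kit" "$D/manifest.sha256" || exit 1
    dd if="$D/source.img" of="$D/copy.dd" bs=512 2>/dev/null   # stands in for dc3dd here
    verify_image_hash "$D/source.img" "$D/copy.dd" && echo "image hash matches source"
fi
```

In practice the manifest is generated once (sha256sum on the kit directory) on a clean workstation and travels with the kit; verify_toolkit is run from the flash drive before anything else touches the live system, and the value in the hlog file is what goes into the acquisition notes alongside the independent re-hash of the image.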