{"id":2397,"date":"2025-08-28T10:17:54","date_gmt":"2025-08-28T08:17:54","guid":{"rendered":"https:\/\/www.fabriziogiancola.eu\/?p=2397"},"modified":"2025-10-16T10:28:39","modified_gmt":"2025-10-16T08:28:39","slug":"dd-vs-dcfldd","status":"publish","type":"post","link":"https:\/\/www.fabriziogiancola.eu\/index.php\/2025\/08\/28\/dd-vs-dcfldd\/","title":{"rendered":"dd vs dcfldd vs dc3dd"},"content":{"rendered":"\n<p>A practical \u201cquick reference\u201d to <strong>dd<\/strong>, <strong>dcfldd<\/strong> and <strong>dc3dd<\/strong> for use in digital forensics: differences, good practices and ready-to-use commands.<\/p>\n\n\n\n<p class=\"has-dark-gray-color has-very-light-gray-to-cyan-bluish-gray-gradient-background has-text-color has-background has-link-color has-medium-font-size wp-elements-347577257be7936a0bc1a87d9a01fc78\"><strong>What it is and what changes<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>dd (GNU coreutils)<\/strong><\/p>\n\n\n\n<p>The standard Unix\/Linux tool for copying and converting files, but lacking advanced features such as computing multiple checksums, multiple output files or a verification mode. In practice:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>it copies byte-for-byte from\/to a device or file (\u201craw\u201d .dd images);<\/li>\n\n\n\n<li>it is everywhere (Linux, macOS, many live CDs);<\/li>\n\n\n\n<li>it does a few things, well: for hashing, splitting, logging etc. you need other tools (e.g. 
<code>sha256sum<\/code>, <code>split<\/code>, <code>pv<\/code>).<\/li>\n<\/ul>\n\n\n\n<p class=\"has-medium-font-size\"><strong>dcfldd (forensic dd)<\/strong><\/p>\n\n\n\n<p><code>dcfldd<\/code> is an enhanced fork of <code>dd<\/code>, developed by the United States Department of Defense for computer forensics purposes. The key differences are that <code>dcfldd<\/code> lets you specify multiple output files, computes multiple checksums simultaneously, includes a verification mode for comparing files and displays a progress percentage, all features not available in <code>dd<\/code>. So, in practice:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>on-the-fly hashing<\/strong> (<code>hash=sha256<\/code>\/<code>sha1<\/code>\/<code>md5<\/code>\/<code>sha512<\/code>) with <strong>automatic saving<\/strong> (<code>hashlog=<\/code>);<\/li>\n\n\n\n<li><strong>logging of errors and damaged sectors<\/strong> (<code>errlog=<\/code>);<\/li>\n\n\n\n<li><strong>periodic progress\/status<\/strong> (<code>statusinterval=<\/code>);<\/li>\n\n\n\n<li><strong>automatic splitting<\/strong> into forensic chunks (<code>ofsplit=<\/code>) and <strong>multiple outputs<\/strong> (several <code>of=<\/code> in the same acquisition);<\/li>\n\n\n\n<li>post-acquisition <strong>verification<\/strong> against the original (<code>vf=<\/code>\/<code>verifyfile=<\/code>);<\/li>\n\n\n\n<li><strong>pattern write<\/strong> (e.g. 
wiping with <code>pattern=00<\/code>); useful for sanitizing destination disks, not the evidence.<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>In short: <strong>dd<\/strong> is minimal and universally available; <strong>dcfldd<\/strong> reduces operator errors and speeds up forensic procedures (hash, log, split, verify) in a single pass.<\/p>\n<\/blockquote>\n\n\n\n<h1 class=\"wp-block-heading has-medium-font-size\"><strong>Good practices before acquiring<\/strong><\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Hardware write-blocker<\/strong> (preferred). If unavailable, set the device <strong>read-only<\/strong> in software:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code><em># 1) List disks with the RO flag<\/em>\nlsblk -o NAME,RO,SIZE,TYPE,MODEL,SERIAL\n\n<em># 2) Set read-only (on the whole device, not on the partition)<\/em>\nsudo blockdev --setro \/dev\/sdX\n\n<em># 3) Check that it is read-only (1 = RO enabled)<\/em>\nsudo blockdev --getro \/dev\/sdX\n\n<em># 4) Review the state<\/em>\nlsblk -d -o NAME,RO,SIZE,MODEL,SERIAL\n\n<em># To return to R\/W:<\/em>\nsudo blockdev --setrw \/dev\/sdX<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identify the right device and capture its state: <code>sudo fdisk -l \/dev\/sdX<\/code><\/li>\n\n\n\n<li>Prepare the <strong>case folder<\/strong> with consistent naming (case ID, ISO date, operator).<\/li>\n\n\n\n<li>Record in a <strong>log<\/strong>: media model\/serial, pre\/post hashes, tool\/parameters, times, errors and countermeasures.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading has-dark-gray-color has-very-light-gray-to-cyan-bluish-gray-gradient-background has-text-color has-background has-link-color has-medium-font-size wp-elements-a904c09c7d1b5b3b72082d198fbacade\"><strong>Examples with dd 
(baseline)<\/strong><\/h1>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>1) Raw acquisition with error handling and progress<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dd if=\/dev\/sdX of=\/evidence\/Caso123\/disk.dd \\\n  bs=4M conv=noerror,sync status=progress iflag=fullblock<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>conv=noerror,sync<\/code>: continues past read errors and <strong>pads with zeros<\/strong> to preserve alignment;<\/li>\n\n\n\n<li><code>iflag=fullblock<\/code>: avoids partial reads (useful with pipes\/streams);<\/li>\n\n\n\n<li><code>status=progress<\/code>: progress display (GNU dd).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>2) Post-acquisition hash (SHA-256 recommended)<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/evidence\/Caso123\nsha256sum disk.dd | tee disk.dd.sha256.txt<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading has-dark-gray-color has-very-light-gray-to-cyan-bluish-gray-gradient-background has-text-color has-background has-link-color has-medium-font-size wp-elements-c1f0b4c47a8b6853399d163ba8b461ad\">Examples with dcfldd (forensic-friendly)<\/h1>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>1) Acquisition + on-the-fly hash + log<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dcfldd if=\/dev\/sdX of=\/evidence\/Caso123\/disk.dd \\\n  bs=4M conv=noerror,sync \\\n  hash=sha256 hashlog=\/evidence\/Caso123\/disk.dd.sha256.txt \\\n  errlog=\/evidence\/Caso123\/dcfldd.errors.log \\\n  statusinterval=30<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a single pass produces <strong>image + hash + error log<\/strong>;<\/li>\n\n\n\n<li><code>statusinterval=30<\/code>: prints status every 30 s.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>2) Dual destination 
(original + working copy)<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dcfldd if=\/dev\/sdX \\\n  of=\/evidence\/Caso123\/disk.dd \\\n  of=\/lab\/Caso123\/disk_working.dd \\\n  bs=4M conv=noerror,sync \\\n  hash=sha256 hashlog=\/evidence\/Caso123\/disk.dd.sha256.txt \\\n  errlog=\/evidence\/Caso123\/dcfldd.errors.log \\\n  statusinterval=30<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduces the risk of divergence between \u201cmaster\u201d and \u201cworking copy\u201d when devices are damaged.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>3) Automatic splitting into chunks (e.g. 2 GiB) for storage\/FAT32<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dcfldd if=\/dev\/sdX of=\/evidence\/Caso123\/disk.dd \\\n  bs=4M conv=noerror,sync \\\n  ofsplit=2G \\\n  hash=sha256 hashlog=\/evidence\/Caso123\/disk.dd.sha256.txt \\\n  statusinterval=30\n<em># Reassembly (the [0-9]* glob skips disk.dd.sha256.txt in the same folder):<\/em>\ncat \/evidence\/Caso123\/disk.dd.[0-9]* &gt; \/restore\/disk.dd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>4) Verify that image and device match<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code><em># Offline, with the device still read-only:<\/em>\nsudo dcfldd if=\/dev\/sdX vf=\/evidence\/Caso123\/disk.dd \\\n  hash=sha256 statusinterval=30<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>vf=<\/code> (verify file) compares the streams (also useful after transfers\/disk copies).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>5) Detailed log of damaged sectors<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dcfldd if=\/dev\/sdX of=\/evidence\/Caso123\/disk.dd \\\n  bs=512 conv=noerror,sync \\\n  errlog=\/evidence\/Caso123\/badsectors.log \\\n  statusinterval=30<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>With <code>bs=512<\/code> you get 
<strong>sector-by-sector<\/strong> detail (slower but more precise for bad blocks).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading has-dark-gray-color has-very-light-gray-to-cyan-bluish-gray-gradient-background has-text-color has-background has-link-color has-medium-font-size wp-elements-bb114c928f076602a388d30b1fa80183\">Operational notes and tips<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Block size (<code>bs<\/code>)<\/strong>: 4M is a good performance\/reliability trade-off. For unstable media you can go lower (1M or 512B) to increase the granularity of retries\/padding;<\/li>\n\n\n\n<li><strong>OS cache<\/strong>: in some contexts <code>oflag=direct<\/code>\/<code>iflag=direct<\/code> are used to bypass the cache. Check that your <code>dd<\/code> supports them and weigh the performance impact;<\/li>\n\n\n\n<li><strong>formats<\/strong>: dd\/dcfldd produce <strong>RAW<\/strong>. If your workflow requires <strong>E01\/Ex01<\/strong> (metadata + compression + native segmentation), use the <strong>libewf<\/strong> tools (<code>ewfacquire<\/code>) instead;<\/li>\n\n\n\n<li><strong>preservation<\/strong>: keep the <strong>master unmodified<\/strong>; always work on a verified <strong>working copy<\/strong> and document every step;<\/li>\n\n\n\n<li><strong>sanitizing destination disks<\/strong> before reuse (not the evidence!). Example, zeroing a DESTINATION disk: <code>sudo dcfldd if=\/dev\/zero of=\/dev\/sdY bs=4M pattern=00 statusinterval=30<\/code><\/li>\n\n\n\n<li><strong>non-Linux environments<\/strong>: on Windows it is common to work from a live Linux or a forensic appliance. Alternatively, consider dedicated tools (FTK Imager, etc.) 
when policy allows.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading has-dark-gray-color has-very-light-gray-to-cyan-bluish-gray-gradient-background has-text-color has-background has-link-color has-medium-font-size wp-elements-8dfd39ad0799e797335ce888ed518bc9\">Mini \u201ccheat-sheet\u201d<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>dd, quick acquisition + progress<\/strong> <code>dd if=\/dev\/sdX of=case\/img.dd bs=4M conv=noerror,sync status=progress iflag=fullblock; sha256sum case\/img.dd &gt; case\/img.dd.sha256.txt<\/code><\/li>\n\n\n\n<li><strong>dcfldd, full acquisition (hash+log)<\/strong> <code>dcfldd if=\/dev\/sdX of=case\/img.dd bs=4M conv=noerror,sync hash=sha256 hashlog=case\/img.dd.sha256.txt errlog=case\/errors.log statusinterval=30<\/code><\/li>\n\n\n\n<li><strong>dcfldd, split + dual output + verification<\/strong> <code>dcfldd if=\/dev\/sdX of=case\/img.dd of=\/backup\/img.dd ofsplit=2G bs=4M conv=noerror,sync hash=sha256 hashlog=case\/img.dd.sha256.txt statusinterval=30; dcfldd if=\/dev\/sdX vf=case\/img.dd hash=sha256 statusinterval=30<\/code><\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading has-dark-gray-color has-very-light-gray-to-cyan-bluish-gray-gradient-background has-text-color has-background has-link-color has-medium-font-size wp-elements-d32f94cff6bce8124daba4f7a6ace3bc\"><strong>What dc3dd is<\/strong><\/h1>\n\n\n\n<p><strong>dc3dd<\/strong> is a version of <code>dd<\/code> patched by the DoD Cyber Crime Center (DC3) and designed for forensics. 
It adds native features such as on-the-fly hashing (MD5\/SHA-1\/SHA-256\/SHA-512), detailed logs (including machine-readable ones), splitting into segments, progress, grouped error logging and wipe\/verify functions.<\/p>\n\n\n\n<p>In addition, unlike <strong>dcfldd<\/strong> (which is a <em>fork<\/em>), <strong>dc3dd<\/strong> is a <em>patch<\/em> to <code>dd<\/code>: broadly speaking it follows <code>dd<\/code> updates and has a different option set (not 1:1 with dcfldd).<\/p>\n\n\n\n<h1 class=\"wp-block-heading has-dark-gray-color has-very-light-gray-to-cyan-bluish-gray-gradient-background has-text-color has-background has-link-color has-medium-font-size wp-elements-5ce762622ee0ff5954e8505aa49873a0\"><strong>Key differences (dd vs dcfldd vs dc3dd)<\/strong><\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>dd (baseline)<\/strong>: minimal and everywhere; for hash\/split\/log it must be combined with other tools.<\/li>\n\n\n\n<li><strong>dcfldd (fork)<\/strong>: designed for DFIR; <code>hash=\u2026<\/code> + <code>hashlog=\u2026<\/code>, <code>errlog=\u2026<\/code>, <code>ofsplit=\u2026<\/code>, <code>vf=<\/code> for verification against the original; multiple outputs by repeating <code>of=<\/code>.<\/li>\n\n\n\n<li><strong>dc3dd (patch)<\/strong>: its own commands and option names:<\/li>\n\n\n\n<li><strong>Hashing<\/strong>: <code>hash=md5|sha1|sha256|sha512<\/code>; logs in <code>log=<\/code> and\/or <code>hlog=<\/code> (totals and <em>piecewise<\/em>), <code>mlog=<\/code> for a \u201cmachine-readable\u201d log.<\/li>\n\n\n\n<li><strong>Split<\/strong>: uses <strong>file sets<\/strong> with <code>ofs=BASE.FMT<\/code> + <code>ofsz=BYTES<\/code> (e.g. 
extensions <code>0000<\/code>, <code>0001<\/code>, \u2026); different from dcfldd\u2019s <code>ofsplit=<\/code>.<\/li>\n\n\n\n<li><strong>Multiple outputs &amp; verification<\/strong>: besides <code>of=<\/code> you can use <code>hof=<\/code>\/<strong><code>hofs=<\/code><\/strong>: the output is <strong>hashed and verified<\/strong> by comparing the input\/output hashes; <code>fhod=<\/code> extends the hash to the whole device.<\/li>\n\n\n\n<li><strong>Error handling<\/strong>: by default, if the input is a device, it <strong>fills unreadable sectors with zeros<\/strong>; with <code>rec=off<\/code> it stops at the first error. (In dd\/dcfldd the practical equivalent is <code>conv=noerror,sync<\/code>.)<\/li>\n\n\n\n<li><strong>Wipe\/sanitize<\/strong>: <code>wipe=\/dev\/sdY<\/code> (zero-fill or pattern), <code>hwipe=<\/code> with <strong>post-wipe verification<\/strong>; you can set patterns with <code>pat=<\/code>\/<code>tpat=<\/code>.<\/li>\n\n\n\n<li><strong>Tuning<\/strong>: <code>ssz=<\/code> forces the <strong>sector size<\/strong>; <code>bufsz=<\/code> adjusts the I\/O buffer for performance; <code>verb=on<\/code> for verbose reporting.<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading has-dark-gray-color has-very-light-gray-to-cyan-bluish-gray-gradient-background has-text-color has-background has-link-color has-medium-font-size wp-elements-14f968915c23c5b172fefa89c5bb6d06\"><strong>Practical examples with dc3dd (DFIR)<\/strong><\/h1>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>1) Imaging + hash + log (single file)<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dc3dd if=\/dev\/sdX of=\/evidence\/Caso123\/disk.dd \\\n  hash=sha256 log=\/evidence\/Caso123\/logs\/dc3dd.log \\\n  hlog=\/evidence\/Caso123\/logs\/dc3dd.hashlog<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Computes SHA-256 <strong>on-the-fly<\/strong> and writes logs and hashes (totals + piecewise). 
<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>2) Splitting into 2 GiB chunks (automatic naming)<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dc3dd if=\/dev\/sdX ofs=\/evidence\/Caso123\/disk.dd.0000 \\\n  ofsz=2G hash=sha256 \\\n  log=\/evidence\/Caso123\/logs\/dc3dd.log hlog=\/evidence\/Caso123\/logs\/dc3dd.hashlog<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Uses <code>ofs=BASE.FMT<\/code> (here <code>0000<\/code>) and <code>ofsz=2G<\/code> to segment into <code>disk.dd.0000<\/code>, <code>0001<\/code>, \u2026<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>3) Master + working copy with automatic verification<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dc3dd if=\/dev\/sdX \\\n  of=\/evidence\/Caso123\/disk_master.dd \\\n  hof=\/lab\/Caso123\/disk_working.dd \\\n  hash=sha256 log=\/evidence\/Caso123\/logs\/dc3dd.log hlog=\/evidence\/Caso123\/logs\/dc3dd.hashlog<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>hof=<\/code> produces a copy whose <strong>hash<\/strong> is computed and verified against the input in the same pass.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>4) Acquisition from \u201cdifficult\u201d disks (sectors and buffer)<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dc3dd if=\/dev\/sdX of=\/evidence\/Caso123\/disk.dd \\\n  hash=sha256 ssz=512 bufsz=1M log=\/evidence\/Caso123\/logs\/dc3dd.log<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Forces the <strong>sector size<\/strong> to 512 B and limits the buffer to increase resilience on unstable devices.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>5) Sanitizing the destination disk (not the evidence!)<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code><em># Zero-fill with verification<\/em>\nsudo dc3dd hwipe=\/dev\/sdY\n\n<em># Wipe with pattern 0x00 (without 
verification)<\/em>\nsudo dc3dd wipe=\/dev\/sdY pat=00<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Useful for preparing\/sanitizing <strong>destination media<\/strong> before reuse.<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading has-medium-font-size\"><strong>When to prefer it<\/strong><\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You want <strong>flexible splitting<\/strong> with predictable naming (<code>ofs<\/code> + <code>ofsz<\/code>) and <strong>built-in verification<\/strong> of the outputs (<code>hof<\/code>\/<code>hofs<\/code>).<\/li>\n\n\n\n<li>You want <strong>rich logs<\/strong> (including <em>piecewise<\/em> and <strong>machine-readable<\/strong> via <code>mlog=<\/code>) straight from the tool.<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading has-medium-font-size\"><strong>Operational notes<\/strong><\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>As with dcfldd, keep <strong>master<\/strong> and <strong>working copy<\/strong> separate and document hashes\/logs in the case file.<\/li>\n\n\n\n<li>You can replace dcfldd with dc3dd while keeping the same practices (hash, split, log), but adapting the option names (<code>ofsplit<\/code> \u2192 <code>ofs<\/code>+<code>ofsz<\/code>, <code>hashlog<\/code> \u2192 <code>hlog<\/code>, verification: <code>vf<\/code> \u2192 <code>hof\/hofs<\/code>).<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading has-dark-gray-color has-very-light-gray-to-cyan-bluish-gray-gradient-background has-text-color has-background has-link-color has-medium-font-size wp-elements-2b7225b53f07a323d6c3e64b148c7430\"><strong>Operational comparison (dd vs dcfldd vs dc3dd)<\/strong><\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Task \/ Feature<\/th><th><strong>dd<\/strong> (baseline)<\/th><th><strong>dcfldd<\/strong> (forensic fork)<\/th><th><strong>dc3dd<\/strong> (DC3 patch)<\/th><\/tr><\/thead><tbody><tr><td>RAW imaging<\/td><td><code>dd if=\/dev\/sdX of=img.dd bs=4M conv=noerror,sync 
status=progress<\/code><\/td><td><code>dcfldd if=\/dev\/sdX of=img.dd bs=4M conv=noerror,sync statusinterval=30<\/code><\/td><td><code>dc3dd if=\/dev\/sdX of=img.dd<\/code><\/td><\/tr><tr><td>On-the-fly hash<\/td><td>\u2014 (use <code>sha256sum<\/code> afterwards)<\/td><td><code>hash=sha256 hashlog=img.sha256.txt<\/code><\/td><td><code>hash=sha256 hlog=hashes.txt<\/code> (+ optional <code>log=<\/code>)<\/td><\/tr><tr><td>Detailed logs<\/td><td>redirect std{out,err}<\/td><td><code>errlog=errors.log<\/code> + status output<\/td><td><code>log=dc3dd.log<\/code> (text), <code>mlog=machine.log<\/code> (machine-readable)<\/td><\/tr><tr><td>Image splitting<\/td><td>external: <code>split -b 2G<\/code><\/td><td><code>ofsplit=2G<\/code> \u2192 <code>img.dd.000<\/code>, <code>.001<\/code>\u2026<\/td><td><code>ofs=img.dd.0000 ofsz=2G<\/code> \u2192 <code>.0000<\/code>, <code>.0001<\/code>\u2026<\/td><\/tr><tr><td>Dual output in one pass<\/td><td>\u2014 (copy afterwards)<\/td><td>repeat <code>of=<\/code> several times on the same line<\/td><td><code>hof=working.dd<\/code> (output with hash &amp; verification)<\/td><\/tr><tr><td>Verification against source<\/td><td>external: recompute the hash<\/td><td><code>vf=img.dd<\/code><\/td><td>with <code>hof=<\/code> it automatically verifies that the hashes match<\/td><\/tr><tr><td>Damaged sector handling<\/td><td><code>conv=noerror,sync<\/code><\/td><td><code>conv=noerror,sync<\/code><\/td><td>fills with zeros by default; you can change the policy (stop at the first error)<\/td><\/tr><tr><td>Wipe\/sanitize (destination disks only)<\/td><td><code>dd if=\/dev\/zero of=\/dev\/sdY<\/code><\/td><td><code>pattern=00<\/code> on the destination<\/td><td><code>wipe=\/dev\/sdY<\/code> (or <code>hwipe=<\/code> with post-wipe verification)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Rule of thumb: <strong>dd<\/strong> = portability + minimalism; 
<strong>dcfldd<\/strong> = simple \u201call-in-one\u201d (hash\/log\/split\/verify); <strong>dc3dd<\/strong> = control freak with <strong>rich logs<\/strong>, <strong>robust splitting<\/strong> and <strong>built-in output verification (hof)<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading has-dark-gray-color has-very-light-gray-to-cyan-bluish-gray-gradient-background has-text-color has-background has-link-color has-medium-font-size wp-elements-f48eaab78afcf80b9c3e2d38f193f4f4\">Practical examples<\/h1>\n\n\n\n<h2 class=\"wp-block-heading has-medium-font-size\"><strong>1) Imaging with hash and log<\/strong><\/h2>\n\n\n\n<p><strong>dcfldd<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dcfldd if=\/dev\/sdX of=case\/disk.dd bs=4M conv=noerror,sync \\\n  hash=sha256 hashlog=case\/logs\/disk.sha256.txt errlog=case\/logs\/errors.log \\\n  statusinterval=30<\/code><\/pre>\n\n\n\n<p><strong>dc3dd<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dc3dd if=\/dev\/sdX of=case\/disk.dd \\\n  hash=sha256 hlog=case\/logs\/dc3dd.hashlog log=case\/logs\/dc3dd.log<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading has-medium-font-size\"><strong>2) Splitting at 2 GiB<\/strong><\/h2>\n\n\n\n<p><strong>dcfldd<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dcfldd if=\/dev\/sdX of=case\/disk.dd ofsplit=2G \\\n  hash=sha256 hashlog=case\/logs\/disk.sha256.txt\n# join:  cat case\/disk.dd.* &gt; case\/disk.dd<\/code><\/pre>\n\n\n\n<p><strong>dc3dd<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dc3dd if=\/dev\/sdX ofs=case\/disk.dd.0000 ofsz=2G \\\n  hash=sha256 hlog=case\/logs\/dc3dd.hashlog\n# join:  cat case\/disk.dd.0* &gt; case\/disk.dd<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading has-medium-font-size\"><strong>3) Master + working copy, a single pass<\/strong><\/h2>\n\n\n\n<p><strong>dcfldd<\/strong><\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>sudo dcfldd if=\/dev\/sdX of=case\/disk_master.dd of=lab\/disk_working.dd \\\n  hash=sha256 hashlog=case\/logs\/disk.sha256.txt<\/code><\/pre>\n\n\n\n<p><strong>dc3dd<\/strong> (with built-in output verification)<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dc3dd if=\/dev\/sdX of=case\/disk_master.dd \\\n  hof=lab\/disk_working.dd \\\n  hash=sha256 hlog=case\/logs\/dc3dd.hashlog log=case\/logs\/dc3dd.log<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading has-medium-font-size\"><strong>4) Sanitizing the destination (not the evidence!)<\/strong><\/h2>\n\n\n\n<p><strong>dcfldd<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dcfldd if=\/dev\/zero of=\/dev\/sdY bs=4M pattern=00 statusinterval=30<\/code><\/pre>\n\n\n\n<p><strong>dc3dd<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dc3dd hwipe=\/dev\/sdY    # wipe + verification\n# or:\nsudo dc3dd wipe=\/dev\/sdY     # wipe without verification<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading has-medium-font-size\"><strong>Quick \u201coption mapping\u201d<\/strong><\/h1>\n\n\n\n<p><strong>Hashing<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>dd \u2192 <code>sha256sum img.dd &gt; img.dd.sha256.txt<\/code> (post-acq)<\/li>\n\n\n\n<li>dcfldd \u2192 <code>hash=sha256 hashlog=FILE<\/code><\/li>\n\n\n\n<li>dc3dd \u2192 <code>hash=sha256 hlog=FILE<\/code> (+ <code>log=<\/code>\/<code>mlog=<\/code>)<\/li>\n<\/ul>\n\n\n\n<p><strong>Split<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>dd \u2192 <code>split -b 2G img.dd img.dd.<\/code><\/li>\n\n\n\n<li>dcfldd \u2192 <code>ofsplit=2G<\/code> \u2192 <code>img.dd.000<\/code>, <code>.001<\/code>\u2026<\/li>\n\n\n\n<li>dc3dd \u2192 <code>ofs=img.dd.0000 ofsz=2G<\/code> \u2192 <code>.0000<\/code>, <code>.0001<\/code>\u2026<\/li>\n<\/ul>\n\n\n\n<p><strong>Dual output<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>dd 
\u2192 <code>cp<\/code>\/<code>rsync<\/code> afterwards<\/li>\n\n\n\n<li>dcfldd \u2192 several <code>of=<\/code> on the same line<\/li>\n\n\n\n<li>dc3dd \u2192 <code>hof=<\/code> \/ <code>hofs=<\/code> (with hashing\/verification)<\/li>\n<\/ul>\n\n\n\n<p><strong>Verification<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>dd \u2192 recompute the hash, device vs file<\/li>\n\n\n\n<li>dcfldd \u2192 <code>vf=img.dd<\/code><\/li>\n\n\n\n<li>dc3dd \u2192 with <code>hof=<\/code> the output is verified against the input<\/li>\n<\/ul>\n\n\n\n<p><strong>Read errors<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>dd \/ dcfldd \u2192 <code>conv=noerror,sync<\/code><\/li>\n\n\n\n<li>dc3dd \u2192 by default fills errors with zeros; a \u201cstop on first error\u201d mode is selectable<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A practical \u201cquick reference\u201d to dd, dcfldd and dc3dd for use in digital forensics: differences, good practices and ready-to-use commands. What it is and what changes dd (GNU coreutils) The standard Unix\/Linux tool for copying and converting files, but lacking advanced features such as computing multiple checksums, multiple output files or a verification mode. 
&hellip; <a href=\"https:\/\/www.fabriziogiancola.eu\/index.php\/2025\/08\/28\/dd-vs-dcfldd\/\" class=\"more-link\">Read more<span class=\"screen-reader-text\"> &#8220;dd vs dcfldd vs dc3dd&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":11,"footnotes":""},"categories":[14],"tags":[51,74,49,48,52,50],"class_list":["post-2397","post","type-post","status-publish","format-standard","hentry","category-digital-forensics","tag-acquisizione-forense","tag-dc3dd","tag-dcfldd","tag-dd","tag-digital-forensics","tag-hash"],"_links":{"self":[{"href":"https:\/\/www.fabriziogiancola.eu\/index.php\/wp-json\/wp\/v2\/posts\/2397","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.fabriziogiancola.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fabriziogiancola.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fabriziogiancola.eu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fabriziogiancola.eu\/index.php\/wp-json\/wp\/v2\/comments?post=2397"}],"version-history":[{"count":31,"href":"https:\/\/www.fabriziogiancola.eu\/index.php\/wp-json\/wp\/v2\/posts\/2397\/revisions"}],"predecessor-version":[{"id":3444,"href":"https:\/\/www.fabriziogiancola.eu\/index.php\/wp-json\/wp\/v2\/posts\/2397\/revisions\/3444"}],"wp:attachment":[{"href":"https:\/\/www.fabriziogiancola.eu\/index.php\/wp-json\/wp\/v2\/media?parent=2397"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fabriziogiancola.eu\/index.php\/wp-json\/wp\/v2\/categories?post=2397"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fabriziogiancola.eu\/index.php\/wp-json\/wp\/v2\/tags?post=2397"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}