Evidence Collection in Linux Forensics (Disk + Memory Acquisition)
- Apr 29

Hey everyone!
Today, we’re going to dive into a super important topic when it comes to Linux forensics: evidence collection. We’ll cover the classic tools like dd, dcfldd, and dc3dd, and also talk about modern memory acquisition methods and a very cool script called UAC.
Let’s get right into it!
Disk Imaging Tools: dd, dcfldd, and dc3dd
When you're doing any kind of forensic work, the first rule is: capture an exact copy of the original data. In Linux, we have some legendary tools for this — and the best part? They're super easy to use once you get the hang of it!
1. dd – The Classic One
You might think "dd" stands for something, but it actually doesn’t officially mean anything!
It's a foundational UNIX tool for copying and converting files.
Almost every Linux or UNIX-like system has it installed by default — making it a go-to for forensic investigators.
It's often used to create bit-by-bit images of disks (i.e., exact copies).
Example command:
dd if=/dev/sda of=/path/to/image.dd bs=4M
if = input file (your source device)
of = output file (where you want to save the image)
bs = block size (common values: 1M or 4M)
Quick Tip:
If you use /dev/sda as input, you capture the entire disk, including all partitions. If you use something like /dev/sda3, you're only capturing a specific partition. You can check your drives using:
df -h
And when naming your images, you'll often see extensions like .dd, .raw, or .img; they're all pretty standard.
2. dcfldd – Upgraded dd for Forensics
dcfldd is basically an enhanced version of dd.
Built by the U.S. Department of Defense Computer Forensics Lab (cool, right?).
It adds features super useful for investigators:
On-the-fly hashing (SHA256, SHA1, etc.)
Status output (you see progress!)
Splitting output into multiple smaller files.
Example command:
dcfldd if=/dev/sda of=/path/to/image.dd bs=4M hash=sha256 hashwindow=1G
hash=sha256 will hash the image during acquisition.
hashwindow=1G means it creates a hash after every 1GB chunk.
3. dc3dd – The Newest and Most Advanced
dc3dd is another evolution, developed by the U.S. Department of Defense Cyber Crime Center (DC3).
It extends dcfldd with even more features:
Better logging.
Drive wiping and pattern writing (if needed).
Detailed forensic reporting.
Example command:
dc3dd if=/dev/sda of=/path/to/image.dd log=/path/to/logfile.txt hash=sha256 hlog=/path/to/hashlog.txt
This will:
Capture the image.
Log everything.
Hash the image and save the hash to a separate file.
Quick Summary:
Tool   | Highlight
-------|---------------------------------------------
dd     | Basic and universal
dcfldd | Adds hashing and better status reporting
dc3dd  | Full forensic features with detailed logging
Important: Across all three tools, the if and of parameters stay the same, so once you learn one, you can easily switch to the others!
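To see the whole acquire-and-verify loop end to end, here is an added example (my own script, not from the original post or from the dd, dcfldd or dc3dd projects) that runs the same dd workflow against a constructed 4 MiB file standing in for /dev/sda, so it is safe to run anywhere. The paths, the 1 MiB window size and the helper names (make_source, acquire_and_verify, hash_windows, count_changed_windows) are assumptions of the example. It verifies the image against the source hash, which is the check dc3dd's hlog= writes down for you, and reproduces what dcfldd's hashwindow= does by hashing the image one window at a time, so that a later mismatch can be narrowed down to a region rather than "the whole image".

```shell
#!/bin/sh
# Added example (not from the original post): rehearse the dd workflow
# against a constructed file-backed "disk" so nothing touches a real device.
# (1) image verified against the source hash, the check dc3dd's hlog= records
# (2) piecewise hashing, which is what dcfldd's hashwindow= gives you
set -eu

WORK=$(mktemp -d)
SOURCE="$WORK/evidence.disk"   # stands in for /dev/sda (constructed, 4 MiB of zeros)
IMAGE="$WORK/image.dd"
HASHLOG="$WORK/hashlog.txt"

make_source() {
    dd if=/dev/zero of="$SOURCE" bs=1M count=4 2>/dev/null
}

# Bit-for-bit copy, then hash both sides. Returns 0 only if the digests match.
acquire_and_verify() {
    dd if="$SOURCE" of="$IMAGE" bs=4M 2>/dev/null
    src_hash=$(sha256sum "$SOURCE" | cut -d' ' -f1)
    img_hash=$(sha256sum "$IMAGE" | cut -d' ' -f1)
    printf 'source sha256 %s\nimage  sha256 %s\n' "$src_hash" "$img_hash" > "$HASHLOG"
    [ "$src_hash" = "$img_hash" ]
}

# One SHA-256 per window of $2 MiB (the hashwindow= idea), printed in order.
hash_windows() {
    file=$1; mb=$2
    bytes=$((mb * 1024 * 1024))
    size=$(wc -c < "$file")
    windows=$(( (size + bytes - 1) / bytes ))
    i=0
    while [ "$i" -lt "$windows" ]; do
        dd if="$file" bs="${mb}M" skip="$i" count=1 2>/dev/null | sha256sum | cut -d' ' -f1
        i=$((i + 1))
    done
}

# Compare the window hashes of two images and print how many windows differ.
count_changed_windows() { # $1=image A  $2=window MiB  $3=image B
    hash_windows "$1" "$2" > "$WORK/a.hashes"
    hash_windows "$3" "$2" > "$WORK/b.hashes"
    paste "$WORK/a.hashes" "$WORK/b.hashes" | awk '$1 != $2 { n++ } END { print n + 0 }'
}

# Stand-alone run: acquire, verify, and show the hash log.
make_source
acquire_and_verify && cat "$HASHLOG"
```

Run it as a script and it prints the two matching digests. On a real device you would point SOURCE at the block device and, in practice, hash the device again after imaging to confirm it was not altered during the acquisition (a hardware write blocker is the usual guarantee).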
------------------------------------------------------------------------------------------------------------
Linux Memory Acquisition: Capturing the Volatile Data
Now, let’s move on to memory acquisition — another critical part of forensics.
Memory holds running processes, network connections, encryption keys, and a lot of other sensitive stuff that disappears if the machine is powered off.
Old School Method:
In the early days, people used dd to dump memory from /dev/mem or /dev/kmem. But now, we have much better tools!
Modern Tool: LiME (Linux Memory Extractor)
LiME is specifically designed for live memory acquisition on Linux machines.
You can find it here:
It allows you to grab a memory image without shutting down the system — which is super important in real investigations.
Another Option: AVML (Accelerated Volatile Memory Acquisition)
Built by Microsoft, AVML is a super lightweight tool for memory captures on Linux.
You can grab it here:
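Both LiME and AVML write the LiME file format, so a useful first check on any memory image is to walk its range headers and confirm the structure is intact before loading it into an analysis framework. The following is an added example (my own shell, not code from the LiME or AVML projects) that builds a tiny two-range file in that format and parses it back. It assumes LiME's 32-byte range header layout (32-bit magic 0x4C694D45, 32-bit version, 64-bit inclusive start and end addresses, 8 reserved bytes) written in host byte order, and that od reads in the same byte order; the temp paths, addresses and function names are the example's own.

```shell
#!/bin/sh
# Added example (not LiME's or AVML's own code): build a tiny file in the
# LiME format and parse its range headers, a sanity check worth running on a
# dump before it goes to an analysis framework.
# Assumed layout per range (32 bytes, host byte order): u32 magic 0x4C694D45,
# u32 version 1, u64 start, u64 end (inclusive), 8 reserved bytes, then
# end-start+1 bytes of memory content.
set -eu

LIME_MAGIC=1281969477   # 0x4C694D45, reads as "EMiL" in a hex dump

WORK=$(mktemp -d)
DUMP="$WORK/mem.lime"

# Write $1 as $2 little-endian bytes (host order on x86/arm64, as LiME does).
le_bytes() {
    v=$1; n=$2; i=0
    while [ "$i" -lt "$n" ]; do
        printf "\\$(printf '%03o' $((v % 256)))"
        v=$((v / 256)); i=$((i + 1))
    done
}

# Append one range with zero-filled contents. Constructed data only.
write_range() { # $1=file $2=start $3=end
    {
        le_bytes "$LIME_MAGIC" 4
        le_bytes 1 4
        le_bytes "$2" 8
        le_bytes "$3" 8
        le_bytes 0 8
        dd if=/dev/zero bs=$(($3 - $2 + 1)) count=1 2>/dev/null
    } >> "$1"
}

# Walk the headers; print "start end length" per range. Fails on a bad
# magic, which is how a truncated or mis-formatted dump shows up.
lime_ranges() {
    file=$1; size=$(wc -c < "$file"); off=0
    while [ "$off" -lt "$size" ]; do
        magic=$(od -An -t u4 -j "$off" -N 4 "$file" | tr -d ' ')
        if [ "$magic" != "$LIME_MAGIC" ]; then
            echo "bad magic at offset $off" >&2
            return 1
        fi
        start=$(od -An -t u8 -j $((off + 8)) -N 8 "$file" | tr -d ' ')
        end=$(od -An -t u8 -j $((off + 16)) -N 8 "$file" | tr -d ' ')
        len=$((end - start + 1))
        printf '%d %d %d\n' "$start" "$end" "$len"
        off=$((off + 32 + len))
    done
}

# Total bytes of memory content; should equal file size minus 32 per header.
lime_total_bytes() {
    lime_ranges "$1" | awk '{ n += $3 } END { print n + 0 }'
}

# Stand-alone run: two ranges, like a system with a hole in its physical map.
write_range "$DUMP" 4096 8191
write_range "$DUMP" 1048576 1050623
lime_ranges "$DUMP"
```

The range list is exactly what you compare against the machine's physical memory map (for example /proc/iomem captured at acquisition time) to confirm the dump covers what it should; a header with the wrong magic or a total that does not add up to the file size means the image was truncated or is not in LiME format.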
------------------------------------------------------------------------------------------------------------
Extra Goodie: Using UAC Script for Artifact Collection!
If you've followed my macOS forensic series, you already know about UAC (Universal Acquisition Collector). Good news: UAC supports Linux too!

Here’s how UAC works:
Enumerates available system tools.
Loads the uac.conf configuration file.
Builds a list of artifacts to collect.
Collects data (files, hashes, timestamps).
Creates a single output archive and hashes it.
Generates a full acquisition log.
Quick How-To for UAC on Linux
First, download and unzip UAC:
tar zxvf uac.tar.gz

Inside the unzipped directory, you’ll find multiple folders.
The profiles folder is important — it contains YAML files that define what artifacts will be collected.
List available profiles:
./uac --profile list


Run UAC to collect everything (using the full profile):
sudo ./uac -p full /path/to/output/folder
✅ Done! Now you have a full snapshot of the system's forensic artifacts.


What’s inside the output?
A bodyfile — a text file with all the filesystem metadata (useful for timeline creation).

A Live_Response folder — containing processes, network connections, user accounts, and much more.

.stderr.txt files — if any command threw an error, it’s logged here.
You can easily open and analyze these outputs on Linux or even Windows (with Notepad).
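Since the bodyfile is the input for timelining, here is an added example (my own awk/shell, not part of UAC) that turns a few constructed bodyfile records into a sorted MACB timeline and filters it to a time window. It assumes the pipe-separated TSK 3.x body layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), taken here to be the layout UAC's bodyfile follows; the three records, their timestamps and the function names are invented for the example.

```shell
#!/bin/sh
# Added example: turn a bodyfile into a sorted timeline.
# Assumes the TSK 3.x body format (assumed to match UAC's bodyfile):
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# The three records below are constructed, not real collection output.
set -eu

WORK=$(mktemp -d)
BODYFILE="$WORK/bodyfile.txt"
cat > "$BODYFILE" <<'EOF'
0|/etc/passwd|131074|-rw-r--r--|0|0|2847|1714300000|1714200000|1714200000|1714100000
0|/home/alice/.bash_history|262155|-rw-------|1000|1000|512|1714305000|1714305000|1714305000|1714100000
0|/tmp/.x|393221|-rwxr-xr-x|1000|1000|18432|1714304900|1714304800|1714304800|1714304800
EOF

# Emit one line per distinct timestamp of each file:
#   "<epoch> <macb flags> <size> <uid> <name>"
# Timestamps that coincide on the same file are merged into one line
# (e.g. "m.cb" for a file whose mtime, ctime and crtime are equal).
bodyfile_timeline() {
    awk -F'|' '
    {
        name = $2; size = $7; uid = $5
        t["m"] = $9; t["a"] = $8; t["c"] = $10; t["b"] = $11
        split("", flags)
        for (k in t) { if (t[k] > 0) flags[t[k]] = flags[t[k]] k }
        for (ts in flags) {
            f = flags[ts]
            out = (index(f, "m") ? "m" : ".") (index(f, "a") ? "a" : ".") \
                  (index(f, "c") ? "c" : ".") (index(f, "b") ? "b" : ".")
            printf "%d %s %s %s %s\n", ts, out, size, uid, name
        }
    }' "$1" | sort -k1,1n -k5,5
}

# Restrict the timeline to a window, e.g. the minutes around a suspected intrusion.
events_between() { # $1=bodyfile $2=start epoch $3=end epoch
    bodyfile_timeline "$1" | awk -v s="$2" -v e="$3" '$1 >= s && $1 <= e'
}

# Stand-alone run: print the full timeline.
bodyfile_timeline "$BODYFILE"
```

Point BODYFILE at the real bodyfile from a UAC output directory and the same functions apply. The epochs are printed raw so that sorting is unambiguous; in the constructed data the cluster of events on /tmp/.x followed by a shell history write is the kind of sequence a timeline makes visible and the raw listing does not.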
Wrapping Up
Evidence collection is the foundation of any good forensic investigation. Tools like dd, dcfldd, dc3dd, LiME, AVML, and UAC make it much easier to capture, preserve, and analyze critical data.
Whether you're imaging a disk or grabbing volatile memory, remember:
👉 Accuracy and proper documentation are everything in forensics!
-----------------------------------------Dean------------------------------------------------------