This story begins with the Defense Computer Forensics Laboratory, or DCFL for short. DCFL claims to be a “world class facility providing comprehensive evidentiary analysis of material.” They say so right on their homepage.
http://www.dc3.mil/dcfl/dcflAbout.php
DCFL also claims to have an organized process of handling digital evidence that is “unmatched elsewhere in terms of its scope.” What this means is that DCFL has a team of “experts” that tear apart electronics to get at the digital goodness within. They then create forensic images of the now disassembled digital evidence. This includes laptops, desktops, internal and external hard drives, flash drives, iPods, XBOX, PS3, smartphones, cell phones and so on. There is another team which then performs data recovery. This might entail bookmarking all of the pictures and videos on a hard drive. A third individual then typically pieces together a “report” from the data gathered. Sometimes, the individual that creates the actual report is from a different alphabet agency.
I gather that this is a pretty straightforward and “industrialized” process, but I’m not entirely convinced that the evidence is examined as thoroughly or fairly as it should be, especially when the accused may face many years in Federal prison. I suppose though, with the amount of cases DCFL brags about completing every year, they don’t always have the time to do a thorough examination.
There are some who also claim that DCFL is simply in the business of smashing personal electronics. Items such as laptops, computer cases, iPods and more are routinely shattered and broken when in possession of this “world class facility”. Some claim that DCFL employees derive sadistic pleasure from destroying the plastic and aluminum shells of your cherished electronics, sucking the electrifying energy from the device so as to only grow stronger. This is sort of like how in Highlander, the TV series, when an immortal cuts off the head of another immortal, they then gain some of their victim’s energy and power. I’ve heard this is almost exactly the same thing that happens at DCFL.
Every now and then, the owners of the now shattered electronics are still alive when their shattered laptop is returned to them, albeit decades older. However, most times after filing a damages claim with the appropriate alphabet agency, they can expect a small reimbursement in about two full human life cycles. Owners can rest easy knowing that their descendants will be able to purchase a single frappe at Starbucks with the few hundred dollars of inflated Federal Reserve Notes that they will receive in reimbursement for their late great grandfather’s shattered laptop.
Nick Harbour
So now that you know what the DCFL does, did you also know that a real ninja was once employed at DCFL? His name is Nick Harbour, and from his current Twitter and Facebook picture, you can tell that he was a fearsome warrior of the night. Some might say that Chuck Norris lives only because Nick Harbour allows it.
This is Nick Harbour, I think.
Nick Harbour appears to be pretty awesome sometimes (even if he disagrees with some recent events) so you might consider following him on Twitter. Also, view dcfldd and his other projects at http://www.rnicrosoft.net/.
Nick Harbour is also the guy that Greg Hoglund of the disgraced HBGary threatened, as can be seen in leaked emails such as this one:
Subject: watch this guy closely for stinger ops
Body: If this guy says anything stupid we want to deploy a stinger - here is his website and his name is Nick Harbour ... - Greg Hoglund
http://hbgary.anonleaks.ch/greg_hbgary_com/262.html
During Nick’s employment at DCFL, he coded “dcfldd”, an enhanced version of the “dd” program found in GNU Core Utilities (GNU coreutils).
dcfldd
dcfldd is still used quite often when imaging digital evidence. Not only is it used by DCFL and other alphabet soup but by individuals working in the private sector as well. dcfldd has additional features over dd, such as those detailed on the dcfldd SourceForge page:
- Hashing on-the-fly – dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
- Status output – dcfldd can update the user of its progress in terms of the amount of data transferred and how much longer operation will take.
- Flexible disk wipes – dcfldd can be used to wipe disks quickly and with a known pattern if desired.
- Image/wipe Verify – dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
- Multiple outputs – dcfldd can output to multiple files or disks at the same time.
- Split output – dcfldd can split output to multiple files with more configurability than the split command.
- Piped output and logs – dcfldd can send all its log data and output to commands as well as files natively.
The benefits of dcfldd over dd are plainly obvious when used in the context of forensic acquisitions, and these benefits make it valuable software for forensic examiners.
dcfldd is usually included in specialized Linux distributions such as BackTrack, Raptor, HELIX3, and so on. With standard Linux distributions, you can usually find the latest version within the package repository of your choice.
Since I am using Debian at the moment (and have switched to root with su for the demonstration), I will simply use aptitude to install dcfldd like so:
It is important to know how digital evidence is seized and acquired so as to have the ability to employ proper anti-forensics. This is why I recommend that those of you truly interested in anti-forensics and computer forensics download and experiment with a copy of something like Raptor Forensics which is a Linux Live CD for the purpose of forensic acquisitions.
If you’re like me, you have a lot of hard drives lying around and, regardless of what data is on them, they will be seized during a raid and later examined. So if you do not need any of the data on them, it is in your best interest to fully wipe these hard drives. You can fully wipe standard mechanical hard drives using dcfldd, just as you can image most digital media with dcfldd. If you have experience with dd, then dcfldd should be no problem and the improvements should be helpful.
dcfldd Disk Wiping
For this article, I have purchased a 20GB PATA hard drive off of eBay. A quick glance at the data on it makes me believe it was used in a small rural school somewhere up in the northwestern United States.
The hard drive was plugged in via a USB adapter to a laptop with one of these SATA/PATA/IDE to USB adapters. These adapters are constructed by some of the finest craftsmen in all of China. So you had better get a spare as well. These types of adapters come in all shapes and sizes but this one in particular is useful for forensic technicians and those performing acquisitions or examinations out in the field. It will allow an examiner with a mobile laptop to preview and acquire evidence through a USB bus.
Now, to begin, I am going to show you a preview of the data contained within the first sector of the hard drive using dcfldd.
Let’s break down the command used to view the first sector.
dcfldd if=/dev/sdb count=1 bs=512 | hexdump -C
I have specified the first sector (count=1) with a block size of 512 bytes (bs=512) of the Seagate hard drive (sdb) as input, which is piped to hexdump with the -C option for display in the terminal. You can see from the existing data in the screenshot that this hard drive has not yet been wiped. So let’s fix that.
The command used is very basic but will write the hexadecimal byte 0x00 across the entire disk /dev/sdb. There are further options you can specify for skipping blocks (bad sectors) as well, but for this example, I kept it simple.
dcfldd pattern=00 of=/dev/sdb
One major difference over dd is that dcfldd keeps an updated counter of how many MB have been written as it occurs, whereas with dd you’re kind of twiddling your thumbs, wondering how far along it is.
So, if this command, with these options, has worked as advertised, the disk should be “filled with zeros”. There will be no data to recover, and this can be tested as you will see below.
You can see that using dcfldd, the external hard drive is used as input which is piped to hexdump for display in the terminal. You’ll notice that starting at the first sector on the hard disk, the first 16 bytes are all zeros. You will also notice that a wildcard “*” is used in the hexdump program output to denote that all further bytes are also 0x00.
So, just for further demonstration, I’m going to first write some data to a single sector on the disk with dcfldd and then perform a similar wipe verification to see what differs.
The command dcfldd textpattern=lol count=1 bs=512 seek=2 of=/dev/sdb is used to write “lol” to all 512 bytes of sector 3. There are two new options used in this command. The first is “textpattern”, which repeatedly writes your textual input. The second option is “seek”, which is used to skip output blocks, which is why we have skipped writing data to the first two 512 byte blocks or sectors.
Now, I’m going to perform a similar verification as the one which was done before, but only specify the first five sectors of the hard drive as input to speed things up. The data will be printed to the terminal with hexdump -C again.
Notice that the results are as expected. Starting at sector 3 we can see the textual pattern lol was written and that the following sectors retain the hexadecimal value 0x00.
As always, be sure to verify your wiped hard drives with multiple tools. Some disk wiping software may have issues writing to the final or last block of a device and some may skip sectors because of software errors.
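The wipe, marker write and verification sequence above, as an added example that is not part of the original post: it runs the same steps against a small disk image file instead of /dev/sdb, so it can be exercised without a spare drive, and it verifies the result with two independent checks (a non-zero byte count and a cmp against zeros) as recommended. The image path, the sector count and the fallback to plain dd when dcfldd is not installed are assumptions of this example, not of the post.

```shell
#!/bin/sh
# Added example (not from the original post): run the post's wipe / write /
# verify sequence against a small disk image instead of /dev/sdb.
# The image path, sector count and dd fallback are assumptions.
set -eu

IMG="${IMG:-/tmp/wipe_demo.img}"   # stands in for the block device
SECTORS=8                          # 8 x 512 bytes = 4096-byte "disk"
BYTES=$((SECTORS * 512))

# Use dcfldd when it is installed; otherwise fall back to plain dd so the
# verification logic still runs. (dd lacks pattern=/textpattern=, so the
# fallback builds the same bytes with /dev/zero and yes.)
have_dcfldd() { command -v dcfldd >/dev/null 2>&1; }

make_dirty_image() {
    # Constructed "before" state: fill every sector with non-zero text.
    yes 'not wiped yet' | head -c "$BYTES" > "$IMG"
}

wipe_image() {
    # Equivalent of:  dcfldd pattern=00 of=/dev/sdb
    # conv=notrunc only matters for a regular file (keeps its length).
    if have_dcfldd; then
        dcfldd pattern=00 bs=512 count="$SECTORS" conv=notrunc of="$IMG" 2>/dev/null
    else
        dd if=/dev/zero bs=512 count="$SECTORS" conv=notrunc of="$IMG" 2>/dev/null
    fi
}

write_marker_sector() {
    # Equivalent of:  dcfldd textpattern=lol count=1 bs=512 seek=2 of=/dev/sdb
    # The fallback pre-builds exactly 512 bytes of "lol" and lets dd copy
    # them to EOF, so a short pipe read cannot truncate the sector.
    if have_dcfldd; then
        dcfldd textpattern=lol bs=512 count=1 seek=2 conv=notrunc of="$IMG" 2>/dev/null
    else
        yes lol | tr -d '\n' | head -c 512 \
            | dd bs=512 seek=2 conv=notrunc of="$IMG" 2>/dev/null
    fi
}

# Check 1: count bytes that are not 0x00 (a wiped image must report 0).
count_nonzero_bytes() {
    tr -d '\000' < "$IMG" | wc -c | tr -d ' '
}

# Check 2, with a second tool as the post recommends: byte-for-byte
# comparison against the same number of zero bytes. Exit status 0 = wiped.
verify_zero() {
    head -c "$BYTES" /dev/zero | cmp -s - "$IMG"
}

# Return the first N bytes of sector S (0-based), the way the post previews
# a sector with "dcfldd ... | hexdump -C", but as text for easy checking.
read_sector_head() {
    dd if="$IMG" bs=512 skip="$1" count=1 2>/dev/null | head -c "$2"
}

demo() {
    make_dirty_image
    echo "before wipe: $(count_nonzero_bytes) non-zero bytes"
    wipe_image
    echo "after wipe:  $(count_nonzero_bytes) non-zero bytes"
    verify_zero && echo "cmp against zeros: match"
    write_marker_sector
    echo "sector 2 now starts with: $(read_sector_head 2 6)"
    verify_zero || echo "cmp against zeros: mismatch (expected after marker write)"
}

demo
```

Running it prints 4096 non-zero bytes before the wipe, 0 after, a cmp match, and then "lollol" at the start of sector 2 with a cmp mismatch once the marker is written. The two checks disagree with hexdump only when a tool skipped or mis-wrote a block, which is exactly the failure the post tells you to look for.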
As always, report in with your ideas, improvements, and criticisms in the comments below.
A stinger must be Hoglund’s code word for kidnapping other men for the purposes of gay sex and bondage.
That might explain Mr. Harbour’s sad face. Poor fella
Excellent read. Very informative. I especially liked writing lol to the drive. May piss off an investigator just enough to make him/her try harder. LoL
LOL! i really liked the humor + awesomeness of this article. ++Max
FTA: “The command used is very basic but will write the hexadecimal byte 0x00 across the entire disk /dev/sdb. There are further options you can specify for skipping blocks (bad sectors) as well”
Is there an option to skip bad sectors on a drive when writing to it? It appears that “conv=noerror” only skips read errors, not write errors.
If you are going to wipe your hard drive to prevent an examiner from having any success in examining them, you better figure out a way to plan ahead and be OK with never getting that information back yourself. If you have any kind of backups or anything that contain something you don’t want examined, might as well get rid of those as well.
It takes hours to wipe a drive if you have a drive with any kind of decent capacity, so thinking you are going to push a button as the door is being kicked down isn’t realistic.
Great writeup. It helped me wipe few hard drives completely.
Actually with some of the newer drives that have hardware-level full-disk encryption (particularly SSDs), as in nothing gets written plaintext, you can wipe the drive in less than a second by overwriting the encryption keys, which has the same effect.
Can’t you just have a two hard drive setup? One with backtrack/ubuntu and a second to dcfldd when done?
Just copy a vmware player image to the second drive.
There could be a problem though..
Are there any special settings you need for vmware player to make sure swap, mem file and log writes happen just on the second drive?
I’m not familiar enough with vmware player.
Does dcfldd work on ssd drives?