a guest
Apr 22nd, 2018
Q1: The dcfldd command is an enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab. It has some useful features for forensic investigators, such as:

On-the-fly hashing of the transmitted data.
Progress bar of how much data has already been sent.
Wiping of disks with known patterns.
Verification that the image is identical to the original drive, bit-for-bit.
Simultaneous output to more than one file/disk is possible.
The output can be split into multiple files.
Logs and data can be piped into external applications.

In a forensic investigation, it is important to make sure that anything you do does not affect the data on the disk being investigated. In this investigation, the USB stick has been attached as a device called /dev/sdd.

Use md5sum to calculate the MD5 checksum of the USB stick attached to /dev/sdd, and save the hash into /home/caine/usb.md5. Use sha256sum to calculate the SHA-256 checksum of the USB stick attached to /dev/sdd, and save the hash into /home/caine/usb.sha256. Note that the check buttons may take quite a few seconds to check the correct hashes.

Answer:

md5sum /dev/sdd > usb.md5
sha256sum /dev/sdd > usb.sha256

Q2: Use the dcfldd command to capture this USB device. Use the format:

dcfldd if=/dev/sdd hash=md5,sha256 md5log=md5.txt sha256log=sha256.txt hashconv=after bs=512 conv=noerror of=usb.dd

Confirm that the MD5 and SHA-256 hashes you took of /dev/sdd match the md5.txt and sha256.txt files created during this transfer.

Answer:

dcfldd if=/dev/sdd hash=md5,sha256 md5log=md5.txt sha256log=sha256.txt hashconv=after bs=512 conv=noerror of=usb.dd
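
Added example, not part of the original paste: one way to script the confirmation step that Q2 asks for, comparing the hashes taken before imaging with the logs dcfldd wrote. It assumes each dcfldd log ends with a line of the form "Total (md5): <hex>"; the function names are hypothetical and the sample digests in demo are constructed.

```shell
#!/bin/sh
# Added example: compare pre-acquisition hashes with dcfldd's hash logs.

# Print the last standalone hex digest of the given length found in a file.
# Handles md5sum/sha256sum output ("<hex>  /dev/sdd") and, as assumed here,
# a dcfldd log line of the form "Total (md5): <hex>".
extract_digest() {
    # $1 = file, $2 = digest length in hex characters (32 = MD5, 64 = SHA-256)
    grep -Eiow "[0-9a-f]{$2}" "$1" 2>/dev/null | tail -n 1 | tr 'A-F' 'a-f'
}

# Return 0 only if both files contain a digest and the two digests are equal.
digests_match() {
    # $1 = hash file taken before imaging, $2 = dcfldd log, $3 = digest length
    before=$(extract_digest "$1" "$3")
    after=$(extract_digest "$2" "$3")
    [ -n "$before" ] && [ "$before" = "$after" ]
}

# Check both algorithms; fail if either is missing or differs.
verify_acquisition() {
    # $1 = usb.md5, $2 = md5.txt, $3 = usb.sha256, $4 = sha256.txt
    rc=0
    digests_match "$1" "$2" 32 || { echo "MD5 mismatch or missing" >&2; rc=1; }
    digests_match "$3" "$4" 64 || { echo "SHA-256 mismatch or missing" >&2; rc=1; }
    return $rc
}

# Constructed sample files (not real lab output): digests of an empty input.
demo() {
    d=$(mktemp -d) || return 1
    echo "d41d8cd98f00b204e9800998ecf8427e  /dev/sdd" > "$d/usb.md5"
    echo "Total (md5): d41d8cd98f00b204e9800998ecf8427e" > "$d/md5.txt"
    echo "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /dev/sdd" > "$d/usb.sha256"
    echo "Total (sha256): e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" > "$d/sha256.txt"
    verify_acquisition "$d/usb.md5" "$d/md5.txt" "$d/usb.sha256" "$d/sha256.txt"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Run against the lab's file names when all four exist in the current directory.
if [ -f usb.md5 ] && [ -f md5.txt ] && [ -f usb.sha256 ] && [ -f sha256.txt ]; then
    verify_acquisition usb.md5 md5.txt usb.sha256 sha256.txt && echo "Image hashes match"
fi
```

A mismatch on either algorithm returns a non-zero status, so the script can gate later steps of an acquisition workflow.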