
acquiring-disk-image-with-dd-and-dcfldd

by mukul975

acquiring-disk-image-with-dd-and-dcfldd helps Security Audit and forensic users create a defensible bit-for-bit disk image with dd or dcfldd, using write protection, hash verification, and a clear acquisition workflow for incident response and evidence handling.

Stars: 0
Favorites: 0
Comments: 0
Added: May 9, 2026
Category: Security Audit
Install command: npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill acquiring-disk-image-with-dd-and-dcfldd
Curation Score

This skill scores 79/100, which means it is a solid listing candidate for directory users who need forensic disk acquisition guidance. It is clearly triggerable for dd/dcfldd imaging work, includes a substantial workflow, and provides enough operational detail to reduce guesswork compared with a generic prompt, though users should still review the included commands carefully before running them on evidence devices.

Strengths
  • Strong task fit: the frontmatter and "When to Use" section clearly target forensic bit-for-bit imaging, evidence preservation, and verified acquisition.
  • Good operational depth: the body is substantial, with a stepwise workflow, code fences, and an API reference covering dd and dcfldd flags such as hash logging and error handling.
  • Agent leverage is real: the bundled script and reference file suggest the skill is meant to support repeatable acquisition and hash verification, not just explain the concept.
Cautions
  • The excerpt shows a truncated workflow and no install command, so users may need to inspect the full skill before adoption.
  • The script appears to automate storage and write-protection operations, which are high-risk in forensic contexts and require careful environment validation.
Overview

Overview of acquiring-disk-image-with-dd-and-dcfldd skill

The acquiring-disk-image-with-dd-and-dcfldd skill helps you create a forensically defensible, bit-for-bit image of a disk or removable device using dd or dcfldd. It is best for incident responders, digital forensic analysts, and Security Audit work where evidence integrity, repeatability, and hash verification matter more than speed or convenience.

This is not a generic backup workflow. The job-to-be-done is to preserve a source device exactly as it was, avoid accidental writes, and produce an image plus hashes that can stand up to review. The main value of the acquiring-disk-image-with-dd-and-dcfldd skill is that it keeps the acquisition process focused on device identification, write protection, imaging, and verification.

Best fit for forensic acquisition

Use this skill when you need to image a suspect drive, USB device, or memory card before analysis. It fits Security Audit cases where you need a reproducible acquisition trail and a clear handoff artifact for later examination.

What makes it different

The acquiring-disk-image-with-dd-and-dcfldd skill centers on practical evidence handling: read-only targeting, careful source selection, hash logging, and error-aware copying. It is more suitable than a plain prompt when you need the workflow translated into an operational sequence.

When it may not fit

Do not use it for routine file backups, cloud snapshots, or live system cloning where exact sector-level capture is unnecessary. It is also a poor fit if you cannot attach a write blocker or cannot safely run privileged commands on the acquisition workstation.

How to Use acquiring-disk-image-with-dd-and-dcfldd skill

Install and locate the workflow

Install the acquiring-disk-image-with-dd-and-dcfldd skill in your skill environment, then open skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md first. Read references/api-reference.md next for the option reference, and inspect scripts/agent.py if you want the implementation logic behind device enumeration, read-only checks, and hash handling.

Give the skill the right input

The acquiring-disk-image-with-dd-and-dcfldd usage works best when you specify:

  • the source device path, such as /dev/sdb
  • the evidence goal, such as incident response or Security Audit
  • whether hardware write blocking is available
  • the target image path and storage location
  • whether you want plain dd output or dcfldd with hash logging

A weak request is: “image this drive.” A stronger one is: “Create a forensic acquisition plan for /dev/sdb on Linux, use dcfldd if available, write hashes to a log file, and include verification steps for a Security Audit.”

Follow a practical acquisition flow

Start by identifying the device with lsblk and confirming it is the correct target. Then ensure write protection, image the drive to a destination with enough free space, and verify the resulting image hash against the acquisition log. For damaged media, prefer options like conv=noerror,sync so dd continues past read errors and zero-pads unreadable blocks, keeping every later sector at its original offset in the image.
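The flow above as an added POSIX shell example, run against a constructed sample file rather than a real device; it is not the listing's own material nor the skill's scripts/agent.py, and it assumes GNU coreutils (dd status=none, sha256sum) and util-linux blockdev, with the make_sample helper constructed for this demonstration:

```shell
#!/bin/sh
# Added example (not from the listing or the skill's scripts/agent.py):
# dd acquisition with conv=noerror,sync, hash logging, and verification.
# Assumes GNU coreutils (dd status=none, sha256sum) and util-linux blockdev.
set -eu

# acquire_and_verify SRC DST LOG [BS]
# Images SRC to DST, appends both SHA-256 values to LOG, and returns 0 only
# when the image hash equals the source hash (2 if SRC is a writable device).
acquire_and_verify() {
    src=$1; dst=$2; log=$3; bs=${4:-512}
    # On a real block device, refuse to proceed unless it is read-only
    # (hardware write blocker, or blockdev --setro as a software fallback).
    if [ -b "$src" ] && [ "$(blockdev --getro "$src")" != "1" ]; then
        echo "refusing: $src is not read-only" >&2
        return 2
    fi
    # noerror: continue past unreadable blocks; sync: zero-pad each short
    # read so every later byte keeps its original offset in the image.
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync status=none
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    printf 'source=%s\nimage=%s\nsha256_source=%s\nsha256_image=%s\n' \
        "$src" "$dst" "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Constructed stand-in for a small device: FILE filled with SIZE random bytes.
make_sample() {
    head -c "$2" /dev/urandom > "$1"
}
```

Because conv=sync pads the final short read, a source whose length is not a multiple of bs produces an image that is larger than the source and whose whole-file hash no longer matches, which is why dcfldd's hash-on-read (hash= with hashlog=) or a recorded source size belongs in the acquisition log alongside the image hash.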

Read the repo files in the right order

For fastest adoption, read:

  1. SKILL.md for the end-to-end workflow
  2. references/api-reference.md for dd and dcfldd flags
  3. scripts/agent.py for command structure and verification logic

That order helps you turn the acquiring-disk-image-with-dd-and-dcfldd skill into an executable procedure instead of a loose concept.

acquiring-disk-image-with-dd-and-dcfldd skill FAQ

Is this skill only for forensic specialists?

No. The acquiring-disk-image-with-dd-and-dcfldd skill is useful for any user who needs a verified disk image and can follow basic Linux command-line procedures. Beginners can use it if they are careful about device selection and permissions.

Should I choose dd or dcfldd?

Use dd when you want the standard tool already present on most Linux systems. Use dcfldd when you need built-in hash logging, split output, or more forensic-friendly reporting. If your workflow depends on audit trails, dcfldd is usually the better default.

How is this different from a normal prompt?

A normal prompt may explain the concept but often misses the operational details that matter in evidence work. This skill adds a structured approach to acquiring a disk image with dd and dcfldd: what to verify first, which options matter, and which output you should preserve.

What are the main limitations?

This skill assumes a Linux forensic workstation, root or sudo access, and a clear source device. If you need GUI-based imaging, encrypted volume handling, or cloud evidence collection, this skill is not the best match.

How to Improve acquiring-disk-image-with-dd-and-dcfldd skill

Provide evidence-grade context up front

Better inputs produce better acquisition plans. Tell the model whether this is for Security Audit, incident response, or training, and include the device type, expected size, and whether the media has read errors. That lets the acquiring-disk-image-with-dd-and-dcfldd skill choose sensible defaults and warning language.

Ask for the exact output you need

If you need a report, ask for the command sequence, verification checklist, and expected hash records. If you need a runbook, ask for a step-by-step procedure with decision points for write blocking, read errors, and split images. Narrow output goals reduce ambiguity.

Watch for common failure modes

The biggest risks are imaging the wrong device, forgetting write protection, and failing to verify the image after acquisition. Another common issue is asking for a command without specifying source, destination, or hash requirements. Strong prompts name all three.

Iterate after the first draft

If the first answer is too generic, ask for:

  • a version optimized for dcfldd
  • a version for damaged media using conv=noerror,sync
  • a verification checklist for chain-of-custody review
  • a shorter Security Audit checklist for field use

This is the fastest way to turn the acquiring-disk-image-with-dd-and-dcfldd guide into a workflow you can actually run and defend.
