I’m pretty sure, every Linux enthusiasts out there, are aware of the dd utility. dcfldd is an improved version with features for forensics and security. To those who ask, dcfl stands for Defense Computers Forensic Labs.
There’s a lot of new features to experiment with, but the one that i think will benefit a SysAdmin is the option to hash the input on the fly. I’m on a CentOS 7 machine. The package is from the epel repo.
To install it, run:
yum install dcfldd -y
Let’s backup the master boot record with the sha256 hash algorithm:
dcfldd if=/dev/sda of=/tmp/mbr_dcfl.bak bs=512 count=1 hash=sha256 hashlog=/tmp/mbr_dcfl_sha256.log
At this point, you can copy the hash log somewhere safe for later use. To verify the checksum, filter the output of both MBR, and hash log, and verify it with diff like so:
[root@lab tmp]# sha256sum mbr_dcfl.bak | awk '{print $1}' > mbr_hash
[root@lab tmp]# cat mbr_dcfl_sha256.log | awk '{print $3}' > mbr_hash_log
[root@lab tmp]#
[root@lab tmp]# diff -s mbr_hash mbr_hash_log
Files mbr_hash and mbr_hash_log are identical
To restore the MBR, boot to a rescue media(that have dcfldd installed, for e.g knoppix), and run:
dcfldd if=/tmp/mbr_dcfl.bak of=/dev/sda
Another tip: The master boot record contains the stage 1 of the GRUB bootloader.
You can also examine the content of the MBR, by displaying its content in hexadecimal and look for grub as a hint:
[root@lab tmp]# cat mbr_dcfl.bak | hexdump -C | grep -i grub
00000170 be 94 7d e8 2e 00 cd 18 eb fe 47 52 55 42 20 00 |..}.......GRUB .|
If you got bored, check this out.
“Make improvements, not excuses. Seek respect, not attention.” - Roy T.Bennet, The Light Of Heart