I'm pretty sure every Linux enthusiast out there is aware of the dd utility. dcfldd is an enhanced version of dd with features for forensics and security. For those who ask, dcfl stands for the Defense Computer Forensics Laboratory, where it was developed.

There are a lot of new features to experiment with, but the one that I think will benefit a SysAdmin is the option to hash the input on the fly. I'm on a CentOS 7 machine. The package is from the EPEL repo.

To install it, run:

yum install dcfldd -y

Let's back up the master boot record (the first 512 bytes of the disk) while hashing it with SHA-256 as it is read:

dcfldd if=/dev/sda of=/tmp/mbr_dcfl.bak bs=512 count=1 hash=sha256 hashlog=/tmp/mbr_dcfl_sha256.log

dcfldd writes the digest of everything it read to the hash log. Copy the hash log (and the backup itself) somewhere safe, off the machine, for later use: the hash only proves that the backup has not changed since it was taken, so it is only worth something if an attacker who can tamper with the backup cannot also rewrite the log. To verify the checksum later, extract the digest from both the backup and the hash log and compare them with diff, like so:

{% highlight console %}
[root@lab tmp]# sha256sum mbr_dcfl.bak | awk '{print $1}' > mbr_hash
[root@lab tmp]# cat mbr_dcfl_sha256.log | awk '{print $3}' > mbr_hash_log
[root@lab tmp]# diff -s mbr_hash mbr_hash_log
Files mbr_hash and mbr_hash_log are identical
{% endhighlight %}

To restore the MBR, boot from rescue media that has dcfldd installed (e.g. Knoppix), make the backup reachable from the rescue system, verify its hash as above, and run:

{% highlight bash %}
dcfldd if=/tmp/mbr_dcfl.bak of=/dev/sda
{% endhighlight %}

Note that this writes all 512 bytes back, including the 64-byte partition table that sits at offset 446. If the partitions have changed since the backup was taken and you only want the boot code back, restrict the write to the first 446 bytes with bs=446 count=1.
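The three steps above (back up with a hash, verify, restore) fit in one small script. This is an added example for this post, not the author's own script and not part of dcfldd. It assumes dcfldd is on PATH for the backup and restore steps and that dcfldd's hash log contains a line of the form `Total (sha256): <digest>` (the same line the awk `'{print $3}'` filter above reads); the verification and layout checks only need od, awk, grep and sha256sum, so they also run on a rescue system without dcfldd. The script refuses to write to the disk unless the backup still matches its hash log, and `bootcode-only` leaves the partition table on the disk untouched.

```shell
#!/bin/sh
# mbr_backup.sh: back up, verify and restore a 512-byte MBR with dcfldd.
# Added example for this post, not part of the original. Assumes dcfldd is on
# PATH for backup/restore and that its hashlog holds a line of the form
# "Total (sha256): <digest>" (the line the post's awk '{print $3}' reads).
# Verification and layout checks need only od, awk, grep and sha256sum.

# Print the total SHA-256 digest recorded in a dcfldd hashlog.
hashlog_digest() {
    awk '/^Total \(sha256\):/ { print $3; exit }' "$1"
}

# Recompute the backup's SHA-256 and compare it with the hashlog. Returns 0 on
# match; a missing or empty hashlog entry is treated as a failure, never a pass.
verify_backup() {
    vb_expected=$(hashlog_digest "$2")
    vb_actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$vb_expected" ] && [ "$vb_expected" = "$vb_actual" ]
}

# Sanity-check the backup's shape: exactly 512 bytes and the 0x55AA boot
# signature at offset 510, which every bootable MBR carries.
check_mbr_layout() {
    cml_size=$(wc -c < "$1" | tr -d ' ')
    [ "$cml_size" -eq 512 ] || { echo "$1: expected 512 bytes, got $cml_size" >&2; return 1; }
    cml_sig=$(od -An -tx1 -j510 -N2 "$1" | tr -d ' \n')
    [ "$cml_sig" = "55aa" ] || { echo "$1: boot signature is '$cml_sig', not 55aa" >&2; return 1; }
}

# Hint that GRUB owns the boot code: its first stage embeds the string "GRUB".
has_grub_marker() {
    LC_ALL=C grep -qa 'GRUB' "$1"
}

# backup_mbr DEVICE BACKUPFILE HASHLOG: the post's dcfldd command, followed by
# an immediate read-back verification of what was written.
backup_mbr() {
    dcfldd if="$1" of="$2" bs=512 count=1 hash=sha256 hashlog="$3" || return 1
    verify_backup "$2" "$3" && check_mbr_layout "$2"
}

# restore_mbr BACKUPFILE HASHLOG DEVICE [bootcode-only]: refuse to write unless
# the backup still matches its hashlog. "bootcode-only" writes just the first
# 446 bytes so the partition table currently on the disk is left alone.
restore_mbr() {
    verify_backup "$1" "$2" || { echo "refusing to restore: $1 does not match $2" >&2; return 1; }
    check_mbr_layout "$1" || return 1
    if [ "${4:-}" = "bootcode-only" ]; then
        dcfldd if="$1" of="$3" bs=446 count=1
    else
        dcfldd if="$1" of="$3" bs=512 count=1
    fi
}

# Usage: mbr_backup.sh backup  /dev/sda /tmp/mbr_dcfl.bak /tmp/mbr_dcfl_sha256.log
#        mbr_backup.sh verify  /tmp/mbr_dcfl.bak /tmp/mbr_dcfl_sha256.log
#        mbr_backup.sh restore /tmp/mbr_dcfl.bak /tmp/mbr_dcfl_sha256.log /dev/sda [bootcode-only]
case "${1:-}" in
    backup)  backup_mbr "$2" "$3" "$4" ;;
    verify)  verify_backup "$2" "$3" && check_mbr_layout "$2" && echo "OK: $2 matches $3"
             has_grub_marker "$2" && echo "GRUB boot code present in $2" ;;
    restore) restore_mbr "$2" "$3" "$4" "${5:-}" ;;
esac
```

The verify step deliberately fails closed: an empty hash log (for example, a log that was never copied off the box) does not compare equal to anything, whereas the bare `diff` above would happily report two empty files as identical.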

Another tip: the master boot record contains the first stage of the GRUB bootloader. Its first 446 bytes hold the boot code (stage1 in GRUB Legacy, boot.img in GRUB 2), followed by the 64-byte partition table and the two-byte 0x55AA boot signature.

You can also examine the MBR by dumping it in hexadecimal and looking for the string "GRUB" as a hint that GRUB owns the boot code:

{% highlight console %}
[root@lab tmp]# hexdump -C mbr_dcfl.bak | grep -i grub
00000170  be 94 7d e8 2e 00 cd 18  eb fe 47 52 55 42 20 00  |..}.......GRUB .|
{% endhighlight %}

If you got bored, check this out.

"Make improvements, not excuses. Seek respect, not attention." - Roy T. Bennett, The Light in the Heart