---
id: skill:acquire-disk-image
type: skill
title: 'Sample skill: Acquiring Disk Image with dd and dcfldd'
status: active
confidence: 0.9
sources:
  - 2026-05-09-cybersec-skill-acquire-disk-image.md
created: 2026-05-09
updated: 2026-05-09
updated_log:
  - 2026-05-09: created
tiers: semantic
half_life_days: 180
tags: [skill-sample, forensics, disk-imaging, evidence]
---

# Sample skill — Acquiring Disk Image with dd and dcfldd

## Summary

A worked example skill from the digital-forensics domain. Use it when you need to create a forensic copy of a suspect drive for investigation: incident response, law-enforcement chain of custody, or before any destructive analysis. The workflow uses `dd` and the forensic-grade `dcfldd` to produce bit-for-bit images with hash verification on a write-blocked source. This skill is also our reference for "what a real SKILL.md looks like" in [[pattern:skill-anatomy]] and a worked example for [[pattern:cross-mapping-in-practice]].

## Claims

- Skill name: `acquiring-disk-image-with-dd-and-dcfldd`. Domain: cybersecurity, subdomain: digital-forensics. Version 1.0, author "mahipal", Apache-2.0 license. `[src: raw/2026-05-09-cybersec-skill-acquire-disk-image.md] {conf: 0.95}`
- The skill's purpose is to "create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification." Trigger conditions include: making a forensic copy of a suspect drive, incident response (IR) preserving volatile evidence, legal proceedings requiring a verified bit-for-bit copy, acquisition before destructive analysis, and imaging physical drives, USB, or memory cards. `[src: raw/2026-05-09-cybersec-skill-acquire-disk-image.md] {conf: 0.9}`
- Frontmatter declares `nist_csf: [RS.AN-01, RS.AN-03, DE.AE-02, RS.MA-01]` — four NIST CSF 2.0 subcategories spanning Respond (Incident Analysis + Management) and Detect (Adverse Event Analysis). No atlas/d3fend/ai_rmf/mitre_attack frontmatter fields. `[src: raw/2026-05-09-cybersec-skill-acquire-disk-image.md] {conf: 0.95}`
- Workflow tools: `lsblk`, `fdisk`, `blockdev --setro`, `hdparm`, `smartctl`, `sha256sum`, `dd`, `dcfldd`, `dc3dd`, `ddrescue`, `udev` rules, plus hardware write-blockers (Tableau T35u referenced in scenarios). The 6-step workflow covers identification, write-protection, source documentation, dd acquisition, dcfldd acquisition with hashing/splitting, integrity verification, and case-package documentation. `[src: raw/2026-05-09-cybersec-skill-acquire-disk-image.md] {conf: 0.85}`
- Tags: forensics, disk-imaging, evidence-acquisition, dd, dcfldd, hash-verification. `[src: raw/2026-05-09-cybersec-skill-acquire-disk-image.md] {conf: 0.95}`

## Relationships

- categorized-as → [[domain:digital-forensics]] `{conf: 0.9}`
- uses → [[tool:dd]] `{conf: 0.95}`
- uses → [[tool:dcfldd]] `{conf: 0.95}`
- maps-to → [[framework:nist-csf-20]] `{conf: 0.9}`
- composes → [[concept:cybersec-skill-library]] `{conf: 0.8}`

## Open questions

- [ ] Why is this skill not also tagged with ATT&CK Collection (T1005 Data from Local System)? It would be a natural fit if read offensively.

## Changelog

- 2026-05-09 — created
