- Windows Forensics Cookbook
- Oleg Skulkin Scar de Courcier
- 2021-07-02 20:57:45
How to do it...
The steps for drive acquisition in RAW format using dc3dd are as follows:
- Open the Windows Command Prompt, change to the directory that contains dc3dd.exe (you can use the cd command to do it), and type the following command:
dc3dd.exe if=\\.\PHYSICALDRIVE2 of=X:\147-2017.dd hash=sha256 log=X:\147-2017.log
- Press Enter and the acquisition process will start.
Of course, your command will be a bit different, so let's find out what each part of it means:
- if - stands for input file. Originally, dd was a Linux utility, and in case you didn't know, everything is a file in Linux. As you can see in our command, we specified physical drive 2 here (this is the drive we wanted to image, but in your case it may be another drive, depending on the number of drives connected to your workstation).
- of - stands for output file. Here, you should type the destination of your image in RAW format. In our case, it's the 147-2017.dd file on the X:\ drive.
- hash - as has already been said, DC3DD supports four hashing algorithms: MD5, SHA-1, SHA-256, and SHA-512. We chose SHA-256, but you can choose whichever one you like.
- log - here, you should type the destination for the logs. You will find the image version, image hash, and so on in this file once acquisition is completed.
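The hash recorded in the log is what lets you show later that the image has not changed since acquisition. The following added example (not from the book) recomputes the image digest and compares it with the one in the log; it assumes dc3dd writes each digest on its own line as `<hex> (sha256)`, and the function names and the tiny sample image are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed log layout: each digest sits on its own line as "<hex> (<algorithm>)".
HASH_LINE = re.compile(
    r"^\s*([0-9a-fA-F]{32,128})\s+\((md5|sha1|sha256|sha512)\)\s*$", re.M)

def logged_hashes(log_text):
    """Return {algorithm: set of lowercase digests} found in the log text."""
    found = {}
    for digest, algo in HASH_LINE.findall(log_text):
        found.setdefault(algo, set()).add(digest.lower())
    return found

def hash_image(path, algo="sha256", chunk_size=1024 * 1024):
    """Hash the image in chunks so a multi-gigabyte file never loads into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(image_path, log_path, algo="sha256"):
    """Return (ok, computed, logged); ok is False on mismatch or if the log has no digest."""
    log_text = Path(log_path).read_text(errors="replace")
    logged = logged_hashes(log_text).get(algo, set())
    computed = hash_image(image_path, algo)
    return (logged == {computed}, computed, sorted(logged))

def demo():
    """Constructed sample: a small fake image and a log in the assumed layout."""
    with tempfile.TemporaryDirectory() as d:
        image, log = Path(d, "sample.dd"), Path(d, "sample.log")
        image.write_bytes(b"\x00" * 4096 + b"constructed sample data")
        good = hashlib.sha256(image.read_bytes()).hexdigest()
        log.write_text("input results for device (constructed):\n"
                       "   9 sectors in\n   " + good + " (sha256)\n")
        before = verify_image(image, log)[0]
        with open(image, "ab") as f:  # simulate the image changing after acquisition
            f.write(b"!")
        after = verify_image(image, log)[0]
        return before, after

if __name__ == "__main__":
    print(demo())  # (True, False)
```

For a real case, call `verify_image(r"X:\147-2017.dd", r"X:\147-2017.log")` and record the result in your case notes.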