This skill walks you through creating forensically sound disk images using dd and dcfldd, covering everything from write-blocking the source drive to hash verification. You get practical commands for both tools, with dcfldd being the better choice since it handles SHA-256 hashing during acquisition instead of as a separate step. The workflow includes proper evidence documentation, split imaging for large drives, and integrity verification that'll hold up in court. It's comprehensive enough that you could hand it to a junior analyst during an incident response and they'd know exactly what commands to run and why the conv=noerror,sync flags matter for maintaining offset alignment.
npx skills add https://github.com/mukul975/anthropic-cybersecurity-skills --skill acquiring-disk-image-with-dd-and-dcfldd