Difference between revisions of "Dd"

From Forensics Wiki
(Added dd command options.)
Line 1: Line 1:
 
dd, sometimes called GNUdd, is the oldest of the imaging tools currently in use. A command line program that has been ported to many operating systems, dd uses a complex series of flags to allow the user to image or write data from and to [[raw image files]]. There are a few forks of dd for forensic purposes including [[dcfldd]], [[dccidd]], a [[Microsoft Windows]] version that supports reading [[Physical Memory]].
 
dd, sometimes called GNUdd, is the oldest of the imaging tools currently in use. A command line program that has been ported to many operating systems, dd uses a complex series of flags to allow the user to image or write data from and to [[raw image files]]. There are a few forks of dd for forensic purposes including [[dcfldd]], [[dccidd]], a [[Microsoft Windows]] version that supports reading [[Physical Memory]].
 +
 +
 +
When using dd, be sure to specify a proper "conversion" that will ignore bad blocks. You can also improve imaging performance by specifying a blocksize that is larger than the default of 512 bytes.
 +
 +
Here is a common dd command:
 +
 +
  dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync
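Review bot: the added text recommends conv=noerror,sync together with a larger blocksize, but it never says what the two conversions do or how they interact with bs. With sync, an input block that fails to read is replaced by bs bytes of NULs, so at bs=65536 a single unreadable sector zero-fills 64 KiB of the image. Suggest stating that trade-off next to the example command, and noting that /dev/hda and mybigfile.img are placeholders for the reader's own source and destination.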

Revision as of 08:41, 31 October 2005

dd, sometimes called GNUdd, is the oldest of the imaging tools currently in use. It is a command-line program that has been ported to many operating systems, and it uses a complex series of flags to let the user image or write data from and to raw image files. There are a few forks of dd for forensic purposes, including dcfldd, dccidd, and a Microsoft Windows version that supports reading Physical Memory.


When using dd, be sure to specify a proper "conversion" (the conv= option) that will ignore bad blocks, so that imaging continues past read errors. You can also improve imaging performance by specifying a block size (bs=) that is larger than the default of 512 bytes.

Here is a common dd command:

  dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync
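Added example (not part of the original wiki page): a shell function that runs the command above and then checks the image against the source. It shows that conv=sync pads a short final block with NULs, so the image can be larger than the source and has to be hashed over the source length only. The names image_and_verify and sha256_of are hypothetical, and sha256sum or shasum is assumed to be installed.

```shell
#!/bin/sh
# Added example: image a source with the page's dd options, then verify it.
# Usage: image_and_verify SRC IMG [BS]
# Prints "match N" or "mismatch N", where N is the number of padding bytes
# that conv=sync appended to the image.

sha256_of() {
    # Hash stdin. Assumption: sha256sum (GNU) or shasum (BSD/macOS) exists.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

image_and_verify() {
    src=$1
    img=$2
    bs=${3:-65536}

    # Same options as the command on the page; dd's record counts
    # (records in/out) are kept in a log beside the image for case notes.
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>"$img.log" || return 2

    # Size in bytes. wc -c reads a whole block device to count it;
    # on Linux, `blockdev --getsize64 DEV` gives the size without reading.
    src_size=$(wc -c <"$src" | tr -d ' ')
    img_size=$(wc -c <"$img" | tr -d ' ')
    pad=$((img_size - src_size))

    # Hash only the first src_size bytes of the image: anything after that
    # is NUL padding added by conv=sync to fill the last block.
    src_hash=$(sha256_of <"$src")
    img_hash=$(head -c "$src_size" "$img" | sha256_of)

    if [ "$src_hash" = "$img_hash" ]; then
        echo "match $pad"
    else
        echo "mismatch $pad"
    fi
}
```

A nonzero padding count means a hash of the whole image file will not equal a hash of the source, even when every byte was copied correctly.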