
Difference between revisions of "Dd"

(Added dd command options.)
(Added warnings about using command line arguments correctly)
Line 7: Line 7:
  
 
   dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync
 
   dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync
 +
 +
==Cautions==
 +
 +
Use extreme care when typing the command line for this program. Reversing the <tt>if</tt> and <tt>of</tt> flags will cause the computer to erase your evidence!
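Review bot: the new Cautions text (the line beginning "Use extreme care") states the consequence of swapping <tt>if</tt> and <tt>of</tt> but gives the reader no way to catch the mistake before pressing Enter; consider adding one sentence telling the examiner to confirm that <tt>of=</tt> names a regular file on the collection drive, not the evidence device, before running the command shown above it.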

Revision as of 18:34, 5 November 2005

dd, sometimes called GNU dd, is the oldest of the imaging tools currently in use. It is a command line program that has been ported to many operating systems and uses a complex series of flags to let the user image or write data from and to raw image files. There are a few forks of dd for forensic purposes, including dcfldd, dccidd, and a Microsoft Windows version that supports reading physical memory.


When using dd, be sure to specify a conversion (conv=noerror,sync in the command below) so that dd continues past unreadable blocks instead of stopping at the first read error: noerror keeps reading, and sync pads each short or failed read with zeros so that offsets in the image stay aligned with the source. You can also improve imaging performance by specifying a block size larger than the default of 512 bytes.

Here is a common dd command:

  dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync

Cautions

Use extreme care when typing the command line for this program. Reversing the if and of flags will cause the computer to erase your evidence!
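Putting the imaging advice and the caution together, as an added example that is not from this wiki page or the dd project: the script below images a constructed 100000-byte file with the page's bs=65536 conv=noerror,sync options, refuses to run when the output path is an existing non-regular file (the symptom of swapped if= and of=), and shows that conv=sync pads the last short block, so the image hash must be compared over the source length rather than over the whole file. The helper names safe_image, verify_prefix, hash_of and size_of are assumptions for this example, not dd options.

```shell
#!/bin/sh
# Added example, not from the ForensicsWiki page or the dd project.
# Images a constructed source with the page's dd options, guards the
# output path against a swapped if=/of=, and shows what conv=sync does
# to the image length and hash.
set -eu

# Print the SHA-256 of a file (or of stdin when given "-").
hash_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

size_of() { wc -c < "$1" | tr -d ' '; }

# safe_image SRC DST [BS]: run the page's dd command line, but refuse when
# DST already exists and is not a regular file (a device node there is the
# classic sign that if= and of= were reversed). Hypothetical helper name.
safe_image() {
  in_path=$1; out_path=$2; blk=${3:-65536}
  [ -r "$in_path" ] || { echo "source $in_path not readable" >&2; return 1; }
  if [ -e "$out_path" ] && [ ! -f "$out_path" ]; then
    echo "refusing: $out_path is not a regular file (if/of swapped?)" >&2
    return 2
  fi
  dd if="$in_path" of="$out_path" bs="$blk" conv=noerror,sync 2>/dev/null
}

# verify_prefix SRC IMG: the image must match the source over the source's
# length; bytes beyond that are conv=sync padding, not evidence.
verify_prefix() {
  [ "$(hash_of "$1")" = "$(head -c "$(size_of "$1")" "$2" | hash_of -)" ]
}

# Constructed evidence: 100000 bytes, deliberately not a multiple of bs.
workdir=$(mktemp -d)
src="$workdir/evidence.bin"; img="$workdir/evidence.img"
yes 'constructed evidence data' | head -c 100000 > "$src"

safe_image "$src" "$img" 65536
src_size=$(size_of "$src"); img_size=$(size_of "$img")

# The last short read is zero-padded to a full 65536-byte block, so the
# image is 131072 bytes and its whole-file hash differs from the source.
echo "source $src_size bytes -> image $img_size bytes"
echo "source sha256: $(hash_of "$src")"
echo "image  sha256: $(hash_of "$img")"
verify_prefix "$src" "$img" && echo "image matches source over $src_size bytes"
```

On a real acquisition the input would be a device such as the /dev/hda of the page's command and the output a regular file on a separate collection drive; the padding shown here is why forensic forks of dd record the hash differently.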