Difference between revisions of "Dd"

From ForensicsWiki
m (See also.)
Line 1: Line 1:
'''dd''', sometimes called GNUdd, is the oldest of the imaging tools currently in use. A command line program that has been ported to many [[operating systems]], dd uses a complex series of flags to allow the user to image or write data from and to [[raw image files]]. There are a few forks of dd for forensic purposes including [[dcfldd]], [[dccidd]], a [[Microsoft Windows]] version that supports reading [[physical memory]].
+
'''dd''', sometimes called GNUdd, is the oldest of the imaging tools currently in use. A command line program that has been ported to many [[operating system]]s, dd uses a complex series of flags to allow the user to image or write data from and to [[raw image files]]. There are a few forks of dd for forensic purposes including [[dcfldd]], [[dccidd]], a [[Microsoft Windows]] version that supports reading [[physical memory]].
  
When using dd, be sure to specify a proper "conversion" that will ignore [[bad blocks]]. You can also improve imaging performance by specifying a [[blocksize]] that is larger than the default of 512 bytes.
+
When using dd, be sure to specify a proper "conversion" that will ignore [[bad block]]s. You can also improve imaging performance by specifying a [[blocksize]] that is larger than the default of 512 bytes.
  
 
Here is a common dd command:
 
Here is a common dd command:
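Review bot: the sentence naming the forensic forks is ambiguous in both the old and the new text: "including [[dcfldd]], [[dccidd]], a [[Microsoft Windows]] version that supports reading [[physical memory]]" does not say whether the Windows version is dccidd itself or a third, unnamed fork. Suggest "and [[dccidd]], a [[Microsoft Windows]] version ..." if it is dccidd, or "and a [[Microsoft Windows]] version ..." if it is a separate tool, so the reader knows how many forks are being listed.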
Line 10: Line 10:
  
 
Use extreme care when typing the command line for this program. Reversing the <tt>if</tt> and <tt>of</tt> flags will cause the computer to erase your evidence!
 
Use extreme care when typing the command line for this program. Reversing the <tt>if</tt> and <tt>of</tt> flags will cause the computer to erase your evidence!
 +
 +
== See also ==
 +
 +
* [[aimage]]
 +
* [[Blackbag]]
 +
* [[dcfldd]]
 +
* [[dd_rescue]]
 +
* [[sdd]]
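Review bot: the new "See also" list names [[dcfldd]] but leaves out [[dccidd]], which the article body lists as another forensic fork of dd; add "* [[dccidd]]" alongside "* [[dcfldd]]" for consistency, unless no page for it exists.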

Revision as of 21:43, 18 March 2006

dd, sometimes called GNUdd, is the oldest of the imaging tools currently in use. A command line program that has been ported to many operating systems, dd uses a complex series of flags to allow the user to image or write data from and to raw image files. There are a few forks of dd for forensic purposes including dcfldd, dccidd, a Microsoft Windows version that supports reading physical memory.

When using dd, be sure to specify a proper "conversion" (the conv= option shown in the command below) so that bad blocks are skipped instead of aborting the image. You can also improve imaging performance by specifying a blocksize that is larger than the default of 512 bytes.

Here is a common dd command:

dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync

Cautions

Use extreme care when typing the command line for this program. Reversing the if and of flags will cause the computer to erase your evidence!
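A constructed example, added here and not part of the wiki page: a small POSIX sh wrapper around the command above that guards against swapped if= and of= by refusing to write to a device node or an existing file, and then shows what conv=noerror,sync does to the image: each short block is padded with NULs, so a 100000-byte source imaged with bs=65536 comes out at 131072 bytes. The function names and the sample "disk" file are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page. Wraps the dd command above with the
# checks the "Cautions" section calls for; function names are assumed.

# forensic_image SRC DST [BS]
# Refuses to write to a device node or an existing file (what a swapped
# if=/of= would do), then images with conv=noerror,sync:
#   noerror  keep going after a read error instead of aborting
#   sync     pad each short block (error or end of input) with NULs to BS,
#            so offsets in the image still match offsets on the source
forensic_image() {
    src=$1; dst=$2; bs=${3:-65536}   # 64 KiB rather than dd's 512-byte default
    if [ ! -e "$src" ]; then
        echo "source $src does not exist" >&2; return 2
    fi
    if [ -b "$dst" ] || [ -c "$dst" ]; then
        echo "refusing: $dst is a device node (if= and of= swapped?)" >&2; return 3
    fi
    if [ -e "$dst" ]; then
        echo "refusing: $dst already exists" >&2; return 4
    fi
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>/dev/null
}

# image_size FILE: size in bytes (wc -c pads with spaces on some systems)
image_size() { wc -c < "$1" | tr -d ' '; }

# hash_prefix FILE NBYTES: SHA-256 of the first NBYTES, to confirm the source
# content survived intact ahead of the padding
hash_prefix() {
    if command -v sha256sum >/dev/null 2>&1; then
        head -c "$2" "$1" | sha256sum | cut -d' ' -f1
    else
        head -c "$2" "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# padding_is_zero FILE NBYTES: true if every byte after the first NBYTES is NUL
padding_is_zero() {
    [ "$(tail -c +"$(($2 + 1))" "$1" | tr -d '\000' | wc -c | tr -d ' ')" = 0 ]
}

# Demo on a constructed 100000-byte "disk": not a multiple of 65536, so the
# image comes out at 131072 bytes, the last 31072 of them NUL padding.
demo_dir=$(mktemp -d)
head -c 100000 /dev/urandom > "$demo_dir/disk.bin"
forensic_image "$demo_dir/disk.bin" "$demo_dir/disk.img"
echo "source $(image_size "$demo_dir/disk.bin") bytes, image $(image_size "$demo_dir/disk.img") bytes"
rm -rf "$demo_dir"
```

Because of the sync padding, a whole-image hash will not match a hash of the source device unless the source size is a multiple of bs; hash the source length or image with a bs that divides it when the hashes must agree.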

See also