Difference between revisions of "Dd"

From Forensics Wiki
(See also.)
(Infobox.)
Line 1: Line 1:
'''dd''', sometimes called GNUdd, is the oldest of the imaging tools currently in use. A command line program that has been ported to many [[operating system]]s, dd uses a complex series of flags to allow the user to image or write data from and to [[raw image files]]. There are a few forks of dd for forensic purposes including [[dcfldd]], [[dccidd]], a [[Microsoft Windows]] version that supports reading [[physical memory]].
+
{{Infobox_Software |
 +
  name = dd |
 +
  maintainer = [[Paul Rubin]], [[David MacKenzie]], [[Stuart Kemp]] |
 +
  os = [[Linux]], [[Windows]], [[Mac OS X]] |
 +
  genre = [[Imaging]] |
 +
  license = [[GPL]] |
 +
  website = [ftp://ftp.gnu.org/gnu/coreutils/ ftp.gnu.org/gnu/coreutils/] |
 +
}}
  
When using dd, be sure to specify a proper "conversion" that will ignore [[bad block]]s. You can also improve imaging performance by specifying a [[blocksize]] that is larger than the default of 512 bytes.
+
'''dd''', sometimes called '''GNU dd''', is the oldest of the [[Imaging|imaging tools]] currently in use. It is part of the [[coreutils]] package. A command line program that has been ported to many [[operating system]]s, dd uses a complex series of flags to allow the user to image or write data from and to [[raw image file]]s.
 +
 
 +
There are a few forks of dd for forensic purposes including [[dcfldd]], [[sdd]], [[dd_rescue]], [[ddrescue]], [[dccidd]], a [[Microsoft]] [[Windows]] version that supports reading [[physical memory]].
 +
 
 +
== Example ==
  
 
Here is a common dd command:
 
Here is a common dd command:
  
 
  dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync
 
  dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync
 +
 +
== Tips ==
 +
 +
When using dd, be sure to specify a proper "conversion" that will ignore [[bad block]]s. You can also improve imaging performance by specifying a [[blocksize]] that is larger than the default of 512 bytes.
  
 
== Cautions ==
 
== Cautions ==
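Review bot: The rewritten forks sentence still ends "[[dccidd]], a [[Microsoft]] [[Windows]] version that supports reading [[physical memory]]" with no conjunction, so a reader cannot tell whether the Windows version is dccidd or a separate fork; add "and" before "a" if it is a separate item, or rephrase if it describes dccidd. The same line also splits the earlier single link [[Microsoft Windows]] into two links, which looks unintended. In the paragraph moved under "== Tips ==", "a proper conversion" never names the option; pointing at the conv=noerror,sync used in the Example section would make the tip actionable.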
Line 17: Line 32:
 
* [[dcfldd]]
 
* [[dcfldd]]
 
* [[dd_rescue]]
 
* [[dd_rescue]]
 +
* [[ddrescue]]
 
* [[sdd]]
 
* [[sdd]]

Revision as of 12:32, 30 March 2006

dd
Maintainer: Paul Rubin, David MacKenzie, Stuart Kemp
OS: Linux, Windows, Mac OS X
Genre: Imaging
License: GPL
Website: ftp.gnu.org/gnu/coreutils/

dd, sometimes called GNU dd, is the oldest of the imaging tools currently in use. It is part of the coreutils package. A command line program that has been ported to many operating systems, dd uses a complex series of flags to allow the user to image or write data from and to raw image files.

There are a few forks of dd for forensic purposes, including dcfldd, sdd, dd_rescue, ddrescue, dccidd, and a Microsoft Windows version that supports reading physical memory.

Example

Here is a common dd command:

dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync

Tips

When using dd, be sure to specify a "conversion" that will ignore bad blocks, as conv=noerror,sync does in the example above. You can also improve imaging performance by specifying a blocksize that is larger than the default of 512 bytes.

Cautions

Use extreme care when typing the command line for this program. Reversing the if and of flags will cause the computer to erase your evidence!
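
An added example, not part of the original wiki page: a shell wrapper around the command from the Example section that refuses to write to any target that already exists, which blocks the swapped if/of mistake described above, and a check showing that conv=sync pads the final short block so the image can be larger than the source. The names safe_image, padded_tail_is_zero and demo, and the 100000-byte sample file, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page. safe_image, padded_tail_is_zero and
# demo are hypothetical helper names; the dd flags are the ones shown above.

# safe_image SRC DST: run the page's dd command, but only into a new file.
safe_image() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "source not readable: $src" >&2; return 2; }
    # Swapping if= and of= means writing onto the evidence. Refuse any target
    # that already exists; -e is also true for device nodes such as /dev/hda.
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        echo "refusing to overwrite existing target: $dst" >&2
        return 3
    fi
    dd if="$src" of="$dst" bs=65536 conv=noerror,sync 2>/dev/null
}

# padded_tail_is_zero IMG ORIG_SIZE: succeed if all bytes past ORIG_SIZE are NUL.
padded_tail_is_zero() {
    img=$1; orig=$2
    total=$(($(wc -c < "$img")))
    pad=$((total - orig))
    [ "$pad" -ge 0 ] || return 1
    [ "$pad" -eq 0 ] && return 0
    [ "$(tail -c "$pad" "$img" | tr -d '\000' | wc -c)" -eq 0 ]
}

# demo: image a constructed 100000-byte file and print the image size.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%100000s' '' | tr ' ' 'E' > "$dir/src.bin"   # constructed sample data
    safe_image "$dir/src.bin" "$dir/out.img" || return 1
    # conv=sync pads the short final block to bs, so the image is larger than
    # the source: the first 100000 bytes match, the rest is NUL padding.
    head -c 100000 "$dir/out.img" | cmp -s - "$dir/src.bin" || return 1
    padded_tail_is_zero "$dir/out.img" 100000 || return 1
    # Reversed arguments (image as source, evidence as target) are refused.
    safe_image "$dir/out.img" "$dir/src.bin" 2>/dev/null && return 1
    size=$(($(wc -c < "$dir/out.img")))
    rm -rf "$dir"
    echo "$size"
}

demo   # prints 131072 (two 65536-byte blocks for 100000 bytes of input)
```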

See also