Difference between revisions of "Dd"

From ForensicsWiki
(See also: - Added dc3dd)
Line 39: Line 39:
* [[aimage]]
* [[aimage]]
* [[Blackbag]]
* [[Blackbag]]
* [[dc3dd]]
* [[dcfldd]]
* [[dcfldd]]
* [[dd_rescue]]
* [[dd_rescue]]
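
Review bot: the new [[dc3dd]] entry is added only to the See also list, while the forks sentence in the article body ("dcfldd, sdd, dd_rescue, ddrescue, dccidd, and a Microsoft Windows version") still does not name it. If dc3dd belongs with those forensic forks, add it to that sentence as well so the body and the See also list agree.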

Revision as of 22:54, 19 December 2007

Maintainer: Paul Rubin, David MacKenzie, Stuart Kemp
OS: Linux, Windows, Mac OS X
Genre: Disk imaging
License: GPL

dd, sometimes called GNU dd, is the oldest imaging tool still used. Although it is functional and requires only minimal resources to run, it lacks some of the useful features found in more modern imagers, such as metadata gathering, error correction, piecewise hashing, and a user-friendly interface. dd is a command-line program that uses several obscure arguments to control the imaging process. Some of these flags look alike, and confusing them can destroy the source media the examiner is trying to duplicate, so users should be careful when running this program. The program generates raw image files, which can be read by many other programs.

dd is part of the GNU Coreutils package, which has in turn been ported to many operating systems.

There are a few forks of dd for forensic purposes, including dcfldd, sdd, dd_rescue, ddrescue, dccidd, and a Microsoft Windows version that supports reading physical memory.


Here are two common dd command lines:


dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync


dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5


When using dd, be sure to specify a proper "conversion" that will ignore bad blocks, as conv=noerror,sync does in the first command line above. You can also improve imaging performance by specifying a block size (bs) that is larger than the default of 512 bytes.


Use extreme care when typing the command line for this program. Reversing the if and of flags will cause the computer to erase your evidence!
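
A guarded wrapper around the first command line above, as an added example that is not part of the original wiki page: it refuses any output path that already exists (so swapped if/of arguments cannot overwrite a device or an earlier image), keeps dd's error report, and verifies the image by hash. The function name image_source, the .log file, and the use of sha256sum, head -c and blockdev are assumptions of this example; the source bytes are compared against only the first part of the image because conv=sync pads a short final block with zeros.

```shell
#!/bin/sh
# Added example (not from the wiki page): guarded raw imaging with dd.
# image_source is a hypothetical helper; sha256sum, head -c and blockdev
# are assumed to be installed (GNU coreutils / util-linux).

image_source() {
    src=$1 dst=$2 bs=65536

    # Guard against swapped if=/of=: the output must be a brand-new file.
    # -e is also true for device nodes, so a disk can never be the target.
    if [ ! -r "$src" ]; then
        echo "source not readable: $src" >&2; return 2
    fi
    if [ -e "$dst" ]; then
        echo "refusing to write to existing path: $dst" >&2; return 3
    fi

    # Source length in bytes. conv=sync pads the final short block with
    # zeros up to bs, so the image may be longer than the source.
    if [ -b "$src" ]; then
        size=$(blockdev --getsize64 "$src") || return 4
    else
        size=$(( $(wc -c < "$src") ))
    fi

    # Keep dd's record counts and any read errors beside the image.
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>"$dst.log" || return 5

    # Hash the source and the first $size bytes of the image. A source
    # with unreadable sectors will not match; check the log in that case.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    img_hash=$(head -c "$size" "$dst" | sha256sum | cut -d' ' -f1)
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified $src_hash"
    else
        echo "mismatch source=$src_hash image=$img_hash" >&2; return 1
    fi
}

# Stand-alone use: sh image.sh SOURCE IMAGE
if [ "$#" -eq 2 ]; then image_source "$1" "$2"; fi
```

Hashing the whole image file instead of its first $size bytes would report a false mismatch whenever the source length is not a multiple of bs.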

See also

External Links