USING DD

All Linux systems ship with a bit-moving program known as dd. This utility predates Linux by several years. Its original use was for converting to and from ASCII (American Standard Code for Information Interchange) and EBCDIC (Extended Binary Coded Decimal Interchange Code). For those unfamiliar with EBCDIC, it was an encoding used primarily by IBM mainframes.

In addition to its conversion capabilities, dd is used for pushing data from one place to another. Data is copied in blocks, with a default block size of 512 bytes. The most basic use of dd is dd if=<input file> of=<output file> bs=<block size>.

In Linux, where everything is a file, if the input file represents a device, the output file will be a raw image.

For example, dd if=/dev/sda of=sda.img bs=512 will create a raw image of the first drive on a system. I should point out that you can also image partitions separately by using a device file that corresponds to a single partition such as /dev/sda1, /dev/sdb2, etc. I recommend that you image the entire disk as a unit, however, unless there is some reason (such as lack of space to store the image) that prevents this.

There are a few reasons why I recommend imaging the entire drive if at all possible. First, it becomes much simpler to mount multiple partitions all at once using scripts presented later in this book. Second, any string searches can be performed against everything you have collected, including swap space. Finally, there could be data hidden in unallocated space (not part of any partition).

Does block size matter? In theory it doesn’t matter as dd will faithfully copy any partial blocks so that the input and output files are the same size (assuming no conversions are performed). The default block size is 512 bytes. Optimum performance is achieved when the block size is an even multiple of the bytes read at a time from the input file.

As most devices have 512 byte blocks, any multiple of 512 will improve performance at the expense of using more memory. In the typical scenario (described later in this chapter) where an image is being created from media removed from the subject system, memory footprint is not a concern and a block size of 4 kilobytes or more can safely be used. Block sizes may be entered directly in bytes, or as multiples of 512 bytes, kilobytes (1024 bytes), or megabytes (1024 * 1024 bytes) using the suffixes b, k, and M, respectively. For example, a 4 kilobyte block size can be written as 4096, 8b, or 4k.

There is one last thing I should mention before moving on to another tool. What happens when there is an error? The default behavior is for dd to fail, stopping at the error. This can be changed by adding the option conv=noerror,sync to the dd command. When a read error occurs, the unreadable bytes are written to the output as zeros so that the offsets in the output file stay aligned with those in the input file.
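The imaging and error-handling options above, as an added example that is not code from the book: a small set of shell functions that image a source with dd using conv=noerror,sync, then verify the image, including the one caveat conv=sync introduces (the final partial block is padded with zeros, so the image can be larger than the source). Device and image paths are hypothetical; the helper names are my own.

```bash
#!/usr/bin/env bash
# Added example, not code from the book: image a device with the dd options
# discussed above, then verify the copy. Paths are hypothetical; any regular
# file can stand in for the device (a constructed one is used when testing).

# Convert a dd-style block size (4096, 8b, 4k, 1M) to a byte count.
bs_bytes() {
    case "$1" in
        *b)    echo $(( ${1%b} * 512 )) ;;
        *k|*K) echo $(( ${1%[kK]} * 1024 )) ;;
        *M)    echo $(( ${1%M} * 1024 * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# Size in bytes (reads the whole input; fine for files and removed media).
file_size() { echo $(( $(wc -c < "$1") )); }

# SHA-256 of stdin, using shasum where sha256sum is not installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        cut -d' ' -f1
}

# image_device SRC DEST BS: raw copy; conv=noerror,sync zero-fills unreadable
# blocks instead of aborting. dd's record counts and errors go to DEST.log.
image_device() {
    dd if="$1" of="$2" bs="$3" conv=noerror,sync 2>"$2.log"
}

# verify_image SRC DEST BS: conv=sync pads the final partial block with zeros,
# so the image may be larger than the source. Check that the image size is the
# source size rounded up to a whole block, that the first SRC-size bytes hash
# identically to the source, and that any padding is all zeros.
verify_image() {
    local src="$1" dest="$2" bs src_size dest_size expected
    bs=$(bs_bytes "$3")
    src_size=$(file_size "$src"); dest_size=$(file_size "$dest")
    expected=$(( (src_size + bs - 1) / bs * bs ))
    [ "$dest_size" -eq "$expected" ] || { echo "size mismatch" >&2; return 1; }
    [ "$(sha256_of < "$src")" = "$(head -c "$src_size" "$dest" | sha256_of)" ] ||
        { echo "hash mismatch" >&2; return 1; }
    [ "$dest_size" -eq "$src_size" ] ||
        [ "$(( $(tail -c $(( dest_size - src_size )) "$dest" | tr -d '\000' | wc -c) ))" -eq 0 ]
}

# Usage: image_device /dev/sdb evidence.img 4k && verify_image /dev/sdb evidence.img 4k
```

On a real block device, blockdev --getsize64 gives the size without re-reading the whole drive; file_size is kept portable here at the cost of a second pass.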
