-
Report on DD
The National Institute of Justice conducted a report in 2004 to display the accuracy of the tool dd on FreeBSD (it's really the tool that matters, not the OS) for imaging disks and partitions.
It's a good report, and it essentially illustrates one thing: STOP wasting money on costly forensics bit-stream copy programs!
http://www.ncjrs.org/pdffiles1/nij/203095.pdf
-
Wow, great read hogfly...they definitely tested the crap out of dd!
-
Thanks for the find, good read!!
I use dd for backups of whole partitions and even disks.
Really easy, and you can also do some very cool tricks with it!!
-
So how does one make a copy of a hard drive to examine using dd and netcat in Windows? I don't find the help file helpful in this:
Usage: dd [OPTION]...
Copy a file, converting and formatting according to the options.
bs=BYTES force ibs=BYTES and obs=BYTES
cbs=BYTES convert BYTES bytes at a time
conv=KEYWORDS convert the file as per the comma separated keyword list
count=BLOCKS copy only BLOCKS input blocks
ibs=BYTES read BYTES bytes at a time
if=FILE read from FILE instead of stdin
obs=BYTES write BYTES bytes at a time
of=FILE write to FILE instead of stdout, don't truncate file
seek=BLOCKS skip BLOCKS obs-sized blocks at start of output
skip=BLOCKS skip BLOCKS ibs-sized blocks at start of input
--help display this help and exit
--version output version information and exit
BYTES may be suffixed: by xM for multiplication by M, by c for x1,
by w for x2, by b for x512, by k for x1024. Each KEYWORD may be:
ascii from EBCDIC to ASCII
ebcdic from ASCII to EBCDIC
ibm from ASCII to alternated EBCDIC
block pad newline-terminated records with spaces to cbs-size
unblock replace trailing spaces in cbs-size records with newline
lcase change upper case to lower case
ucase change lower case to upper case
swab swap every pair of input bytes
noerror continue after read errors
sync pad every input block with NULs to ibs-size
I notice in Helix there is a front end for dd listed; is this any more intuitive?
-
Last year, we got a course in which we had to construct an automated backup solution that was more flexible than products like Norton Ghost. We used a combination that was based on dd and UDP Cast. It was easy to set up, and the learning curve was minimal. And just as nice: it was plain fun to play with.
-
Quote:
Originally posted here by Tedob1
So how does one make a copy of a hard drive to examine using dd and netcat in Windows? I don't find the help file helpful in this:
[dd usage output snipped; see the post above]
I notice in Helix there is a front end for dd listed; is this any more intuitive?
Tedob.
Grab is MUCH more intuitive because all you need to do is set the source drive (note I said drive, NOT partition), set the destination /path/to/dd_file.img, make sure you have md5 configured, and let it rip. Hmmm, I should write a quick how-to for that.. but ugh, I've been swamped lately. It also has dcfldd, which is the gov's version of dd that md5's as it copies rather than at the end, which is faster.
FYI
While on a Windows box, pop in the Helix CD and, if you have autoplay turned on, it will bring up a GUI that will dd your disk to a machine that has a netcat listener running. Helix is not just a live CD, it's also a Windows incident response toolkit :D
With dd on Windows, you need to make sure you have dd for Windows.
This is another group of tools that I use...
http://users.erols.com/gmgarner/forensics/
He has examples at the bottom of the page.
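The workflow Tedob1 asked about and hogfly sketched (dd the whole drive, hash as you go, optionally push it over netcat to a collector) as an added example; this is not code from the thread, from Helix or from the gmgarner tools. The "drive" is a constructed 1 MiB file so the script runs offline; the device path, the evidence path and the 192.0.2.10 collector address in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread: image a "drive" with dd,
# then verify the image with md5sum. The sample drive is a constructed file;
# on a real case SRC is the whole device (e.g. /dev/sda or, with dd for
# Windows, \\.\PhysicalDrive0), never a mounted partition, and the image goes
# to a separate evidence disk.
set -u

# Build a constructed 1 MiB "drive" with a recognisable string at sector 3.
make_sample_drive() {
    f="$1"
    dd if=/dev/zero of="$f" bs=1024 count=1024 2>/dev/null
    printf 'EVIDENCE: constructed sample sector data\n' |
        dd of="$f" bs=512 seek=3 conv=notrunc 2>/dev/null
}

# Acquire SRC into IMG. conv=noerror keeps going past unreadable sectors and
# conv=sync pads each short read with NULs so every offset in the image still
# lines up with the device. Caveat: sync also pads the final block if the
# device size is not a multiple of bs, so pick a bs that divides the device
# size (512 always does; 64k only if the sector count is a multiple of 128).
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=64k conv=noerror,sync 2>/dev/null
}

# Hash source and image after the copy (what Grab/dcfldd do for you) and
# return 0 only if the two digests match.
verify_image() {
    src="$1"; img="$2"
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    img_md5=$(md5sum "$img" | cut -d' ' -f1)
    echo "source $src_md5"
    echo "image  $img_md5"
    [ "$src_md5" = "$img_md5" ]
}

# Size check: catches the conv=sync padding case described above.
image_size_matches() {
    [ "$(wc -c < "$1")" -eq "$(wc -c < "$2")" ]
}

# The same acquisition over the network, as the Helix GUI sets up for you.
# On the collector (assumed address 192.0.2.10), start the listener first:
#   nc -l -p 9000 | dd of=/evidence/case1.dd bs=64k
# On the suspect box (dd for Windows or the Helix CD tools):
#   dd if=\\.\PhysicalDrive0 bs=64k conv=noerror,sync | nc 192.0.2.10 9000
# Then md5sum the image on the collector and compare it with a hash taken
# of the device, exactly as verify_image does locally.

if [ "${1:-}" = "demo" ]; then
    make_sample_drive /tmp/sample_drive.bin
    acquire_image /tmp/sample_drive.bin /tmp/sample_drive.dd
    image_size_matches /tmp/sample_drive.bin /tmp/sample_drive.dd && echo "sizes match"
    verify_image /tmp/sample_drive.bin /tmp/sample_drive.dd && echo "hashes match"
fi
```

Run it with `sh acquire.sh demo` to see the two digests agree. The size check matters more than it looks: a hash mismatch after a conv=sync copy is usually the padded last block rather than a bad copy, and the size comparison tells the two apart.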