DD and Computer Forensics
Examples of Using DD within UNIX to Create Physical Backups
by Thomas Rude, CISSP
next generation forensics
In the most basic sense, the DD command is used for copying in the UNIX environment. For simplicity, we will consider 'copy' to mean 'to duplicate exactly.' The DD command is used in the forensics arena to perform a physical backup of the evidence. DD can be thought of as a tool - in the sense that using it is a means of building an evidence file. There are other tools which can be used when making a physical backup, such as EnCase and SafeBack. However, the intent of this paper is to give some insight on what DD is and how to use it.
What is special about the DD copy command is that it has special flags available to it that make it suitable for copying block-oriented devices, such as tapes. DD is capable of addressing these block devices sequentially. We will discuss this later. But, for now, it is good to note that this is why DD can be a powerful tool when acquiring and copying tapes for cases.
I do not want to describe each and every flag option available to DD ('man dd' shows them all). I do, however, want to detail some key flags that are very useful when copying evidence. Before we can get into these, it is imperative to understand the basic syntax of the DD command:
dd if=/source of=/destination
if = infile, or evidence you are copying (a hard disk, tape, etc.)
source = source of evidence
of = outfile, or copy of evidence
destination = where you want to put the copy
For example, if our acquired evidence is /dev/hda, the following would produce an exact copy with the name of 'case10img1':
dd if=/dev/hda of=/dev/case10img1
Now that we see the basic use of DD we can look at the options which make it very suitable for copying in the UNIX environment.
As mentioned earlier, DD is very useful when copying and/or restoring block-oriented devices, such as tapes. (NOTE: DD is an excellent tool to use when copying hard disks as well. I am stressing the usage with regards to tapes because it has proved quite useful in reducing the amount of time required to copy tapes of large sizes.) There are a few options available when copying tapes (or any device). Of the options available, I have found some more useful than others. These are shown below:
ibs = input block size
obs = output block size
count = number of blocks to copy
skip = number of blocks to skip at start of input
seek = number of blocks to skip at start of output
conv = conversion
Let's say we have a 2GB hard disk seized as evidence. We will use DD to make a complete physical backup of the hard disk:
dd if=/dev/hda of=/dev/case5img1
Now let's say we have an unknown tape to examine. If we are unsure of the block size used on the tape, we could use the ibs/obs flags to find the correct size. Finding the correct size speeds up the copying process - sometimes dramatically!
dd if=/dev/st0 ibs=128 of=/dev/case10img1 obs=1 count=1
The above usage will attempt to read 1 block of 128 bytes from 'st0' and create 'case10img1' as output with a block size of 1. The 'count' flag is used so that only 1 block is read; we want to limit DD to just that single block. If we did not set a count, DD would continue reading the whole tape and a great deal of time would be wasted! What this example attempts to show is that by setting the input block size to 128 we can effectively find what the real block size is (unless, of course, it really is 128!). With 512 as the standard block size, assuming 128 is a virtually failproof way to find the real block size. The output of the above command would most likely be an 'error' message (which was our intent) revealing the real block size (say 1024, for example).
Another example of DD usage is the following. Let's say we have an image which we need to chop up into smaller pieces. Perhaps our backup media is limited to 4 1GB discs and the evidence is 4GB in size. We could use DD with the flags below to create 4 images of the evidence, each 1GB in size.
dd if=/dev/st0 bs=1024 count=1000000 of=/dev/case10img1
dd if=/dev/st0 bs=1024 count=1000000 skip=1000000 of=/dev/case10img2
dd if=/dev/st0 bs=1024 count=1000000 skip=2000000 of=/dev/case10img3
dd if=/dev/st0 bs=1024 count=1000000 skip=3000000 of=/dev/case10img4
Now, we have taken the 4GB evidence tape and chopped it into 4 separate images, each 1GB in size. Let's look at this example more closely. Notice that the first command takes 1GB (count=1000000) and copies it, naming the copy 'case10img1.' The second command skips the first 1GB (skip=1000000) and then copies the next 1GB (count=1000000), naming this image 'case10img2.' We can now see exactly what the 'count' and 'skip' flags do.
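The following script is an added example, not part of the original paper. It performs the same count/skip split on a constructed sample file instead of a tape, then reassembles the pieces and compares a cksum with the source, which is the check an examiner wants before trusting a set of split images. It also makes the block-size arithmetic explicit: each piece is count multiplied by the block size, so bs= and count= must be chosen together (count=1000000 gives roughly 1GB only at bs=1024). The file names, the 4 MiB sample and the corrupt_piece helper (which uses seek= and conv=notrunc to overwrite bytes in place, simulating damaged media) are all constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original paper): split an image with dd
# count/skip, then verify that the pieces reassemble to the original.
# A constructed sample file stands in for the tape or disk device.

WORK=$(mktemp -d)

# make_sample FILE BYTES: create a pseudo-random "evidence" file of BYTES bytes
# (BYTES must be a multiple of 1024 for this helper).
make_sample() {
    dd if=/dev/urandom of="$1" bs=1024 count=$(( $2 / 1024 )) 2>/dev/null
}

# chunk_count TOTAL_BYTES CHUNK_BYTES: number of pieces needed (rounded up).
chunk_count() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# split_image SRC PREFIX CHUNK_BYTES BS: write piece N to PREFIX.N using
# count=<blocks per piece> and skip=<N-1 times blocks per piece>, exactly as
# the paper's four commands do. Prints the number of pieces written.
split_image() {
    src=$1; prefix=$2; chunk=$3; bs=$4
    total=$(wc -c < "$src")
    per=$(( chunk / bs ))            # input blocks per piece = chunk / block size
    n=$(chunk_count "$total" "$chunk")
    i=0
    while [ "$i" -lt "$n" ]; do
        dd if="$src" of="$prefix.$((i + 1))" bs="$bs" count="$per" skip=$(( i * per )) 2>/dev/null
        i=$((i + 1))
    done
    echo "$n"
}

# verify_split SRC PREFIX N: concatenate PREFIX.1 .. PREFIX.N and compare
# cksum (CRC and byte count) with the source. Prints "ok" or "MISMATCH".
verify_split() {
    src=$1; prefix=$2; n=$3
    joined="$prefix.joined"
    : > "$joined"
    i=1
    while [ "$i" -le "$n" ]; do
        cat "$prefix.$i" >> "$joined"
        i=$((i + 1))
    done
    if [ "$(cksum < "$src")" = "$(cksum < "$joined")" ]; then
        echo ok
    else
        echo MISMATCH
    fi
}

# corrupt_piece FILE OFFSET LEN: overwrite LEN bytes at OFFSET with zeros in
# place. seek= positions the output and conv=notrunc keeps the rest of the
# file, so this simulates damaged media for the verification step to catch.
corrupt_piece() {
    dd if=/dev/zero of="$1" bs=1 seek="$2" count="$3" conv=notrunc 2>/dev/null
}

# Demo: a 4 MiB sample split into 1 MiB pieces at a 1024-byte block size.
make_sample "$WORK/evidence.img" $((4 * 1024 * 1024))
N=$(split_image "$WORK/evidence.img" "$WORK/case10img" $((1024 * 1024)) 1024)
echo "pieces written: $N"
echo "verify after split: $(verify_split "$WORK/evidence.img" "$WORK/case10img" "$N")"
corrupt_piece "$WORK/case10img.2" 10 64
echo "verify after damage to piece 2: $(verify_split "$WORK/evidence.img" "$WORK/case10img" "$N")"
```

When the source size is not a multiple of the chunk size, dd simply stops at end of input, so the last piece is shorter; the verification still passes because the concatenation is compared against the full source rather than piece counts alone.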
As you can see, DD is a very resourceful tool to use when performing physical backups of evidence. It is especially useful when working with large hard disks and/or tapes. The examples above were created to show you different ways you can get DD to work for you. As you become more familiar with it, you will find that you can do more than what I've shown above. You may even find out that DD is also quite useful when restoring evidence! I recommend that you create some evidence disks and tapes and play with DD. Read the man page on it and try the different flags. The learning curve is not steep, and the cost (free) can't be beat!