In the UNIX world, dd is usually used to copy a file. In the forensics world, we can use dd as a disk/evidence imaging tool. There are some other tools usually used to build an evidence image file, such as EnCase or SafeBack, but again, they are too expensive for those of us (especially me) who learn and do forensics independently (and on a limited budget).
I will not explain dd's flag options or how to use them, because I believe you can read about them yourself on the dd manual page. Here I'll explain the main syntax of dd. To copy an evidence disk onto your disk you can use the command below:
dd if=/dev/source of=/dev/destination
if means infile, the evidence disk/tape you're going to clone
of means outfile, the target medium device, the place where the evidence is backed up
Besides copying from a hard drive, dd can also copy from tapes, CD/DVD, etc.
OK, now how can we use dd in the forensics world to image an evidence disk? To show how dd can be used in forensics, I will use an example case.
Let's say we have a 20GB evidence hard drive. Boot a Linux live CD on the evidence PC, and don't forget to prepare one hard disk to be used as the destination, at least 20GB in size (the bigger the better). In this case we are using an 80 GB hard disk.
mount /dev/sda2 /mnt/backupdisk
dd if=/dev/sda1 of=/mnt/backupdisk/evid1
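The two commands above copy the partition but give you no proof afterwards that the image is byte-for-byte identical to the source, which is the question anyone handling the evidence later will ask. The script below is an added example, not part of the original post: it wraps the same dd copy in a function that keeps dd's record counts in a log and hashes both source and image. It assumes GNU coreutils dd and sha256sum, and that the source is read-only to you (on a real case, through a write blocker; the self-demo uses a constructed 1 MiB file as a stand-in for the evidence disk). The conv=noerror,sync flags and bs=512 are this example's choices, explained in the comments.

```sh
#!/bin/sh
# Added example, not from the original post: image a source device (or a raw
# file standing in for one) with dd, record dd's own record counts, and verify
# the image by hashing source and copy. Assumes GNU coreutils dd and sha256sum.
set -u

# Print the SHA-256 digest of a file or block device.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image SOURCE IMAGE
# Hashes both, writes the pair to IMAGE.sha256 for the case notes, and
# returns 0 only when the digests agree.
verify_image() {
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    printf '%s  %s\n' "$src_hash" "$1" >  "$2.sha256"
    printf '%s  %s\n' "$img_hash" "$2" >> "$2.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# image_and_verify SOURCE IMAGE
# bs=512 matches the sector size. conv=noerror keeps reading past bad
# sectors instead of stopping; conv=sync pads each short read to bs with
# zeros so later offsets still line up. Because of that padding, a larger
# bs would also pad the final partial block, and the hash check would fail
# unless the source size is a multiple of bs. dd's "records in/out" summary
# is kept in IMAGE.dd.log; a short (padded) read shows up there as the +N
# partial count on the "records in" line.
image_and_verify() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>"$2.dd.log" || return 1
    verify_image "$1" "$2"
}

if [ $# -eq 2 ]; then
    if image_and_verify "$1" "$2"; then echo "verified: $2"; else echo "MISMATCH: $2"; fi
else
    # Self-demo on a constructed 1 MiB stand-in for an evidence disk.
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/evidence.raw" bs=512 count=2048 2>/dev/null
    if image_and_verify "$tmp/evidence.raw" "$tmp/evid1"; then
        echo "verified: $tmp/evid1"
    else
        echo "MISMATCH: $tmp/evid1"
    fi
    cat "$tmp/evid1.sha256" "$tmp/evid1.dd.log"
fi
```

Run it as `sh image.sh /dev/sda1 /mnt/backupdisk/evid1` to image a real source, or with no arguments for the self-demo. Keep the .sha256 and .dd.log files next to the image; a later verify_image run on the stored image against the recorded source digest is how you show the copy has not changed since acquisition.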
dd if=/dev/st0 ibs=128 of=/mnt/backupdisk/evid1 obs=1 count=1
The above usage will attempt to take 1 block of size 128 from ‘st0’ and create ‘evid1’ as output with a block size of 1. The ‘count’ flag is used so that only 1 block is read; we do this because we want to limit dd to just that one block. If we did not set a count, dd would continue on and a whole lot of time would be wasted! What this example attempts to show is that by setting the input block size to 128 we can effectively find what the real block size is (unless, of course, it is 128!). With 512 as the standard block size, assuming 128 is a virtually failproof way to find the real block size. The output of the above command would most likely be an ‘error’ message (which was our intent) with the real block size revealed (say 1024, for example).
But what if we only have CDs, not a hard disk? How can we copy the whole disk onto CD/DVD? We can still use dd with the flags below to create 4 images of the evidence, each 1GB in size.
dd if=/dev/st0 count=4000000 of=/mnt/backupdisk/evid1
dd if=/dev/st0 count=4000000 skip=4000000 of=/mnt/backupdisk/evid2
dd if=/dev/st0 count=4000000 skip=8000000 of=/mnt/backupdisk/evid3
dd if=/dev/st0 count=4000000 skip=12000000 of=/mnt/backupdisk/evid4
dd if=/dev/st0 count=4000000 skip=16000000 of=/mnt/backupdisk/evid5
Now we have taken the 20GB evidence tape and chopped it into 5 separate 4GB images (4GB being the size of one DVD-R disk). Each image is 4GB in size. Let's look at this example more closely. Notice that the first command takes 4GB (count=4000000) and copies it, naming the copy ‘evid1’. The second command skips the first 4GB (skip=4000000) and then copies the next 4GB (count=4000000), naming this image ‘evid2’. We can now see exactly what the ‘count’ and ‘skip’ flags do.
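Two things are worth checking before chopping a real disk this way: that skip= for chunk N really equals count= times (N-1), and how many bytes a chunk holds, since count= and skip= are measured in input blocks (512 bytes unless bs= or ibs= says otherwise), so count=4000000 at the default block size is 2,048,000,000 bytes. The script below is an added example, not code from the original post: it generalises the five commands above into a loop that writes as many chunks as the source needs, reports the chunk size in bytes, and reassembles the chunks to prove they match the source. It assumes GNU coreutils dd, sha256sum and cmp; the 512-byte block size, the chunk length in blocks and the constructed 10 KiB + 4 byte sample are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original post: split a source into fixed-size
# chunks with dd's skip= and count=, then prove that the chunks reassemble to
# the original. Assumes GNU coreutils dd, sha256sum and cmp. The 512-byte
# block size and the chunk length in blocks are this example's own choices.
set -u
BS=512

# chunk_bytes CHUNK_BLOCKS
# count= and skip= are measured in input blocks, so a chunk holds
# CHUNK_BLOCKS * BS bytes; check this against your target medium first.
chunk_bytes() {
    echo $(( $1 * BS ))
}

# chunk_image SOURCE PREFIX CHUNK_BLOCKS
# Writes PREFIX.1, PREFIX.2, ... of CHUNK_BLOCKS blocks each (the last one
# may be shorter). Chunk N starts at block (N-1)*CHUNK_BLOCKS, which is the
# post's pattern: evid2 uses skip=4000000 after evid1 used count=4000000.
# Prints the number of chunks written.
chunk_image() {
    src=$1; prefix=$2; nblocks=$3
    total=$(wc -c < "$src")
    src_blocks=$(( (total + BS - 1) / BS ))   # round up: a partial last block still counts
    n=0; offset=0
    while [ "$offset" -lt "$src_blocks" ]; do
        n=$((n + 1))
        dd if="$src" of="$prefix.$n" bs=$BS skip=$offset count=$nblocks 2>/dev/null || return 1
        offset=$((offset + nblocks))
    done
    echo "$n"
}

# reassemble PREFIX NCHUNKS OUTPUT
# Concatenates the chunks in order; this is all a restore needs.
reassemble() {
    prefix=$1; n=$2; out=$3
    : > "$out"
    i=1
    while [ "$i" -le "$n" ]; do
        cat "$prefix.$i" >> "$out"
        i=$((i + 1))
    done
}

# Print the SHA-256 digest of a file, for comparing source and rebuilt image.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

if [ $# -eq 0 ]; then
    # Self-demo: a constructed 10 KiB + 4 byte stand-in, chunked 8 blocks (4 KiB) at a time.
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/evidence.raw" bs=$BS count=20 2>/dev/null
    printf 'tail' >> "$tmp/evidence.raw"
    n=$(chunk_image "$tmp/evidence.raw" "$tmp/evid" 8)
    echo "wrote $n chunks of $(chunk_bytes 8) bytes (last one shorter)"
    reassemble "$tmp/evid" "$n" "$tmp/rebuilt"
    if cmp -s "$tmp/evidence.raw" "$tmp/rebuilt"; then echo "reassembled image matches source"; fi
    echo "count=4000000 at bs=$BS is $(chunk_bytes 4000000) bytes per chunk"
fi
```

The self-demo writes three chunks (4096, 4096 and 2052 bytes) from a 10244-byte source: the trailing 4 bytes are a partial block, which dd still copies because count= limits how many blocks are read, not how many full ones. Run hash_of on the source before chunking and on the reassembled file after a restore, and keep both digests with the chunks.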
As you can see, dd is a very resourceful tool for performing physical backups of evidence. It is especially useful when working with large hard disks and/or tapes. The examples above were created to show you different ways you can get dd to work for you. As you become more familiar with it, you will find that you can do more than what I've shown above. You may even find that dd is also quite useful when restoring evidence! I recommend you read more in dd's man pages.