Using dd as a solution for evidence imaging

In the UNIX world dd is usually used to copy a file. In the forensic world we can use dd as a disk / evidence imaging tool. There are other tools commonly used to build an evidence image, such as EnCase or SafeBack, but again, they are too expensive for those of us (me especially) who learn and do forensics independently, on a limited budget.

What is special about dd is that it has flags that make it suitable for copying block-oriented devices such as tapes: it reads and writes the device sequentially, in blocks of a size you choose, rather than as a file system. We will come back to this later. For now, it is enough to note that this is why dd is a powerful tool when acquiring and copying tapes for a case.


I will not go through every dd flag or option, since you can read them yourself on the dd manual page. Here I'll explain the main syntax. To copy an evidence disk to your disk, use the command below:

 dd if=/dev/source of=/dev/destination

Explanation:

if means input file: the evidence disk or tape you are going to clone.

of means output file: the target medium, the place where the copy of the evidence is written. It can be a device, as above, or a regular file (an image file) on a mounted disk, which is what the examples below do.

Getting if and of backwards writes the blank destination over the evidence, and dd will not warn you, so check the device names (for example with fdisk -l or lsblk) before pressing Enter.

Besides hard drives, dd can also copy from tapes, CDs/DVDs and anything else that appears as a device node.

OK, now how do we apply dd in forensics to image an evidence disk? To show how dd is used in forensic work, I will walk through an example case.

Let's say we have a 20 GB evidence hard drive. Boot the evidence PC from a Linux live CD (one that does not automount drives, so nothing on the evidence disk is written; ideally the evidence disk sits behind a hardware write blocker), and prepare a second hard disk as the destination: at least 20 GB, and the bigger the better. In this case we are using an 80 GB hard disk. Assuming the evidence disk shows up as /dev/sda and the destination as /dev/sdb (check with fdisk -l; the names depend on the machine), mount a partition of the destination disk and image the whole evidence disk, not just one partition, so that the partition table and unallocated space are captured as well. conv=noerror,sync makes dd carry on past a bad sector and pad it with zeros instead of aborting, so offsets in the image still match offsets on the disk:

mount /dev/sdb1 /mnt/backupdisk
dd if=/dev/sda of=/mnt/backupdisk/evid1 bs=512 conv=noerror,sync

Now let's say we have an unknown tape to examine. If we are unsure of the block size used on the tape, we can use the ibs flag to probe for it. Finding the correct size speeds up the copying process, sometimes dramatically, because every read then returns a whole tape block.

dd if=/dev/st0 ibs=128 of=/mnt/backupdisk/evid1 obs=1 count=1

This attempts to read one block (count=1) of 128 bytes from st0 and write it to evid1 one byte at a time (obs=1 only sets the write size and is not needed for the probe). The count flag limits dd to a single read; without it dd would carry on through the whole tape and a lot of time would be wasted. The point of choosing 128 is that it is smaller than any block size a tape is likely to use (512 is the usual minimum), so the read is guaranteed not to fit the real block, unless, of course, the block size really is 128. On Linux the st tape driver refuses a read that is smaller than the next block on the tape with ENOMEM, so dd prints something like "dd: error reading '/dev/st0': Cannot allocate memory". That error was our intent, but note that it only tells you the guess was too small; it does not reveal the real size. To get the actual number, repeat the probe with a block size larger than any plausible tape block, say ibs=262144 count=1, and look at the size of the output file: in variable-block mode (mt -f /dev/st0 status shows "Tape block size 0 bytes", the usual default for an unknown tape) one read returns exactly one tape block, so the file length is the block size (1024, for example). Use that value as bs= for the full copy. Remember that /dev/st0 rewinds when it is closed, so each probe starts again at the beginning of the tape; use /dev/nst0 if you need the tape to stay positioned between commands.

But what if we only have CDs/DVDs and no spare hard disk large enough for a single image? How can we copy the whole disk onto CD/DVD? We can still use dd, with the flags below, to cut the evidence into pieces that each fit on one single-layer DVD-R (4.7 GB, i.e. 4,700,000,000 bytes). With 512-byte blocks, count=8000000 gives 8,000,000 x 512 = 4,096,000,000 bytes per piece, and a 20 GB disk is about 39,000,000 such blocks, so five pieces cover it. The pieces still have to be written somewhere before they are burned, so the commands below write them to the mounted backup disk from the example above:

dd if=/dev/sda bs=512 conv=noerror,sync count=8000000 of=/mnt/backupdisk/evid1
dd if=/dev/sda bs=512 conv=noerror,sync count=8000000 skip=8000000 of=/mnt/backupdisk/evid2
dd if=/dev/sda bs=512 conv=noerror,sync count=8000000 skip=16000000 of=/mnt/backupdisk/evid3
dd if=/dev/sda bs=512 conv=noerror,sync count=8000000 skip=24000000 of=/mnt/backupdisk/evid4
dd if=/dev/sda bs=512 conv=noerror,sync count=8000000 skip=32000000 of=/mnt/backupdisk/evid5

Now we have taken the 20 GB evidence disk and chopped it into five separate images, each about 4 GB (the size of one DVD-R disc), except the last, which holds whatever is left (about 3 GB). Let's look at this example more closely. The first command copies the first 8,000,000 blocks and names the copy 'evid1'. The second command skips those 8,000,000 blocks (skip=8000000) and copies the next 8,000,000 (count=8000000), naming the image 'evid2', and so on. We can now see exactly what the 'count' and 'skip' flags do: both are counted in input blocks, that is in units of bs (512 bytes if bs is not given), never in bytes, which is the arithmetic that is easiest to get wrong. Hash each piece, and check that the pieces concatenated in order hash the same as the original device, before burning anything. If the source is a tape rather than a disk, dd cannot seek on it, so for each skip it reads and discards everything before the offset, and the later pieces take progressively longer to produce.
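The two procedures above, whole-device imaging and count/skip chunking, as one added shell script. This is example code written for this edit, not code from the original post; the function names, the use of a regular file as a stand-in for the evidence device, the constructed sample content, and the SHA-256 bookkeeping files (evid.dd.sha256, evid.N.log) are all my assumptions. It runs offline; on a real case SRC would be the evidence device (for instance /dev/sdb behind a write blocker) and the total size would be taken from blockdev --getsize64 rather than wc -c.

```sh
#!/bin/sh
# Added example, not code from the original post: image a source with dd,
# record and compare SHA-256 hashes, and chop the image into DVD-sized
# chunks with count/skip. A regular file stands in for the evidence device
# so the script runs offline; on a real case SRC would be e.g. /dev/sdb
# (assumed name) sitting read-only behind a write blocker.
set -u

# sha256 of a file, or of stdin when called with no argument.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi | cut -d' ' -f1
}

# Size in bytes of a regular file (for a block device use blockdev --getsize64).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Constructed sample "evidence": NBLOCKS blocks of 512 bytes, eight numbered
# 64-byte lines per block, so the content is deterministic and inspectable.
make_sample() {
    awk -v n="$(( $2 * 8 ))" 'BEGIN { for (i = 0; i < n; i++) printf "%-63d\n", i }' > "$1"
}

# image_device SRC DEST [BS]
# conv=noerror,sync keeps dd going on a read error and pads the bad block
# with zeros, so offsets in the image still match offsets on the device.
# BS=512 (one sector) keeps that padding at sector granularity; a larger BS
# is faster but also pads the end of the image when the device size is not
# a multiple of BS, which then shows up as a hash mismatch.
# dd's own summary goes to DEST.log, both hashes to DEST.sha256; returns 0
# only if source and image hash the same.
image_device() {
    src=$1; dest=$2; bs=${3:-512}
    dd if="$src" of="$dest" bs="$bs" conv=noerror,sync 2>"$dest.log" || return 1
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$dest")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$dest" > "$dest.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# split_image SRC PREFIX CHUNK_BYTES [BS] [TOTAL_BYTES]
# Writes PREFIX.1, PREFIX.2, ... each holding CHUNK_BYTES (the last one
# whatever is left), hashing each piece as it is written. count= and skip=
# are in units of BS, not bytes. Prints the number of chunks written.
split_image() {
    src=$1; prefix=$2; chunk=$3; bs=${4:-512}; total=${5:-$(size_of "$1")}
    per_chunk=$(( chunk / bs ))
    n=1; skip=0
    while [ $(( skip * bs )) -lt "$total" ]; do
        dd if="$src" of="$prefix.$n" bs="$bs" skip="$skip" count="$per_chunk" \
            conv=noerror,sync 2>"$prefix.$n.log" || return 1
        hash_of "$prefix.$n" > "$prefix.$n.sha256"
        skip=$(( skip + per_chunk )); n=$(( n + 1 ))
    done
    echo $(( n - 1 ))
}

# verify_split SRC PREFIX N
# Streams the chunks back together in numeric order (never sort PREFIX.*
# lexically: .10 sorts before .2) and checks the joined hash against SRC.
verify_split() {
    src=$1; prefix=$2; n=$3
    joined=$(i=1; while [ "$i" -le "$n" ]; do cat "$prefix.$i"; i=$(( i + 1 )); done | hash_of)
    [ "$joined" = "$(hash_of "$src")" ]
}

# Demo on a constructed 384 KiB sample: run as `sh dd_image.sh demo`.
case "${1-}" in
demo)
    work=$(mktemp -d)
    make_sample "$work/evidence.bin" 768
    image_device "$work/evidence.bin" "$work/evid.dd" && echo "image verified"
    n=$(split_image "$work/evidence.bin" "$work/evid" 163840)
    verify_split "$work/evidence.bin" "$work/evid" "$n" && echo "$n chunks verified"
    rm -rf "$work"
    ;;
esac
```

In the demo the 393,216-byte sample is split with a 163,840-byte chunk size, so the third piece is a short one of 65,536 bytes, the same shape as the fifth DVD piece in the text. The DVD case is the same call with chunk size 4096000000 and the evidence device as SRC.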

As you can see, dd is a very resourceful tool for making physical copies of evidence. It is especially useful when working with large hard disks and/or tapes. The examples above show different ways to make dd work for you. As you become more familiar with it, you will find that you can do more than what I've shown here. You may also find that dd is just as useful when restoring evidence, with the same care about which device is the input and which the output. I recommend reading dd's man page.


About Spentera

We specialize in penetration testing, vulnerability assessment and computer forensics, as well as intrusion analysis and malware analysis. Customers can contact us directly at contact[at]spentera[dot]id, or use the Contact Our Team menu on the sidebar.