dd

Most comprehensive documentation and example sheet for one of the most useful Linux/UNIX commands, "dd". It is a bitstream duplicator for copying data, but it can also use input or output pipes to another command. I maintain this thread, so if you have a question, post it. I know most things about dd.

Tutorial

The basic command is structured as follows:

    dd if= of= bs= skip= seek= conv=

bs= is "usually" some power of 2, not less than 512 bytes (i.e. 512, 1024, 2048, 4096, 8192, 16384), but it can be any reasonable number. The source (if=) is the data being read. The target (of=) is where the data gets written. If you mess up and accidentally reverse the source and target, you can wipe out a lot of data.

Examples:

Copy one hard disk partition to another hard disk:

    dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror

sda2 and sdb2 are partitions. You want to copy sda2 to sdb2. If sdb2 doesn't exist, dd will start at the beginning of the disk and create it. Be careful with the order of if and of. You can write a blank disk over a good disk if you get confused.

The only difference between a big partition and a small partition, besides size, is the partition table. If you are copying sda to sdb, an entire drive with a single partition, with sdb smaller than sda, then you have to do:

    dd if=/dev/sda skip=1 of=/dev/sdb seek=1 bs=4k conv=noerror

skip= skips that many input blocks at the beginning of the input media (sda). seek= skips over that many blocks on the output media (sdb) before writing. By doing this, you leave the first 4k bytes on each drive untouched. You don't want to tell a drive it is bigger than it really is by writing a partition table from a larger drive to a smaller drive. The first 63 sectors of a drive are empty, except sector 1, the MBR.

Now, if you are copying sda3 to sda2, this is different. What you want to do is this:

    dd if=/dev/sda3 of=/dev/sda2 bs=4096 conv=noerror

Do not use the conv=notrunc option.
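As an added example (not from the original post), here is a small shell guard around the partition and disk clone commands above: it refuses to run dd when source and target are the same object, when the target currently holds a mounted filesystem, or when the target is smaller than the source, and afterwards reads both back with cmp to confirm the copy. It assumes GNU coreutils (readlink -f, cmp -n) and util-linux blockdev for block devices; on regular files it works as a dry run.

```shell
#!/bin/sh
# Added example, not from the original post: guard the clone before dd runs.
# Refuses a swapped if=/of= (same device), a mounted target, or a target
# smaller than the source, then verifies the copy by reading both back.
# Assumes GNU coreutils (readlink -f, cmp -n) and util-linux blockdev.

# Size in bytes of a block device or a regular file.
dev_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Returns 0 when the clone is safe to attempt, otherwise:
#   1 source and target are the same object
#   2 target currently holds a mounted filesystem
#   3 target is smaller than the source
clone_precheck() {
    src=$1; dst=$2
    [ "$(readlink -f "$src")" != "$(readlink -f "$dst")" ] || return 1
    grep -qs "^$dst " /proc/mounts && return 2
    [ "$(dev_size "$src")" -le "$(dev_size "$dst")" ] || return 3
    return 0
}

# Run the precheck, clone with the post's options, then compare every
# byte of the source against the target. Non-zero status means "not cloned".
safe_clone() {
    clone_precheck "$1" "$2" || return $?
    dd if="$1" of="$2" bs=4096 conv=notrunc,noerror 2>/dev/null || return 4
    cmp -n "$(dev_size "$1")" "$1" "$2" >/dev/null || return 5
}
```

Call it as `safe_clone /dev/sda2 /dev/sdb2` and check the exit status before trusting the copy.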
Without notrunc, multiple blocks of zeros get abbreviated with a string of asterisks, saving a lot of space. If you use notrunc, all the zeros will be written out. On a smaller partition you want to save room. If you write out all the zeros, the smaller partition won't be big enough.

Make an ISO image of a CD:

    dd if=/dev/hdc of=/home/sam/mycd.iso bs=2048 conv=notrunc

This copies sector for sector. The result will be a hard disk image file of the CD. You can use "chmod a+rwx mycd.iso" to make the image writable. You can mount the image with "mkdir /mnt/mycd" and this line in fstab:

    /home/sam/mycd.iso /mnt/mycd iso9660 rw,user,noauto 0 0

Save fstab, then "mount -o loop /mnt/mycd". The file system will then be viewable as files and directories in the directory /mnt/mycd. You can edit the image as you wish, and the new file will be "/home/sam/mycd.iso". dd does not write to CDs.

Copy a floppy disk:

    dd if=/dev/fd0 of=/home/sam/floppy.image bs=2x80x18b conv=notrunc

or

    dd if=/dev/fd0 of=/home/sam/floppy.image conv=notrunc

The 18b specifies 18 sectors of 512 bytes, the 2x multiplies the sector size by the number of heads, and the 80x is for the cylinders, a total of 1474560 bytes. This issues a single 1474560-byte read request to /dev/fd0 and a single 1474560-byte write request to /home/sam/floppy.image. This makes a hard drive image of the floppy, with bootable info intact. The second example uses the default bs= of 512, which is the sector size of a floppy.

If you're concerned about spies with superconducting quantum-interference detectors, you can always add a "for" loop for government-level secure disk erasure. Copy and paste the following two lines into a text editor:

    #!/bin/bash
    for n in `seq 7`; do dd if=/dev/urandom of=/dev/sda bs=8b conv=notrunc; done

Now you have a shell script for seven passes of random characters over the whole disk. Do "chmod a+x" on it to make it executable.
To make a bootable USB thumb drive: download the 50 MB Debian-based distro here: http://sourceforge.net/projects/insert/ Plug the thumb drive into a USB port. Type:

    dmesg | tail

Look where the new drive is, sdb or something similar. Do:

    dd if=/home/sam/insert.iso of=/dev/sdb ibs=4b obs=1b conv=notrunc,noerror

Now set the BIOS to USB boot, plug in the thumb drive, and boot the machine.

To format a series of floppies: take one empty, never-been-used, formatted floppy, and:

    dd if=/dev/fd0 of=/home/sam/floppy.bin

This makes a hard disk image of a new formatted floppy. Then load one of the floppies you want to format into the floppy drive, and:

    dd if=/home/sam/floppy.bin of=/dev/fd0

This floppy will end up exactly like the never-been-used floppy you started with.

To make a trusted DOS boot floppy: get DR DOS 7 from http://www.bootdisk.com You have to use Windows to make the boot disk. Copy the new boot disk:

    dd if=/dev/fd0 of=/home/sam/floppy.bin

Open the image in a hex editor and change all references of "DRIVESPACE" to "XXXX.XXXXX" and "DOUBLESPACE" to "XXXXX.XXXXX". Change all references of "C:" to "A:". This is now a trusted boot floppy. Trusted boot floppies are used to ensure no writes are made to the hard drive on a floppy boot.

Copy a hard drive image of a floppy to a floppy:

    dd if=/home/sam/floppy.image of=/dev/fd0 bs=2x80x18b conv=notrunc

Copy just the MBR and boot sector of a floppy to a hard drive image:

    dd if=/dev/fd0 of=/home/sam/MBRboot.image bs=512 count=2

This copies the first 2 sectors of the floppy.

Fix a floppy hacked by a DRM trojan. Insert the floppy and:

    dd if=/dev/zero of=/dev/fd0 bs=512 count=2 conv=notrunc
    dd if=/home/sam/floppy.image of=/dev/fd0 conv=notrunc,noerror

(/dev/zero supplies the nulls; reading from /dev/null yields no bytes at all, so nothing would be written.) Normally, writing nulls to the first two sectors of a floppy renders the floppy totally unusable. It cannot even be formatted after that. Thanks to the image of the new, unused floppy, floppy.image, you can write the first two sectors back properly.
Cloning an entire hard disk:

    dd if=/dev/sda of=/dev/sdb conv=notrunc,noerror

In this example, sda is the source and sdb is the target. Do not reverse the intended source and target. Surprisingly many people do. notrunc means to not abbreviate multiple blocks of zeros with a string of asterisks. noerror means to keep going if there is an error. Normally dd stops at any error.

Copy the MBR only of a hard drive:

    dd if=/dev/sda of=/home/sam/MBR.image bs=446 count=1

This will copy the first 446 bytes of the hard drive to a file. If you haven't already guessed, reversing the objects of if and of in the dd command line reverses the direction of the write.

Wipe a hard drive of all data (you would want to boot from a CD to do this). http://www.efense.com/helix is a good boot CD. The Helix boot environment contains the DoD version of dd, called dcfldd. It works the same way, but it has a progress bar.

    dcfldd if=/dev/zero of=/dev/sda conv=notrunc

This is useful for getting rid of viruses, DRM trojans and the like.

Overwrite all the free space on a partition (deleted files you don't want recovered):

    dd if=/dev/random > fileconsumingallfreespace

When dd says no room left on device, all the free space has been overwritten with random characters. Then delete the big file with "rm".

To view your virtual memory:

    dd if=/proc/kcore | hexdump -C | less

Use PgUp, PgDn, up arrow, down arrow to navigate in less. Less is my favorite editor. Or, I should say, it would be my favorite editor if it allowed editing.

What filesystems are installed:

    dd if=/proc/filesystems | hexdump -C | less

All loaded modules:

    dd if=/proc/kallsyms | hexdump -C | less

Interrupt table:

    dd if=/proc/interrupts | hexdump -C | less

How many seconds the system has been up:

    dd if=/proc/uptime | hexdump -C | less

Partitions and sizes in KB:

    dd if=/proc/partitions | hexdump -C | less

Memory stats:

    dd if=/proc/meminfo | hexdump -C | less

I put two identical drives in every one of my machines.
Before I do anything which might be disastrous, I do:

    dcfldd if=/dev/sda of=/dev/sdb bs=4096 conv=notrunc,noerror

and copy my present working sda drive system to the sdb drive. If I wreck the installation on sda, I just boot with the Helix CD and

    dcfldd if=/dev/sdb of=/dev/sda bs=4096 conv=notrunc,noerror

and I get everything back exactly the same as before whatever boneheaded thing I was trying to do didn't work. You can really, really learn Linux this way, because you absolutely can't wreck what you have an exact copy of.

To make a file of 100 random bytes:

    dd if=/dev/urandom of=/home/sam/myrandom bs=1 count=100

/dev/random produces only as many random bits as the entropy pool contains. This yields quality randomness for cryptographic keys. If more random bytes are required, the process stops until the entropy pool is refilled (waggling your mouse helps). /dev/urandom does not have this restriction. If the user demands more bits than are currently in the entropy pool, it produces them using a pseudo-random number generator. Here, urandom is the Linux random byte device and myrandom is a file.

Write random data over a file before deleting it. First do an ls -l to find the file size. In this case it is 3769:

    ls -l afile
    -rw------- ... 3769 Nov 2 13:41

    dd if=/dev/urandom of=afile bs=3769 count=1 conv=notrunc

This will write random characters over the entire file.

Copy a disk partition to a file on a different partition. Do not copy a partition to the same partition.

    dd if=/dev/sdb2 of=/home/sam/partition.image bs=4096 conv=notrunc,noerror

This will make a file that is an exact duplicate of the sdb2 partition. You can substitute hdb, sda, hda, or whatever the disk is called. Or:

    dd if=/dev/sdb2 ibs=4096 conv=noerror | gzip > partition.image.gz

This makes a gzipped archive of the entire partition (conv=noerror is a dd option, so it goes before the pipe, not after the redirect). To restore, run the pipe the other way, through gunzip. For bzip2 (slower, smaller), substitute bzip2 and bunzip2, and name the file .bz2.

Restore a disk partition from an image file:
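The "ls -l, then dd if=/dev/urandom bs=<size> count=1 conv=notrunc" step above, as an added example that is not part of the original post: the script reads the file size itself instead of having you type it, feeds exactly that many random bytes through dd, and checks that the file length is unchanged and the old text is gone. It assumes GNU coreutils; the sample file in the test is constructed. Caveat a practitioner should know: this only replaces the blocks the file currently occupies, so journaling or copy-on-write filesystems and SSD wear levelling can leave the old contents elsewhere where dd cannot reach them.

```shell
#!/bin/sh
# Added example, not from the original post: overwrite a file in place with
# random bytes of exactly its own length, then confirm the result.
# Assumes GNU coreutils (head -c, wc -c, grep -F).

# Size of a regular file in bytes (the number ls -l shows).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Overwrite every byte of the file with random data, keeping its length.
# Returns 0 when the file is still exactly 'size' bytes afterwards,
# 1 when the file is missing, 2 when dd failed, 3 when the length changed.
random_overwrite() {
    f=$1
    [ -f "$f" ] || return 1
    size=$(file_size "$f")
    # Feed exactly 'size' bytes, so the write never runs long or short and
    # does not depend on bs=<size> being satisfied by a single read.
    head -c "$size" /dev/urandom | dd of="$f" bs=4096 conv=notrunc 2>/dev/null || return 2
    [ "$(file_size "$f")" -eq "$size" ] || return 3
}

# Does the file still contain a given byte string anywhere?
# 0 = found, 1 = not found. Used to confirm the overwrite took effect.
still_contains() {
    grep -q -F -- "$2" "$1"
}
```

After `random_overwrite afile` returns 0 you can `rm afile`, as the post describes.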
    dd if=/home/sam/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror

This way you can get a bazonga hard drive and partition it so you can back up your root partition. If you mess up your root partition, you just boot from the Helix CD and restore the image.

To convert a file to all uppercase:

    dd if=filename of=filename.upper conv=ucase

(of= must name a different file: dd truncates the output file before it starts reading, so if=filename of=filename would leave you with an empty file.)

Copy RAM memory to a file:

    dd if=/dev/mem of=/home/sam/mem.bin bs=1024

The device /dev/mem is your system memory. You can actually copy any block or character device to a file with dd. Memory capture on a fast system, with bs=1024, takes about 60 seconds. Copying a 120 GB HDD takes about an hour. Copying a CD to hard drive takes about 10 minutes. Copying a floppy to a hard drive takes about 2 minutes.

With dd, your floppy drive images will not change at all. If you have a bootable DOS diskette and you save it to your HDD as an image file, when you restore that image to another floppy it will be bootable.

dd will print to the terminal window if you omit the of= part:

    dd if=/home/sam/myfile

will print the file myfile to the terminal window.

If you are just curious about what might be on your disk drive, or what an MBR looks like, or maybe what is at the very end of your disk:

    dd if=/dev/sda count=1 | hexdump -C

will show you sector 1, or the MBR. There is the beginning of the loader code and the partition table in there. To see the end of the disk you have to know the total number of sectors for the disk, and the disk has to be set up with Maximum Addressable Sector equal to Maximum Native Address. The Helix CD has a utility to set this correctly. In the dd command your skip value will be one less than the MNA of the disk. For a 120 GB Seagate SATA drive:

    dd if=/dev/sda of=/home/sam/myfile skip=234441646

The default bs is 512, so this reads sector for sector and writes the last sector to myfile. Disks, even though there is LBA addressing now, still secretly are read in sectors, cylinders, and heads.
There are 63 sectors per cylinder and 255 heads per cylinder. Then there is a total cylinder count for the disk. You multiply out 512x63x255 = bytes per cylinder, and 63x255 = sectors per cylinder. With 234441647 total sectors and 16065 sectors per cylinder, you get 14593.317584812 cylinders, so there are some trailing sectors which do not make up an entire cylinder. This leaves you with 5102 sectors which cannot be partitioned, because to be in a partition you have to be a whole cylinder. It's like having part of a person. That doesn't really count as a person.

So, what happens to these sectors? They become surplus sectors after the last partition. You can't ordinarily read in there with an operating system. But dd can. It is really a good idea to check for anything writing to surplus sectors. For our Seagate 120 GB drive you subtract the total sectors (234441647) minus the sectors which don't make up a whole cylinder (5102) = 234436545 partitionable sectors.

    dd if=/dev/sda of=/home/sam/myfile skip=234436545

This writes the last 5102 sectors to myfile. Launch midnight commander (mc) to view the file. If there is something in there, you do not need it for anything. In this case you would write over it with random characters:

    dd if=/dev/urandom of=/dev/sda bs=512 seek=234436545

will overwrite the 5102 surplus sectors on our 120 GB Seagate drive.

If you want to check out some random area of the disk:

    dd if=/dev/sda of=/home/sam/myfile bs=4096 skip=2000 count=1000

will give you 8,000 sectors in myfile, after the first 16,000 sectors. You can open that file with a hex editor, edit some of it, and write the edited part back to disk:

    dd if=/home/sam/myfile of=/dev/sda bs=4096 seek=2000 count=1000

So there you got yourself a disk editor. It's not the best, but it works.

You can make a boot floppy with the boot.img file, which is pretty easy to get. You just need a program that will literally start writing at sector 1.

    dd if=boot.img of=/dev/fd0 bs=1440k

This makes a bootable disk you can add stuff to.
If you want to make a partition image on another machine, on the source machine:

    dd if=/dev/hda bs=16065b | netcat targethost-IP 1234

On the target machine:

    netcat -l -p 1234 | dd of=/dev/hdc bs=16065b

Netcat is a program available by default on almost every Linux installation. It is like a Swiss army knife of networking. In the preceding example netcat and dd are piped to one another. One of the functions of the Linux kernel is to make pipes. The pipe character looks like two little lines on top of one another, both vertical. Here is how this command behaves: the byte size is a cylinder; bs=16065b equals one cylinder on an LBA drive. The dd command is piped to netcat, which takes as its arguments the IP address of the target (like 192.168.0.1, or any IP address with an open port) and what port you want to use (1234). Don't hit enter yet. Hit enter on the target machine first, then hit enter on the source machine. This is kind of how Norton Ghost works to image a drive to another machine. Boot both machines with the Helix CD.

Ok, say you want to find out if your girlfriend or wife is cheating on you, having cyber sex, or just basically misbehaving with her computer. Even if the computer is secured with a password, you can boot with the http://www.efense.com/helix CD and search the entire drive partition for text strings:

    dd if=/dev/sda2 bs=16065 | hexdump -C | grep "I really don't love him anymore."

will search the whole drive partition for the text string specified between the quotes (double quotes here, because the string itself contains an apostrophe). Searching an entire disk partition several times can be quite tedious. This particular command string prints the search results to the screen, with the offset where it is located in the partition. dd works in the decimal system. Disk offsets work in hexadecimal. Say you found that text string in your partition at offset 020d0d90. You convert that to decimal with one of the many calculators found in Linux. This is decimal offset 34409872. Dividing by 512 per sector we get 67206.78125.
    dd if=/dev/sda2 bs=16065 skip=2140 count=3 | less

This will print to the screen so you don't accidentally write a file over free disk space, which may hold deleted files you want to search. With this method you search all the deleted files, any chat activity, and emails. It works no matter what security is being employed on the machine. It works with NTFS, ext2, ext3, reiserfs, swap, and FAT partitions.

On a related note, you can write the system memory to a CD. This is useful for documenting memory contents without contaminating the HDD. I recommend using a CD-RW so you can practice a little. This doesn't involve dd, but it's cool.

    cdrecord dev=ATAPI:0,1,0 -raw tsize=700000000 driveropts=burnfree /dev/mem

To find the CD writer:

    cdrecord -scanbus=ATAPI

This method records raw, so you have to do a:

    dd if=/dev/hdd | less

to view the recorded memory. Searching the recorded memory is as above:

    dd if=/dev/hdd | hexdump -C | grep 'string'

where string is any ASCII sequence, a hex sequence (must be separated with a space: '55aa09' searches for the hex string '55aa09'), or one of the following classes:

    '[[:alnum:]]'   any alphanumeric characters
    '[[:alpha:]]'   any alpha character
    '[[:digit:]]'   any numeric character
    '[[:blank:]]'   tabs and spaces
    '[[:lower:]]'   any lower case alpha characters
    '[[:upper:]]'   any uppercase alpha character
    '[[:cntrl:]]'   ASCII characters 000 thru 037, and 177 octal
    '[[:graph:]]'   [:alnum:] and [:punct:]
    '[[:punct:]]'   any punctuation character ` ! ' # $ % ' ( ) * + - . / : ; ? @ [ \ ] ^ _ { | } ~
    '[[:space:]]'   tab, newline, vertical tab, form feed, carriage return, and space
    '[[:xdigit:]]'  any hex digit
    ranges: '[a-d]' = any, or all, of abcd; '[0-9]' = any, or all, of 0123456789

You can back up your MBR:

    dd if=/dev/sda of=mbr.bin count=1

Put this on a floppy you make with:

    dd if=boot.img of=/dev/fd0

along with dd. Boot from the floppy and:

    dd if=mbr.bin of=/dev/sda count=1

will restore the MBR.

I back up all my floppies to HDD.
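The offset arithmetic done by hand in the two passages above (turning a hexdump -C offset such as 020d0d90 into a dd skip= value, and working out the surplus sectors past the last whole cylinder of the 120 GB drive), as an added example that is not part of the original post. The functions are written in POSIX sh with shell arithmetic only; the cylinder size defaults to the 63x255 = 16065 sectors the text uses.

```shell
#!/bin/sh
# Added example, not from the original post: the by-hand arithmetic from
# the text as shell functions. hexdump -C reports hex byte offsets; dd
# wants decimal block counts, so a hit at offset 020d0d90 has to become a
# skip= value. The same idea gives the surplus sectors past the last whole
# cylinder (63 sectors x 255 heads = 16065 sectors per cylinder).

# Decimal value of a hexdump -C offset, e.g. 020d0d90 -> 34409872.
hex_to_dec() {
    printf '%d\n' "0x$1"
}

# For a hex offset and a dd block size, print "skip=N extra=M": N is the
# skip= that lands on the block holding the hit, M is how many bytes into
# that block the hit sits (what the text's 67206.78125 fraction means).
offset_to_skip() {
    off=$(hex_to_dec "$1"); bs=$2
    printf 'skip=%d extra=%d\n' $((off / bs)) $((off % bs))
}

# The dd command line that pulls 'count' blocks starting at that block,
# so you can pipe it to less instead of writing into free space.
extract_cmd() {
    skip=$(( $(hex_to_dec "$2") / $3 ))
    printf 'dd if=%s bs=%d skip=%d count=%d\n' "$1" "$3" "$skip" "$4"
}

# Sectors left over after the last whole cylinder: 234441647 -> 5102.
surplus_sectors() {
    echo $(( $1 % ${2:-16065} ))
}

# First sector of that surplus region, the skip=/seek= to use with bs=512:
# 234441647 -> 234436545.
surplus_start() {
    echo $(( $1 - $1 % ${2:-16065} ))
}
```

Note that the exact block for offset 020d0d90 at bs=16065 is skip=2141; the text's skip=2140 simply starts one cylinder earlier, which the count=3 covers.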
Floppies don't last forever, so I do:

    dd if=/dev/fd0 of=/home/sam/floppies/backup.bin conv=notrunc

If my floppy fails, I can make unlimited copies:

    dd if=/home/sam/floppies/backup.bin of=/dev/fd0 conv=notrunc

Here is a command line to read your BIOS and interfaces:

    dd if=/dev/mem bs=1k skip=768 count=256 2>/dev/null | strings -n 8

There is a variation of dd for rescuing data off defective media, such as a hard drive with some bad sectors. It is called dd_rescue. It is available here: http://www.garloff.de/kurt/linux/ddrescue/

dd will not copy or erase an HPA or host protected area. dd, if used properly, will erase a disk completely, but not as well as using the drive's secure erase (security erase unit) command.