Creating a disk image with dd
The dd command is a useful utility that makes it easy to image a storage device. You can use it to back up and restore your flash drive, SD card, etc. It can also be useful for forensic work: e.g. if you’re trying to recover deleted files from a flash drive, you can image the drive and then work on the image, keeping the original safe.
WARNING
This command, if used improperly, can result in destruction of data. Be very careful and double-check the command before executing it.
Syntax
sudo dd if=[Source] of=[Destination]
You can always see the command's documentation with the following command:
man dd
A copy of the documentation is reproduced below.

NAME
    dd - convert and copy a file

SYNOPSIS
    dd [OPERAND]...
    dd OPTION

DESCRIPTION
    Copy a file, converting and formatting according to the operands.

    bs=BYTES      read and write up to BYTES bytes at a time
    cbs=BYTES     convert BYTES bytes at a time
    conv=CONVS    convert the file as per the comma separated symbol list
    count=N       copy only N input blocks
    ibs=BYTES     read up to BYTES bytes at a time (default: 512)
    if=FILE       read from FILE instead of stdin
    iflag=FLAGS   read as per the comma separated symbol list
    obs=BYTES     write BYTES bytes at a time (default: 512)
    of=FILE       write to FILE instead of stdout
    oflag=FLAGS   write as per the comma separated symbol list
    seek=N        skip N obs-sized blocks at start of output
    skip=N        skip N ibs-sized blocks at start of input
    status=LEVEL  The LEVEL of information to print to stderr; 'none' suppresses everything but error messages, 'noxfer' suppresses the final transfer statistics, 'progress' shows periodic transfer statistics

    N and BYTES may be followed by the following multiplicative suffixes: c =1, w =2, b =512, kB =1000, K =1024, MB =1000*1000, M =1024*1024, xM =M, GB =1000*1000*1000, G =1024*1024*1024, and so on for T, P, E, Z, Y.

    Each CONV symbol may be:

    ascii      from EBCDIC to ASCII
    ebcdic     from ASCII to EBCDIC
    ibm        from ASCII to alternate EBCDIC
    block      pad newline-terminated records with spaces to cbs-size
    unblock    replace trailing spaces in cbs-size records with newline
    lcase      change upper case to lower case
    ucase      change lower case to upper case
    sparse     try to seek rather than write the output for NUL input blocks
    swab       swap every pair of input bytes
    sync       pad every input block with NULs to ibs-size; when used with block or unblock, pad with spaces rather than NULs
    excl       fail if the output file already exists
    nocreat    do not create the output file
    notrunc    do not truncate the output file
    noerror    continue after read errors
    fdatasync  physically write output file data before finishing
    fsync      likewise, but also write metadata

    Each FLAG symbol may be:

    append       append mode (makes sense only for output; conv=notrunc suggested)
    direct       use direct I/O for data
    directory    fail unless a directory
    dsync        use synchronized I/O for data
    sync         likewise, but also for metadata
    fullblock    accumulate full blocks of input (iflag only)
    nonblock     use non-blocking I/O
    noatime      do not update access time
    nocache      Request to drop cache. See also oflag=sync
    noctty       do not assign controlling terminal from file
    nofollow     do not follow symlinks
    count_bytes  treat 'count=N' as a byte count (iflag only)
    skip_bytes   treat 'skip=N' as a byte count (iflag only)
    seek_bytes   treat 'seek=N' as a byte count (oflag only)

    Sending a USR1 signal to a running 'dd' process makes it print I/O statistics to standard error and then resume copying.

    Options are:

    --help     display this help and exit
    --version  output version information and exit

AUTHOR
    Written by Paul Rubin, David MacKenzie, and Stuart Kemp.

REPORTING BUGS
    GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
    Report dd translation bugs to <http://translationproject.org/team/>

COPYRIGHT
    Copyright (C) 2016 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.

SEE ALSO
    Full documentation at: <http://www.gnu.org/software/coreutils/dd>
    or available locally via: info '(coreutils) dd invocation'
Example
In this example I will be creating an image of a 32MB SD card (yes, I said 32MB, not GB). For the first step we must identify the device the SD card is attached as. To do this we list all the drives; the easiest way is with the following command:
sudo fdisk -l
After we have located the drive, all we have to do is run the dd command. BE CAREFUL in this step, because if you mix up the source with the destination you will lose all the data on the drive. Read twice and execute once. When the command finishes, the image file has been created.
After imaging the drive, if you want to store the image it’s best to compress it, especially when it’s a large file; that way you save valuable space. To compress it use the following command:
zip arch_image.zip image01.img
After compressing it you can delete the image file. To do that, run the following command:
rm image01.img
And that’s it, we have copied a physical storage device to a file. From here you can do whatever you want with the file without worrying about the original storage media. You can store the file as a backup, you can mount it and run recovery or forensic software or whatever else you need.
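The imaging step wrapped with two guards against the source/destination mix-up and a hash check of the result, as an added example that is not part of the original post. The function name `image_and_verify`, the temporary paths and the random-data stand-in for the SD card are assumptions; on a real card the first argument would be the device found with fdisk and the script would run under sudo.

```shell
#!/bin/sh
# Added example; image_and_verify and all paths are hypothetical names.

image_and_verify() {
    src=$1
    dest=$2

    # The destination of an imaging run must be a regular file. Refusing
    # device nodes means a swapped source/destination cannot wipe a drive.
    if [ -b "$dest" ] || [ -c "$dest" ]; then
        echo "refusing: destination $dest is a device" >&2
        return 2
    fi
    [ -r "$src" ] || { echo "cannot read source $src" >&2; return 3; }

    # conv=excl: fail rather than overwrite an existing image.
    # conv=fsync: flush the image to disk before dd exits.
    dd if="$src" of="$dest" bs=1M conv=excl,fsync status=none || return 4

    # Equal digests mean the image is a bit-for-bit copy of the source.
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum < "$dest" | cut -d' ' -f1)
    if [ "$src_sum" != "$img_sum" ]; then
        echo "hash mismatch between $src and $dest" >&2
        return 5
    fi

    # Keep the digest beside the image and drop write permission, so later
    # recovery or forensic work can show the image was not altered.
    printf '%s  %s\n' "$img_sum" "$(basename "$dest")" > "$dest.sha256"
    chmod a-w "$dest"
    echo "$img_sum"
}

# Constructed stand-in for the SD card: 1 MiB of random bytes in a temp dir.
workdir=$(mktemp -d)
dd if=/dev/urandom of="$workdir/fake_card.bin" bs=64K count=16 status=none

digest=$(image_and_verify "$workdir/fake_card.bin" "$workdir/image01.img")
echo "image verified, sha256 $digest"
```

The stored digest can be rechecked at any time with `sha256sum -c image01.img.sha256` from the directory holding the image.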