Creating a disk image with dd

The dd command is a useful utility that allows someone to easily image a storage unit. You can use this command to backup and restore your flash drive, SD card, etc. It can also be useful for forensic work, e.g if you’re trying to recover deleted files from a flash drive, you can image the drive then work on the image keeping the original safe.


This command if used improperly can result in destruction of data. Be very carefull and double check the command before executing it.


sudo dd -if [Source] -of [Destination]

You can always see the commands documentation with the fallowing command

man dd

Or click the arrow bellow to see a copy of the documentation

[expand title=”dd man page”]

       dd - convert and copy a file

       dd [OPERAND]...
       dd OPTION

       Copy a file, converting and formatting according to the operands.

              read and write up to BYTES bytes at a time

              convert BYTES bytes at a time

              convert the file as per the comma separated symbol list

              copy only N input blocks

              read up to BYTES bytes at a time (default: 512)

              read from FILE instead of stdin

              read as per the comma separated symbol list

              write BYTES bytes at a time (default: 512)

              write to FILE instead of stdout

              write as per the comma separated symbol list

       seek=N skip N obs-sized blocks at start of output

       skip=N skip N ibs-sized blocks at start of input

              The  LEVEL  of information to print to stderr; 'none' suppresses
              everything but error messages,  'noxfer'  suppresses  the  final
              transfer  statistics, 'progress' shows periodic transfer statis-

       N and BYTES may be followed by the following multiplicative suffixes: c
       =1, w =2, b =512, kB =1000, K =1024, MB =1000*1000, M =1024*1024, xM =M
       GB =1000*1000*1000, G =1024*1024*1024, and so on for T, P, E, Z, Y.

       Each CONV symbol may be:

       ascii  from EBCDIC to ASCII

       ebcdic from ASCII to EBCDIC

       ibm    from ASCII to alternate EBCDIC

       block  pad newline-terminated records with spaces to cbs-size

              replace trailing spaces in cbs-size records with newline

       lcase  change upper case to lower case

       ucase  change lower case to upper case

       sparse try to seek rather than write the output for NUL input blocks

       swab   swap every pair of input bytes

       sync   pad every input block with NULs  to  ibs-size;  when  used  with
              block or unblock, pad with spaces rather than NULs

       excl   fail if the output file already exists

              do not create the output file

              do not truncate the output file

              continue after read errors

              physically write output file data before finishing

       fsync  likewise, but also write metadata

       Each FLAG symbol may be:

       append append  mode  (makes  sense  only  for output; conv=notrunc sug-

       direct use direct I/O for data

              fail unless a directory

       dsync  use synchronized I/O for data

       sync   likewise, but also for metadata

              accumulate full blocks of input (iflag only)

              use non-blocking I/O

              do not update access time

              Request to drop cache.  See also oflag=sync

       noctty do not assign controlling terminal from file

              do not follow symlinks

              treat 'count=N' as a byte count (iflag only)

              treat 'skip=N' as a byte count (iflag only)

              treat 'seek=N' as a byte count (oflag only)

       Sending a USR1 signal to a running 'dd' process makes it print I/O sta-
       tistics to standard error and then resume copying.

       Options are:

       --help display this help and exit

              output version information and exit

       Written by Paul Rubin, David MacKenzie, and Stuart Kemp.

       GNU coreutils online help: <>
       Report dd translation bugs to <>

       Copyright  (C) 2016 Free Software Foundation, Inc.  License GPLv3+: GNU
       GPL version 3 or later <>.
       This is free software: you are free  to  change  and  redistribute  it.
       There is NO WARRANTY, to the extent permitted by law.

       Full documentation at: <>
       or available locally via: info '(coreutils) dd invocation'


In this example i will be creating an image of a 32MB SD card (Yes i said 32MB not GB). For the first step we must identify where the SD card is mounted to do this we must list all mounted drives the easiest way is with the following command

sudo fdisk -l

After we have located the drive, all we have to do is run the dd command. BE CAREFUL in this step because if you mix up the source with the destination you will loose all the data in the drive, read twice and execute once. And as you can see bellow the image file has been created.

After imaging the drive if you want to store the image it’s best to compress it especially when its a large file, that way you save valuable space. To compress it use the following command.

zip image01.img

After compressing it you can delete the image file, to do that run the following command.

rm image01.img

And that’s it, we have copied a physical storage device to a file. From here you can do whatever you want with the file without worrying about the original storage media. You can store the file as a backup, you can mount it and run recovery or forensic software or whatever else you need.

Leave a Reply