written 6.8 years ago by | modified 6.7 years ago by |
Subject: Digital Forensics
Topic: Initial response and forensic duplication
Difficulty: High
written 6.7 years ago by |
The 'dd' command is one of the original Unix utilities and should be in everyone's tool box. It can strip headers, extract parts of binary files and write into the middle of floppy disks; it is used by the Linux kernel Makefiles to make boot images. It can be used to copy and convert magnetic tape formats, convert between ASCII and EBCDIC, swap bytes, and force to upper and lower case.
For blocked I/O, the dd command has no competition in the standard tool set. One could write a custom utility to do specific I/O or formatting but, as dd is already available almost everywhere, it makes sense to use it. Like most well-behaved commands, dd reads from its standard input and writes to its standard output, unless a command line specification has been given.
This allows dd to be used in pipes, and remotely with the rsh remote shell command. Unlike most commands, dd uses a keyword=value format for its parameters. This was reputedly modeled after IBM System/360 JCL, which had an elaborate DD 'Dataset Definition' specification for I/O devices. A complete listing of all keywords is available from GNU dd with
Syntax: dd [OPERAND]...
        dd OPTION

Operands:
bs=BYTES     read and write BYTES bytes at a time (also see ibs=, obs=)
conv=CONVS   convert the file as per the comma-separated symbol list; each symbol names a specific type of conversion
if=FILE      read from FILE instead of stdin
of=FILE      write to FILE instead of stdout
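The operands above are the ones an initial responder actually types when imaging a drive with dd. The script below is an added example, not part of the original answer: it acquires a constructed evidence file (standing in for a block device, so it runs offline without root) using if=, of=, bs= and conv=noerror,sync, then hashes source and image to verify the copy. The helper names (make_evidence, acquire_image, verify_image, hash_file, byte_size) are hypothetical and written for this example. The second run uses a source one byte longer than a whole block to show the caveat conv=sync introduces: the last block is zero-padded, so the image is larger than the source and the hashes no longer agree.

```shell
#!/bin/sh
# Added example: dd-based forensic duplication on a constructed image file.
# All function names below are hypothetical helpers for this demonstration.
set -eu

# SHA-256 of a file; sha256sum on GNU/busybox, shasum on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Size in bytes, with the leading spaces BSD wc prints stripped.
byte_size() {
    wc -c < "$1" | tr -d ' '
}

# Constructed "evidence": a fixed 16-byte header followed by random bytes.
# $2 is the total size; a size that is not a multiple of bs exercises conv=sync.
make_evidence() {
    out=$1; size=$2
    printf 'CONSTRUCTED-DISK' > "$out"
    head -c $((size - 16)) /dev/urandom >> "$out"
}

# Acquire $1 into $2 and print the image hash.
#   noerror : keep reading past a failed block instead of aborting the image
#   sync    : pad every short or failed read to a full block so offsets in the
#             image line up with offsets on the device
acquire_image() {
    src=$1; dst=$2; bs=${3:-4096}
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>/dev/null
    hash_file "$dst"
}

# Exit 0 when the source and the image hash identically, 1 otherwise.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Demonstration on two constructed sources.
work=$(mktemp -d)

# 1 MiB = exactly 256 blocks of 4096: the image is bit-for-bit identical.
make_evidence "$work/disk0" 1048576
acquire_image "$work/disk0" "$work/disk0.dd" > /dev/null
if verify_image "$work/disk0" "$work/disk0.dd"; then
    echo "disk0: image hash matches source"
fi

# 1 MiB + 1 byte: conv=sync pads the trailing partial block with zeros.
make_evidence "$work/disk1" 1048577
acquire_image "$work/disk1" "$work/disk1.dd" > /dev/null
echo "disk1: source=$(byte_size "$work/disk1") bytes, image=$(byte_size "$work/disk1.dd") bytes"
if ! verify_image "$work/disk1" "$work/disk1.dd"; then
    echo "disk1: hashes differ because of the padded final block (expected)"
fi

rm -rf "$work"
```

On a real device the same invocation is dd if=/dev/sdX of=/mnt/evidence/sdX.dd bs=4096 conv=noerror,sync, run against a write-blocked source, and the hash of the image is recorded alongside the hash of the device itself. Because a real device is a whole number of sectors, padding only appears where a read actually failed; record the dd exit status and the block counts it reports so any such padding is documented. GNU dd's status=progress is convenient but not POSIX, and dd forks built for acquisition (dc3dd, dcfldd) hash the data as it is copied instead of requiring a second pass.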