Code:
dd if=/dev/fd0 of=/home/sam/floppy.img
Mount /home/sam/floppy.img:
Code:
mkdir /mnt/floppy.img
mount -o loop /home/sam/floppy.img /mnt/floppy.img
Customize the image:
Code:
cd /mnt/floppy.img/
rm
cp /home/sam/bios.bin .
or any other files you want on the CD. But don't exceed the 1.44 MB size of a floppy. Check space left in the mounted image
Code:
df -h
Unmount the floppy image
Code:
cd ..
umount /mnt/floppy.img
Make the .iso CD image file:
Code:
mkisofs -o /home/sam/floppy.img.iso -b /home/sam/floppy.img /home/sam/floppy.img
Burn the iso file to a CD:
Code:
wodim dev=/dev/hdc -sao driveropts=burnfree -dummy /home/sam/floppy.img.iso
This is a dummy burn, with the drive laser off. After you check the dummy run for errors, by looking at the program output, hit the up arrow, delete '-dummy', Enter. If you need a DOS boot floppy image file: http://www.fdos.org/bootdisks/autogen/FDOEM.144.gz .
You want to find out if your girlfriend is cheating on you, having cyber whoopie, or just misbehaving. Even if the computer is secured with a password you can boot with the:
http://www.efense.com/helix
CD and search the entire drive partition for text strings:
Code:
dd if=/dev/sda2 bs=16065 | hexdump -C | grep 'I love you.'
... will search the whole drive partition for the text string specified between the single quotes. Searching an entire disk partition several times can be quite tedious. This particular command string prints the search results to the screen, with the offset where it is located in the partition. Dd works in the decimal system. Hexdump works in hexidecimal. The output text string is at offset 0x020d0d90h. You convert that to decimal with one of the many calculators found in Linux. This is decimal offset: 34,409,872. We want some manageable numbers, custom designed for speed and ease of use. The decimal disk offset is roughly 34 million, so the data we want to view is 34 MB into the partition. We divide 34,409,872 by some power of 2. Experience says 2^13 is about what we want to get a quotient in the thousands. 34,409,872/8192=~4200. The data we want is 8,192 4,200 byte blocks, OR, 4,200 8,192 byte blocks, into the partition. We check: 4200*8192=34406400; 34,409,872-34406400=3472. This means the following command line will start reading 3,472 bytes before the search string location.
Code:
dd if=/dev/sda2 bs=4200 skip=8192 count=2 | hexdump -C > file.txt
... and finish reading approximately 4,200 bytes after the string. This will net you 3.4k of disk contents before the search string, and 4.2k after. That's a 7.6k chunk of disk, plenty for what we're doing. With this method you search all the deleted files, any chat activity, and emails. It works no matter what security is being employed on the machine. It works with NTFS, ext2, ext3, reiserfs, swap, and FAT partitions. But, it is illegal to use this method on a computer you aren't authorized to search. People can be sued, or imprisoned for performing unauthorized searches. On a related note, you can search system memory with this method, by substituting
Code:
/dev/mem
for
Code:
/dev/sda2
.
Write system memory to a CD. This is useful for documenting memory contents without contaminating the HDD. I recommend using a CD-RW so you can practice a little. This doesn't involve dd, but it's cool.
Code:
wodim /dev=/dev/scd0 -raw driveropts=burnfree /dev/mem
to find the cdwriter:
Code:
wodim --devices
This method records raw, so you have to do a:
Code:
dd if=/dev/hdd | hexdump -C | less
to view the recorded memory. You can also employ the string search method above, substituting
Code:
/dev/hdd
for
Code:
/dev/sda2
.
Code:
dd if=/dev/hdd | hexdump -C | grep 'string'
string is any ascii sequence, hex sequence (must be separated with a space: '55
list:
Code:
'[[:alnum:]]' any alphanumeric characters
'[[:alpha:]]' any alpha character
'[[:digit:]]' any numeric character
'[[:blank:]]' tabs and spaces
'[[:lower:]]' any lower case alpha characters
'[[:upper:]]' any uppercase alpha character
'[[:cntrl:]]' ASCII characters 000 thru 037, and 177 octal
'[[:graph:]]' [:alnum:] and [:punct:]
'[[:punct:]]' any punctuation character ` ! ' # $ % ' ( ) * + - . / : ; < = > ? @ [ \ ] ^ _ { | } ~
'[[:space:]]' tab, newline, vertical tab, form feed, carriage return, and space '[[:xdigit:]]' any hex digit ranges('[a-d]' = any, or all abcd, '[0-9]' = any, or all 0123456789)
Code:
dd if=/dev/sda | hexdump -C | grep '[:punct:]' | less
... will return every line from the
Code:
hexdump -C
output that contains any punctuation characters specified above. It will not gather only punctuation characters.
Back up your MBR:
Code:
dd if=/dev/sda of=mbr.bin count=1
Put this on a floppy you make with:
Code:
dd if=boot.img of=/dev/fd0
I back up floppies to a HDD. Floppies don't last forever, so I do:
Code:
dd if=/dev/fd0 of=/home/sam/floppies/backup.bin conv=notrunc
If my floppy fails, I can make unlimited copies:
Code:
dd if=/home/sam/floppies/backup.bin of=/dev/fd0 conv=notrunc
Here is a command line to read your BIOS, and interfaces:
Code:
dd if=/dev/mem bs=1k skip=768 count=256 2>/dev/null | strings -n 8
dd will not duplicate or erase an HPA, OR, host protected area. Dd will erase a disk completely, but not as well as using the hardware secure erase, security erase unit command
Dd need not be black boxed like other inexpensive forensic software:
http://www.cftt.nist.gov/
For a low cost bootable CD based professional ghosting solution, that supports all operating systems and file systems:
http://www.feyrer.de/g4u/
Variation of dd for data rescue off defective media:
http://www.garloff.de/kurt/linux/ddrescue/
Department of Defense implementation of dd:
http://dcfldd.sourceforge.net/
Sdd is useful when input block size is different than output block size, and will succeed in some instances where dd fails:
http://linux.maruhn.com/sec/sdd.html
This is one of the best links I haven't written about dd:
http://www.softpanorama.org/Tools/dd.shtml
Copyright 2008 by AwesomeMachine.
All Rights Reserved.
Public Domain Copyright Material Begins Here:
Note that sending a SIGUSR1 signal to a running 'dd' process makes it
print to standard error the number of records read and written so far,
then to resume copying.
Code:
$ dd if=/dev/zero of=/dev/null& pid=$!
$ kill -USR1 $pid; sleep 1; kill $pid
10899206+0 records in 10899206+0 records out
BLOCKS and BYTES may be followed by the following multiplicative suffixes: c 1, w 2, b 512, kB 1000, K 1024, MB 1000*1000, M 1024*1024, GB 1000*1000*1000, G 1024*1024*1024
So,
Code:
dd if=/dev/sda of=/dev/sdb bs=1GB
Will use one gigabyte block sizes.
bs=4b would give dd a block size of 4 disk sectors. 1 sector=512 bytes.
bs=4k would indicate dd use a 4 kilobyte block size. I have found bs=4k to be the fastest for copying disk drives on a modern machine.
OPERANDS The following operands are supported:
Code:
if=file
Specifies the input path. Standard input is the default.
Code:
of=file
Specifies the output path.
Standard output is the default.
seek=blocks Skip this many blocks in the output file.
Code:
ibs=n
Specifies the input block size in n bytes (default is 512).
Code:
obs=n
Specifies the output block size in n bytes (default is 512).
If no conversion other than
Code:
sync, noerror, and, notrunc
is specified, each input block is copied to the output as a single block without aggregating short blocks.
Code:
cbs=n
Specifies the conversion block size for block and unblock in bytes by n (default is 0). If cbs= is omitted or given a value of 0, using
Code:
block or unblock
produces unspecified results. This option is used only if ASCII or EBCDIC conversion is specified.
Code:
ascii and asciib
operands, the input is handled as described for the unblock operand except that characters are converted to ASCII before the trailing SPACE characters are deleted.
Code:
ebcdic, ebcdicb, ibm, and ibmb
operands, the input is handled as described for the block operand except that the characters are converted to EBCDIC or IBM EBCDIC after the trailing SPACE characters are added.
Code:
files=n
Copies and concatenates n input files before terminating (makes sense only where input is a magnetic tape or similar device).
Code:
skip=n
Skips n input blocks (using the specified input block size) before starting to copy. On seekable files, the implementation reads the blocks or seeks past them. On non-seekable files, the blocks are read and the data is discarded.
Code:
iseek=n
Seeks n blocks from beginning of input file before copying (appropriate for disk files, where skip can be incredibly slow).
Code:
oseek=n
Seeks n blocks from beginning of output file before copying.
Code:
seek=n
Skips n blocks (using the specified output block size) from beginning of output file before copying. On non-seekable files, existing blocks are read and space from the current end-of-file to the specified offset, if any, is filled with null bytes. On seekable files, the implementation seeks to the specified offset or reads the blocks as described for non-seekable files.
Code:
count=n
Copies only n input blocks.
Code:
conv=value
[,value. . . ] Where values are comma-separated symbols from the following list:
Code:
conv=notrunc
Tells dd not to abbreviate blocks of all zero value, or multiple adjacent blocks of zeroes, with five asterisks (when you want to maintain size) Do not use notrunc for copying a larger volume to a smaller volume. Without
Code:
conv=notrunc
Do not truncate the output file.
Code:
ascii
Converts EBCDIC to ASCII.
Code:
asciib
Converts EBCDIC to ASCII using BSD-compatible character translations.
Code:
ebcdic
Converts ASCII to EBCDIC. If converting fixed-length ASCII records without NEWLINEs, sets up a pipeline with
Code:
dd conv=unblock
beforehand.
Code:
ebcdicb
Converts ASCII to EBCDIC using BSD-compatible character translations. If converting fixed-length ASCII records without NEWLINEs, sets up a pipeline with
Code:
dd conv=unblock
beforehand.
Code:
ibm
Slightly different map of ASCII to EBCDIC. If converting fixed-length ASCII records without NEWLINEs, sets up a pipeline with dd
Code:
dd conv=unblock
beforehand.
Code:
ibmb
Slightly different map of ASCII to EBCDIC using BSD-compatible character translations. If converting fixed-length ASCII records without NEWLINEs, sets up a pipeline with
Code:
dd conv=unblock
beforehand. The
Code:
ascii (or asciib), ebcdic (or ebcdicb), and ibm (or ibmb)
values are mutually exclusive. block Treats the input as a sequence of NEWLINE-terminated or EOF-terminated variable-length records independent of the input block boundaries. Each record is converted to a record with a fixed length specified by the conversion block size. Any NEWLINE character is removed from the input line. SPACE characters are appended to lines that are shorter than their conversion block size to fill the block. Lines that are longer than the conversion block size are truncated to the largest number of characters that will fit into that size. The number of truncated lines is reported. unblock Converts fixed-length records to variable length. Reads a number of bytes equal to the conversion block size (or the number of bytes remaining in the input, if less than the conversion block size), delete all trailing SPACE characters, and append a NEWLINE character. The block and unblock values are mutually exclusive.
Code:
lcase
Maps upper-case characters specified by the LC_CTYPE keyword tolower to the corresponding lower-case character. Characters for which no mapping is specified are not modified by this conversion.
Code:
ucase
Maps lower-case characters specified by the LC_CTYPE keyword toupper to the corresponding upper-case character. Characters for which no mapping is specified are not modified by this conversion. The lcase and ucase symbols are mutually exclusive.
Code:
swab
Swaps every pair of input bytes. If the current input record is an odd number of bytes, the last byte in the input record is ignored.
Code:
noerror
Does not stop processing on an input error. When an input error occurs, a diagnostic message is written on standard error, followed by the current input and output block counts in the same format as used at completion. If the
Code:
sync
conversion is specified, the missing input is replaced with null bytes and processed normally. Otherwise, the input block will be omitted from the output. notrunc Does not truncate the output file. Preserves blocks in the output file not explicitly written by this invocation of dd. (See also the preceding
Code:
of=file
operand.)
Code:
sync
Pads every input block to the size of the ibs= buffer, appending null bytes. (If either block or unblock is also specified, appends SPACE characters, rather than null bytes.)
ENVIRONMENT VARIABLES
The following environment variables affect the messages and errors messages of dd:
Code:
LANG
Provide a default value for the internationalisation variables that are unset or null. If
Code:
LANG
is unset or null, the corresponding value from the implementation-dependent default locale will be used. If any of the internationalisation variables contains an invalid setting, the utility will behave as if none of the variables had been defined.
Code:
LC_ALL
If set to a non-empty string value, override the values of all the other internationalisation variables.
Code:
LC_CTYPE
Determine the locale for the interpretation of sequences of bytes of text data as characters (for example, single- as opposed to multi-byte characters in arguments and input files), the classification of characters as upper- or lower-case, and the mapping of characters from one case to the other.
Code:
LC_MESSAGES
Determine the locale that should be used to affect the format and contents of diagnostic messages written to standard error and informative messages written to standard output.
Code:
NLSPATH
Determine the location of message catalogues for the processing of LC_MESSAGES.
Public Domain Copyright Material Ends Here:
Reference: http://www.linuxquestions.org/questions/linux-newbie-8/learn-the-dd-command-362506/