left4code.neocities.org/courses/filesystem_imaging_forensics/dd.html
2025-06-09 15:12:38 -04:00


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="description" content="dd is part of the gnu core utilities. It can be used to create or copy block data from different devices or files.">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="author" content="Left4Code">
<meta name="keywords" content="dd, gnu dd">
<link rel="icon" type="image/x-icon" href="../../favicon/favicon.ico">
<title>Left4Code - (Courses) - {dd}</title>
<link rel="stylesheet" type="text/css" href='../../style.css'>
</head>
<body>
<header>
<span>Left4Code</span>
</header>
<nav>
<div>
<a href="../../index.html">Home</a>
<a href="../../blog.html">Blog</a>
</div>
</nav>
<div class="container">
<section>
<h1 class="blog-header">dd</h1>
<h3>--| Posted: 05-06-25</h3>
<h4 class="blog-header">Table of Contents</h4>
<div id="toc_container">
<hr>
<ul class="toc_list">
<li><a href="#>~(1)">1. Background Information</a></li>
<ul>
<li><a href="#>~{1.1}">1.1 Warnings</a></li>
<li><a href="#>~{1.2}">1.2 Links Used on This Page</a></li>
<li><a href="#>~{1.3}">1.3 How A Hard Disk Drive Works (Optional)</a></li>
</ul>
<li><a href="#>~(2)">2. DD Usage</a></li>
<ul>
<li><a href="#>~{2.1}">2.1 Additional Parameters</a></li>
</ul>
<li><a href="#>~(3)">3. Read-only Mounting of a Drive</a></li>
<ul>
<li><a href="#>~{3.1}">3.1 Warnings for Mounting a Drive as Read-only</a></li>
</ul>
<li><a href="#>~(4)">4. Example of dd Usage with Parameters</a></li>
<li><a href="#>~(5)">5. Using Hashing with dd</a></li>
<li><a href="#>~(6)">6. Conclusion</a></li>
</div>
<hr>
<h4 id=">~(1)" class="blog-header">1. Background Information</h4>
<p>dd is part of the gnu core utilities. It can be used to create or copy block data from different devices or files.</p>
<p>For the purposes of this course, I will show how to copy data from a partition or entire drive to an image file, and how to write random data to an image file.</p>
<h4 id=">~{1.1}" class="blog-header">1.1 Warnings</h4>
<p>Most programs you use on a daily basis can be compared to a car: it has seatbelts, a (hopefully) strong exterior, and, if your car is a bit newer, sensors for road obstructions. This covers programs like Firefox, your GUI calculator, and that fun video game.</p>
<p>dd is not like this; dd is more a motorcycle than a car. It is a small program that prioritizes efficiency and has little to no safety measures: it will happily overwrite whatever you name in of= without asking. Much like a motorcycle, you should learn to use dd in a safe environment where potential damage is minimized, and you should bring a helmet too (an understanding of the commands, a virtual environment, patience).</p>
<details>
<summary id=">~{1.2}" class="blog-header">1.2 Links Used on This Page</summary>
<pre class="preformatted">
<a href="https://en.wikipedia.org/wiki/Hard_disk_drive?lang=en">▶[https://en.wikipedia.org/wiki/Hard_disk_drive?lang=en]</a>
◉───╡ Wikipedia Link for How a Hard Drive Works.
<a href="https://www.gnu.org/software/coreutils/manual/html_node/dd-invocation.html">▶[https://www.gnu.org/software/coreutils/manual/html_node/dd-invocation.html]</a>
◉───╡ dd GNU coreutils manual.
<a href="https://maizure.org/projects/decoded-gnu-coreutils/index.html">▶[https://maizure.org/projects/decoded-gnu-coreutils/index.html]</a>
◉───╡ A project which explains the GNU coreutils functionality from a programmer's perspective (written by MaiZure, my hero.)
<a href="https://youtube.com/channel/UCnjRWRyHTLZo5l7cfq04Uwg">▶[https://youtube.com/channel/UCnjRWRyHTLZo5l7cfq04Uwg]</a>
◉───╡ MaiZure's Youtube Channel.
<a href="https://dfir.ru/2018/07/21/a-live-forensic-distribution-executing-malicious-code-from-a-suspect-drive/">https://dfir.ru/2018/07/21/a-live-forensic-distribution-executing-malicious-code-from-a-suspect-drive/</a>
◉───╡ Maxim Suhanov's PoC for malicious code from a drive being executed in a live forensic distribution.
<a href="https://dfir.ru/2018/07/25/a-live-forensic-distribution-writing-to-a-suspect-drive/">https://dfir.ru/2018/07/25/a-live-forensic-distribution-writing-to-a-suspect-drive/</a>
◉───╡ Maxim Suhanov's Additional implications for the PoC.</pre>
</details>
<hr>
<details>
<summary id=">~{1.3}" class="blog-header">1.3 How A Hard Disk Drive (HDD) Works (Click to Expand)</summary>
<p>An HDD consists of the following major components:</p>
<pre class="preformatted">
1. Platter: Magnetic glass disk responsible for storing binary data in a non-volatile way.
2. Spindle: The part that holds a single platter or multiple platters together and spins them.
3. Actuator: Magnetic motor responsible for controlling the actuator arm and read/write head for precise data operations.
4. Actuator arm: Holds the read/write head.
5. Read/write head: An electromagnet responsible for writing ones and zeros to the platter.</pre>
<p>The hard disk will begin by spinning up to around 5,400 or 7,200 RPM.</p>
<p>Physically on the disk, the platter is divided into sectors, which are the units the disk firmware reads and writes.</p>
<p>When an operating system is installed on the disk, the entire boot process runs from it, and disk IO is from then on managed mainly by the kernel and the file system it mounts, for example NTFS, ext4 or btrfs.</p>
<p>When a program on the operating system needs the disk, the kernel handles the request through system calls, which are the layer of abstraction between user space and the kernel.</p>
<p>Normally, a program calls a wrapper function in the standard C library (glibc, musl), and that function invokes the system call to the kernel.</p>
<p>In the case of dd (I'm not 100% on this, I'm really bad at reading C code I haven't written), the program uses the internal functions iread and iread_fullblock to read data from a file into a buffer, then writes it to the output parameter. The iread function seems to call read(). By default, dd will write in 512-byte blocks.</p>
<p>After doing some searching, I found <a href="https://maizure.org/projects/decoded-gnu-coreutils/index.html">MaiZure's graphical guide for the GNU coreutils</a>. This project has to be one of the most underrated things ever. I cannot thank this person enough for the work they have done here. Just amazing. Seriously, amazing.</p>
<p>It covers all relevant GNU coreutils in a way that is super easy to understand, providing graphical representations of the control flow of the program. MaiZure also outlined all of the functions and literally broke everything down.</p>
<p>MaiZure also has a <a href="https://youtube.com/channel/UCnjRWRyHTLZo5l7cfq04Uwg">Youtube channel</a>. Support and learn!</p>
<p>I guess that serves as my personal thank you to MaiZure since I'm silly and can't figure out how to contact you directly.</p>
</details>
<hr>
<h4 id=">~(2)" class="blog-header">2. DD Usage</h4>
<p>The standard dd usage for most forensic purposes is the following:</p>
<pre class="preformatted">
dd if=&lt;input&gt; of=&lt;output&gt; </pre>
<p>This command will function to copy all bytes from the specified input file to the specified output file. By default, dd will copy 512 bytes of information from the input file to the output file at a time.</p>
<p>The general format for dd follows the old IBM Job Control Language parameters, which is why this may look different from the standard flag-style "<b>-</b>" or "<b>--</b>" system.</p>
<h4 id=">~{2.1}" class="blog-header">2.1 Additional Parameters</h4>
<p>dd parameters are able to manipulate the placement, input, and output of data. </p>
<p>The parameters you would most likely use in a forensic investigation are:</p>
<pre class="preformatted">
'if' (input file) - the file or device dd reads from. Default is stdin.
'of' (output file) - the file or device dd writes to. Default is stdout.
'bs' (block size) - the number of bytes dd reads and writes per block. Default is 512 bytes.
'count' - the number of input blocks of size 'bs' to copy. Without it, dd copies until the end of the input.
conv=noerror (the 'noerror' convention) - dd keeps going after a read error instead of stopping. Pair it with conv=sync, which pads the unreadable block with NULs; otherwise the bad block is dropped and every byte after it lands at the wrong offset in the image.
conv=excl (the 'excl' convention) - if the file named in 'of' already exists, dd refuses to overwrite it.
status=progress (the 'progress' status convention) - shows the progress of longer copying procedures.</pre>
<h4 id=">~(3)" class="blog-header">3. Read-only Mounting of a Drive</h4>
<p>In a forensic situation, you want to make sure you mount the drive in read-only mode. First mark the block device itself read-only:</p>
<pre class="preformatted">
sudo blockdev --setro /dev/&lt;device&gt; </pre>
<p>Then mount the partition read-only, with the ext3/ext4 'noload' option so the kernel does not replay the journal when mounting:</p>
<pre class="preformatted">
sudo mount -o ro,noload /dev/&lt;partition&gt; &lt;mountpoint&gt; </pre>
<p>The device can then only be read from and should, for the most part, not be modified. You can confirm the flag with <b>blockdev --getro /dev/&lt;device&gt;</b>, which prints 1 once the device is read-only.</p>
<h4 id=">~{3.1}" class="blog-header">3.1 Warnings for Mounting a Drive as Read-only</h4>
<p>NOTE: It is quite hard to mark a device 100% read-only during a forensic investigation. As detailed in the readme for a Linux kernel patch for software write blocking, which modifies the block device driver to enforce read-only conditions more strictly, <a href="https://github.com/msuhanov/Linux-write-blocker">the issue is quite complex</a> and there are many ways userland processes, the block device driver or the operating system itself can fight you and modify or clear data.</p>
<p>Using a forensically-focused Linux distribution that supports software write-blocking is a wiser choice than manually patching your kernel on another distribution. Tsurugi Linux supports such a feature natively: it blocks write access and opens drives in read-only mode by default.</p>
<p>Out of curiosity, I was wondering what the difference is between how Tsurugi Linux handles this issue and how the kernel patch handles this issue. So I contacted the Tsurugi Linux developers for some insight. The Project founder of Tsurugi Linux, 'sug4r' informed me of the following:</p>
<pre class="preformatted">
1: Tsurugi Linux uses their own write-blocker system, and originally used the previously linked github patch
2: Tsurugi Linux will build a dirty filesystem for ext4 and check the hash before and after mounting the image.</pre>
<p>This heavily minimizes the chance of writing to the drive, so there should be no problems.</p>
<p>Huge thanks to sug4r for replying to my message, I probably wouldn't have found the answer to my question without it.</p>
<p>If you would like to read the original articles by Maxim Suhanov, which describe malicious code on a suspect hard drive being executed from a forensic live Linux distribution, they are here:</p>
<pre class="preformatted">
<a href="https://dfir.ru/2018/07/21/a-live-forensic-distribution-executing-malicious-code-from-a-suspect-drive/">The initial article</a>
<a href="https://dfir.ru/2018/07/25/a-live-forensic-distribution-writing-to-a-suspect-drive/">Additional article explaining further implications</a></pre>
<p>Maxim has a lot of very interesting blog posts at <a href="https://dfir.ru">dfir.ru</a>. If anything from there interests you, I highly recommend you read it.</p>
<h4 id=">~(4)" class="blog-header">4. Example of dd Usage with Parameters</h4>
<p>Let's start by making a test input file. As the reader, you can make this however you want. Personally, typing some funny stuff into a text file seems like the best way. But for the purposes of using dd, you can generate a file of any chosen size using /dev/random.</p>
<p>The command below generates a 4 KB file using /dev/random as the input and places the output file in the directory you are currently working in. /dev/random is a special virtual device on Linux that produces random data:</p>
<h4>Creates a 4 KB file named "testfile.txt".</h4>
<pre class="preformatted">
dd if=/dev/random of=testfile.txt bs=1024 count=4 </pre>
<p>Upon examining the file, you will notice that its contents are not entirely human-readable ASCII. If you would like a file made up of random ASCII data, use the following command:</p>
<h4>Creates a 4 KB File Named "testfile.txt" Filled only with ASCII Readable Text.</h4>
<pre class="preformatted">
tr -dc '[:alnum:]' &lt;/dev/random | head -c 4096 &gt; testfile.txt </pre>
<p>This command sequence takes input from /dev/random and uses tr to keep only alphanumeric characters, as defined by "[:alnum:]"; head then takes the first 4096 bytes of that output and writes them to testfile.txt. The class is quoted so the shell does not treat "[:alnum:]" as a filename glob.</p>
<p>conv=ucase and conv=lcase (the 'ucase' and 'lcase' conventions) convert data block by block from lower-case to upper-case and vice versa.</p>
<h4>Converts the Content from &lt;testfile_created&gt; to Uppercase.</h4>
<pre class="preformatted">
dd if=&lt;testfile_created&gt; of=&lt;testfile_created&gt;_new.txt conv=ucase </pre>
<p>For forensics, dd can create image files from entire disks or from individual partitions on the system. These image files can then be processed by other forensic tools such as Autopsy or Foremost.</p>
<h4>Puts Contents from /dev/sda Into an Image File Using the noerror and sync Conventions.</h4>
<pre class="preformatted">
sudo dd if=/dev/sda of=sda_image.dd bs=4096 conv=noerror,sync status=progress </pre>
<p>This example makes a complete copy of the entire /dev/sda drive and saves the output to the image file "sda_image.dd". conv=noerror keeps dd going past unreadable sectors, and conv=sync pads each short read with NULs so the image keeps the same size and layout as the drive. Note that with bs=4096 a single unreadable 512-byte sector costs the whole 4096-byte block; a damaged drive is better handled with a smaller bs or with ddrescue.</p>
<p>Additionally, individual partitions can be copied like so:</p>
<h4>Copies Content from /dev/sda1 Partition to Image File.</h4>
<pre class="preformatted">
sudo dd if=/dev/sda1 of=sda1_image.dd bs=4096 status=progress </pre>
<h4 id=">~(5)" class="blog-header">5. Using Hashing with dd</h4>
<p>When you only have the choice to use dd for data acquisition, the method used for hashing is generally as follows:</p>
<h5 id=">()" class="blog-header">1: Take a Hash of the Drive you Intend to Make a Copy of</h5>
<p>If you do not understand what I mean when I use "sha*sum" in the command, please refer to the beginning of the 'sha*sum' page for context.</p>
<pre class="preformatted">
sha*sum /dev/sdX </pre>
<h5 id=">()" class="blog-header">2: Use dd to Copy the Contents of the Drive to an Image File</h5>
<pre class="preformatted">
dd if=/dev/sdX of=&lt;outputfile.dd&gt; </pre>
<h5 id=">()" class="blog-header">3: Calculate the Hash of the Resulting Output File</h5>
<pre class="preformatted">
sha*sum &lt;outputfile.dd&gt; </pre>
<h5 id=">()" class="blog-header">4: Compare the Hash of the /dev/sdX Drive to the &lt;outputfile.dd&gt; file</h5>
<p>You should make sure the hash of the drive and the image file match. If they differ, the usual causes are read errors that conv=noerror skipped and padding added by conv=sync when the drive's size is not a multiple of the bs you chose.</p>
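<p>The four steps above as one script, an added example that is not code from the original page: acquire_and_verify, hash_of and make_test_source are names chosen here, and the script assumes GNU coreutils (dd, sha256sum) and root access when the source is a real block device.</p>

```shell
#!/bin/sh
# Added example, not from the original page: hash the source, image it with dd,
# hash the image, and compare (steps 1-4). Function names are this example's own.
set -u

# Steps 1 and 3: hash a file or block device, printing only the hex digest.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# $1 = source (a block device such as /dev/sdX, or a file standing in for one)
# $2 = path of the image to create
# Returns 0 when the image hash matches the source hash, 1 otherwise.
acquire_and_verify() {
    src="$1"; img="$2"
    src_hash=$(hash_of "$src") || return 1                                     # step 1
    # Step 2. conv=excl refuses to overwrite an existing image; noerror,sync
    # keeps going past read errors and NUL-pads the bad block so later offsets
    # in the image still line up with the source.
    dd if="$src" of="$img" bs=4096 conv=excl,noerror,sync status=none || return 1
    img_hash=$(hash_of "$img") || return 1                                     # step 3
    # Record both digests in sha256sum's own format next to the image.
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]                                              # step 4
}

# Constructed stand-in for /dev/sdX: 2 MiB of random bytes. The size is a
# multiple of bs on purpose; conv=sync pads a short final block, and a padded
# image hashes differently from its source.
make_test_source() {
    dd if=/dev/urandom of="$1" bs=4096 count=512 status=none
}

# Usage: sh acquire.sh /dev/sdX /path/to/image.dd
if [ "$#" -eq 2 ]; then
    acquire_and_verify "$1" "$2" && echo "hashes match" || echo "HASH MISMATCH"
fi
```

The second run against the same image path fails on conv=excl, and a source whose size is not a multiple of 4096 fails the hash comparison because of conv=sync padding; both are deliberate.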
<h4 id=">~(6)" class="blog-header">6. Conclusion</h4>
<p>This concludes the general usage of dd for a forensic application. Additional tooling built on the original dd framework with extended features, such as ddrescue, dcfldd, or dc3dd, will be covered subsequently.</p>
</section>
</div>
</body>
</html>