EC-Council: Computer Hacking Forensic Investigator (CHFI-V10)
Module 7 : Linux and Mac Forensics
         
dd command common options




The dd command accepts several options to customize its behavior and achieve specific tasks. Here are some of the most commonly used options:

Operands

bs=BYTES

Read and write BYTES bytes at a time (also see ibs=,obs=).

cbs=BYTES

Convert BYTES bytes at a time.

conv=CONVS

Convert the file as per the comma separated symbol list. Each symbol may be one of the following, and represents a specific type of conversion:
ascii: from EBCDIC to ASCII
ebcdic: from ASCII to EBCDIC
ibm: from ASCII to alternate EBCDIC
block: pad newline-terminated records with spaces to cbs-size
unblock: replace trailing spaces in cbs-size records with newline
lcase: change uppercase to lowercase
nocreat: do not create the output file
excl: fail if the output file already exists
notrunc: do not truncate the output file
ucase: change lowercase to uppercase
swab: swap every pair of input bytes
noerror: continue after read errors
sync: pad every input block with NULLs to ibs-size; when used with block or unblock, pad with spaces rather than NULLs
fdatasync: physically write output file data before finishing
fsync: likewise, but also write metadata.

count=BLOCKS

Copy only BLOCKS input blocks.

ibs=BYTES

Read BYTES bytes at a time (default: 512).

if=FILE

Read from FILE instead of stdin.

iflag=FLAGS

Read as per the comma separated symbol list. Each symbol may be one of the following:
append: append mode (makes sense only for output; conv=notrunc suggested)
direct: use direct I/O for data
directory: fail unless a directory
dsync: use synchronized I/O for data
sync: likewise, but also for metadata
fullblock: accumulate full blocks of input (iflag only)
nonblock: use non-blocking I/O
noatime: do not update access time
noctty: do not assign controlling terminal from file
nofollow: do not follow symlinks.

obs=BYTES

Write BYTES bytes at a time (default: 512).

of=FILE

Write to FILE instead of stdout.

oflag=FLAGS

Write as per the comma separated symbol list.

seek=BLOCKS

Skip BLOCKS obs-sized blocks at start of output.

skip=BLOCKS

Skip BLOCKS ibs-sized blocks at start of input.

status=noxfer

Suppress transfer statistics.

Options

Numerical suffixes

BLOCKS and BYTES may be followed by the following multiplicative suffixes:

c=1
w=2
b=512
kB=1000
K=1024
MB=1000*1000
M=1024*1024
xM=M
GB=1000*1000*1000
G=1024*1024*1024

...and so on for T (terabytes), P (petabytes), E (exabytes), Z (zettabytes), and Y (yottabytes).

Examples:

$ dd if=source.txt of=destination.txt conv=notrunc : This option ensures that the destination file is not truncated during the write process.

$ dd if=/dev/sda1 of=partition_backup.img : This command reads the content of /dev/sda1, the first partition of the disk, and saves it to a file named partition_backup.img.

$ dd if=partition_backup.img of=/dev/sda1 : This command reads the content from the partition_backup.img file and writes it to the /dev/sda1 partition, effectively restoring the partition to its previous state.

$ dd if=/dev/sda of=hard_drive_backup.img : This command reads the entire content of /dev/sda (the entire Linux hard drive) and saves it to a file named hard_drive_backup.img.

$ dd if=/dev/sda of=mbr_backup.img bs=512 count=1 : In this command, if=/dev/sda specifies the disk from which to read the MBR, of=mbr_backup.img specifies the output file to save the backup, bs=512 sets the block size to 512 bytes (the size of the MBR), and count=1 specifies that only one block should be copied.

$ dd if=mbr_backup.img of=/dev/sda bs=512 count=1 : This command reads the content from the mbr_backup.img file and writes it back to the /dev/sda disk, effectively restoring the MBR.

$ dd if=/dev/cdrom of=disk_copy.iso : In this command, /dev/cdrom represents the CD/DVD drive, and disk_copy.iso is the output file where the copied data will be saved.

$ sudo dd if=/dev/sda bs=1M | gzip -c -9 > sda.dd.gz : In this example, we specify that dd should read from the /dev/sda device and adjust the block size to 1M for improved performance. We then pipe the data to the gzip program, utilizing the -c option to output to stdout and the -9 option for maximum compression. Finally, we redirect the output to the "sda.dd.gz" file.

$ dd if=users.txt of=newusers.txt bs=1 skip=100 : In this command, bs=1 sets the block size to one byte (skip counts ibs-sized blocks, 512 bytes by default), so dd skips the first 100 bytes of data in users.txt and writes the remaining content to newusers.txt.

$ sudo dd if=/dev/zero bs=1M of=/dev/sda : With this command, dd reads from the /dev/zero device, which provides null characters, and writes them to the target device until it is completely filled. To fill the device with random data instead, we can read from either the /dev/random or /dev/urandom device.

$ dd if=linux_distro.iso of=/dev/sdX bs=4M status=progress : In this command, linux_distro.iso represents the ISO image of the Linux distribution, /dev/sdX is the USB drive (replace X with the appropriate drive letter), bs=4M sets the block size to 4 megabytes for faster copying, and status=progress displays the progress of the dd command. It will create a bootable USB disk.

$ dd if=source_file of=destination_file status=progress : By using the status=progress option with the dd command, you can display a progress bar that indicates the completion percentage of the ongoing operation. This can be helpful, especially when dealing with large files or lengthy processes.
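
The operands above combined into one acquisition workflow, as an added example that is not part of the original notes: it builds a constructed 1 MiB "disk" file, images it with conv=noerror,sync, verifies the image by SHA-256 and extracts sector 0. The function names, file names and the use of GNU coreutils sha256sum are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): dd acquisition workflow on a
# constructed 1 MiB "disk" file, so nothing touches a real device.
set -eu

# Print only the SHA-256 digest of a file (assumes GNU coreutils sha256sum).
hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Build the constructed evidence: 2048 zeroed 512-byte sectors, then patch the
# two-byte boot signature 0x55 0xAA at byte offset 510 of sector 0.
# seek=510 with bs=1 is a byte offset; conv=notrunc keeps the rest of the file.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Image SRC ($1) to DST ($2). noerror keeps going after a read error and sync
# pads the short block with NULs so later offsets stay aligned. bs=512 matches
# the sector size, so padding never grows an image of a sector-aligned source.
acquire() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Succeed only if source and image have the same SHA-256.
verify() { [ "$(hash_of "$1")" = "$(hash_of "$2")" ]; }

# Hex of the two bytes at offset 510 (skip counts 1-byte blocks because bs=1).
boot_signature() {
    dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Demo run in a scratch directory that is removed on exit.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_sample_disk "$work/disk.img"
acquire "$work/disk.img" "$work/evidence.dd"
dd if="$work/evidence.dd" of="$work/mbr.bin" bs=512 count=1 2>/dev/null
verify "$work/disk.img" "$work/evidence.dd" && echo "image verified"
echo "sector 0 signature: $(boot_signature "$work/mbr.bin")"
```

With conv=sync, a source whose size is not a multiple of bs produces an image padded up to the next full block, so its hash no longer matches the source.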


