Chapter 9
Creating Bit-by-Bit or Physical Copies of Storage Devices
Within the world of information security and hacking, one Linux command stands above the rest in its usefulness. The dd command makes a bit-by-bit copy of a file, a filesystem, or even an entire hard drive. Because it reads raw blocks rather than walking the filesystem, the remnants of deleted files that still sit in unallocated space are copied too (yes, it's important to know that your deleted files may be recoverable), making for easy discovery and recovery. That data is not copied by logical copying utilities such as cp, which only see the files the filesystem still lists.
Once a hacker has owned a target system, the dd command lets them copy the entire hard drive or another storage device to their own system. In addition, those whose job it is to catch hackers, namely forensic investigators, will likely use this command to make a physical copy of the hard drive, deleted files and other artifacts included, that may hold evidence against the hacker.
It's important to note that the dd command should not be used for typical day-to-day copying of files and storage devices: with its default 512-byte block size it is very slow, and other commands do the job faster and more efficiently. It is, though, excellent when you need a copy of a storage device that does not depend on the filesystem or other logical structures, such as in a forensic investigation.
The basic syntax for the dd command is as follows:
dd if=inputfile of=outputfile
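A complete run of this syntax, as an added example that is not from the book: a regular file stands in for the source device so it runs without root, the image is made with a larger block size than dd's default, and the copy is verified by hash, which is the check a forensic examiner adds before trusting an image. The file names, the offset and the "SECRET-DELETED-FILE-CONTENT" marker are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the book): image a "device" with dd and verify the copy.
# A regular file stands in for /dev/sdb so this runs without root.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/sdb.img"      # stand-in for the source device (constructed here)
IMG="$WORK/sdb.dd"       # the image we produce

# Build a 4 MiB source with recognisable content at a known offset (constructed
# data) so we can confirm the copy is bit-for-bit rather than file-by-file.
make_source() {
    dd if=/dev/zero of="$SRC" bs=65536 count=64 2>/dev/null   # 4 MiB of zeros
    printf 'SECRET-DELETED-FILE-CONTENT' \
        | dd of="$SRC" bs=1 seek=1048576 conv=notrunc 2>/dev/null
}

# Image the source. bs=65536 is far faster than dd's 512-byte default;
# conv=noerror,sync keeps going past read errors and pads a bad or short block
# with zeros so offsets in the image still line up with the source.
image_device() {
    dd if="$SRC" of="$IMG" bs=65536 conv=noerror,sync 2>/dev/null
}

# Hash source and image; they must match or the image is not trustworthy.
sha() { sha256sum "$1" | cut -d' ' -f1; }

verify_image() {
    [ "$(sha "$SRC")" = "$(sha "$IMG")" ]
}

# Read bytes at an arbitrary offset of the image (where a deleted file's data
# might sit) without going through any filesystem.
recover_at_offset() {
    dd if="$IMG" bs=1 skip=1048576 count=27 2>/dev/null
}

make_source
image_device
verify_image && echo "image verified: $(sha "$IMG")"
echo "bytes at offset 1 MiB: $(recover_at_offset)"
```

One caveat: conv=sync pads the final block with zeros, so if the source size is not a multiple of the block size the image ends up slightly larger than the source and the two hashes will not match. Either hash only the first N bytes of the image, where N is the source size, or drop sync when the source is a healthy device that produces no short reads.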
So, if you wanted to make a physical copy of your flash drive, assuming the flash drive is sdb (we'll discuss this designation more in Chapter 10), you would enter the following:
kali >