Chapter 9 Creating Bit-by-Bit or Physical Copies of Storage Devices
Within the world of information security and hacking, one Linux archiving command stands above the rest in its usefulness. The dd command makes a bit-by-bit copy of a file, a filesystem, or even an entire hard drive. Because it copies every block of the device rather than the files the filesystem lists, the blocks belonging to deleted files come along too, as long as nothing has overwritten them yet (yes, it's important to know that your deleted files may be recoverable), making for easy discovery and recovery. Deleted files will not be copied by logical copying utilities such as cp, which only see the files the filesystem still knows about.
Once a hacker has owned a target system, the dd command will allow them to copy the entire hard drive or a storage device to their system. In addition, those people whose job it is to catch hackers, namely forensic investigators, will likely use this command to make a physical copy of the hard drive with deleted files and other artifacts that might be useful for finding evidence against the hacker.
It's critical to note that the dd command should not be used for typical day-to-day copying of files and storage devices: it copies every block whether it holds data or not, and with its default 512-byte block size it is very slow; other commands do the job faster and more efficiently. It is, though, excellent when you need a copy of a storage device that does not depend on the filesystem or other logical structures, such as in a forensic investigation.
The basic syntax for the dd command is as follows:
dd if=inputfile of=outputfile
So, if you wanted to make a physical copy of your flash drive, assuming the flash drive is sdb (we'll discuss this designation more in Chapter 10), you would enter the following:
kali >dd if=/dev/sdb of=/root/flashcopy
1257441+0 records in
1257440+0 records out
7643809280 bytes (7.6 GB) copied, 1220.729 s, 5.2 MB/s
Let's break down this command: dd is your physical "copy" command; if designates your input file, with /dev/sdb representing your flash drive in the /dev directory; of designates your output file; and /root/flashcopy is the file the physical copy is written to. (For a more complete explanation of the Linux system designation of drives within the /dev directory, see Chapter 10.)
Numerous options are available to use with the dd command, and you can do a bit of research on these, but among the most useful are the conv=noerror option and the bs (block size) option. As the name implies, conv=noerror tells dd to continue copying even if read errors are encountered. It is normally paired with sync (conv=noerror,sync), which pads each unreadable block with null bytes so that everything after it lands at the same offset in the copy as on the original device; without sync, a bad block is simply skipped and every later byte shifts. The bs option sets the block size (the number of bytes read/written per operation) of the data being copied. By default, it is 512 bytes, but it can be raised to speed up the process. Typically, this would be set to the sector size of the device, most often 4KB (4,096 bytes); larger values such as bs=1M are faster still and produce the same bytes, since the block size affects only how the copy is read, not its contents. The trade-off is that with conv=noerror,sync a single bad sector costs you a whole block of padding, so on a failing drive keep bs small. With these options, your command would look like this:
kali >dd if=/dev/sdb of=/root/flashcopy bs=4096 conv=noerror,sync
As mentioned, it's worth doing a little more research on your own, but this is a good introduction to the command and its common usages.
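The following script is an added example, not code from the book: it performs the imaging procedure above with the bs and conv=noerror,sync options, verifies the image against the source with SHA-256 (the step a forensic examiner adds so the copy can be shown to be unaltered), and then recovers a "deleted" artifact by searching the raw image bytes without mounting any filesystem. It assumes a regular file stands in for /dev/sdb, with a marker string planted in it as constructed sample data, so it runs without root or a real flash drive; on a real system you would pass /dev/sdb as the source. The file names, the marker string, and its offset are all assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): image a storage device with dd the way a
# forensic examiner would, verify the copy, and pull a deleted-file artifact
# out of the raw image. Assumption: a regular file stands in for /dev/sdb so
# the script runs without root or a real flash drive; on a real system you
# would pass /dev/sdb as the source.
set -eu

make_fake_device() {
    # Constructed sample "device": 1 MiB of zero bytes with a marker string
    # planted at byte offset 524288, standing in for the contents of a file
    # the filesystem has deleted but whose blocks were never overwritten.
    dd if=/dev/zero of="$1" bs=4096 count=256 status=none
    printf 'DELETED-SECRET-ARTIFACT' |
        dd of="$1" bs=1 seek=524288 conv=notrunc status=none
}

image_device() {
    # $1 = source device (or file), $2 = output image file.
    # bs=4096 reads 4 KiB per operation instead of dd's 512-byte default.
    # conv=noerror keeps copying past unreadable blocks; sync pads each such
    # block with NULs so every later byte keeps its original offset.
    dd if="$1" of="$2" bs=4096 conv=noerror,sync status=none
}

verify_image() {
    # Succeeds only when source and image hash identically. Record both
    # hashes alongside the image; that is what proves the copy was not altered.
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$src_hash" = "$img_hash" ]
}

find_artifact() {
    # Prints the byte offset of string $2 inside image $1, found by searching
    # the raw bytes directly; no filesystem is mounted or needed.
    grep -obaF "$2" "$1" | head -n1 | cut -d: -f1
}

# Stand-alone demo: build the fake device, image it, verify, recover the marker.
workdir=$(mktemp -d)
make_fake_device "$workdir/sdb.img"
image_device "$workdir/sdb.img" "$workdir/flashcopy"
verify_image "$workdir/sdb.img" "$workdir/flashcopy" && echo "hashes match"
echo "artifact at offset $(find_artifact "$workdir/flashcopy" DELETED-SECRET-ARTIFACT)"
rm -rf "$workdir"
```

One caveat worth knowing before you compare hashes on a real drive: conv=sync also pads the final block if the device size is not a multiple of bs, so the image can come out slightly longer than the source and the hashes will differ even though every source byte was copied. Either pick a bs that divides the device size (512 always does, since devices are sized in 512-byte sectors) or hash only the first N bytes of the image, where N is the size of the source.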
Summary
Linux has a number of commands to enable you to combine and compress your files for easier transfer. For combining files, tar is the command of choice, and you have at least three utilities for compressing files, gzip, bzip2, and compress, all with different compression ratios. The dd command goes above and beyond. It enables you to make a physical copy of storage devices without the logical structures such as a filesystem, allowing you to recover such artifacts as deleted files.