DD for DFIR

< 1 min read

Creating a forensic image of a disk or partition:

sudo dd if=/dev/sda of=/path/to/output/image bs=4M

This command will create a forensic image of the entire /dev/sda disk, using a block size of 4 megabytes. The resulting image can be analyzed for evidence.

Extracting a raw image of a specific partition:

sudo dd if=/dev/sda2 of=/path/to/output/image bs=4M

This command will create a forensic image of the /dev/sda2 partition, using a block size of 4 megabytes.

Extracting a raw image of a specific file:

sudo dd if=/path/to/input/file of=/path/to/output/image bs=4M

This command will create a forensic image of the file at /path/to/input/file, using a block size of 4 megabytes. This can be useful for extracting a specific file from a disk image.

Extracting a raw image of a specific sector range:

sudo dd if=/dev/sda of=/path/to/output/image bs=512 count=100 skip=300

What are your Feelings

Have ideas, how to improve content? Please contact me!

Updated on January 10, 2023

Digital forensics

Windows forensics

Linux forensics

Incident response

DD for DFIR

What are your Feelings

Leave a Reply Cancel reply

What are your Feelings

Share This Article :

Have ideas, how to improve content? Please contact me!

Leave a Reply Cancel reply