dd

Unix utility for low-level byte copy — used to make raw forensic disk images.

Description

dd is the Unix byte-stream copy utility, traditionally the first tool taught for forensic acquisition on Linux. Variants like dcfldd (DoD Computer Forensics Lab) and dc3dd add hashing and progress reporting for forensic use.

Important flags:

  • if= input file, of= output file.
  • bs= block size (often 4M for speed).
  • conv=noerror,sync continues on read errors and pads with zeros to preserve offsets.
  • status=progress (GNU coreutils) shows live throughput.

Use cases

  • Imaging a Linux server's disk before reformat
  • Cloning USB evidence in a controlled lab
  • Wiping (with if=/dev/zero or /dev/urandom) — be careful!

Example

sudo dd if=/dev/sda of=/mnt/evidence/sda.img bs=4M \
        conv=noerror,sync status=progress
sha256sum /mnt/evidence/sda.img > /mnt/evidence/sda.img.sha256
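The following script is an added example, not part of the original page: it runs the acquisition from the example above against a constructed sample file rather than a block device (so it is safe to run anywhere), records the image hash, and then verifies the image against the source. The function names (acquire_image, verify_image, image_size, sha256_stdin) are this example's own. status=progress is left out because it is GNU-only. The verification step also shows a caveat of conv=sync: it zero-pads the final partial block, so an image of a source whose size is not a multiple of bs= is larger than the source, and a plain hash of the whole image will not equal a hash of the source.

```shell
#!/bin/sh
# Added example, not from the original page: image a constructed source
# file with the page's flags (status=progress left out; it is GNU-only),
# hash the image, then verify it against the source.
set -eu

# Print the SHA-256 hex digest of stdin, using sha256sum or shasum -a 256.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum
    else
        shasum -a 256
    fi | awk '{print $1}'
}

# acquire_image SRC DST BS: raw copy SRC to DST with conv=noerror,sync and
# record the image hash next to it in DST.sha256.
acquire_image() {
    dd if="$1" of="$2" bs="$3" conv=noerror,sync 2>/dev/null
    sha256_stdin < "$2" > "$2.sha256"
}

# image_size FILE: size in bytes, whitespace stripped (BSD wc pads it).
image_size() {
    wc -c < "$1" | tr -d ' '
}

# verify_image SRC DST: conv=sync zero-pads the final partial block, so
# compare SRC against only the first size(SRC) bytes of DST.
# Returns 0 on match, 1 on mismatch.
verify_image() {
    src_size=$(image_size "$1")
    src_hash=$(sha256_stdin < "$1")
    img_hash=$(head -c "$src_size" "$2" | sha256_stdin)
    if [ "$src_hash" = "$img_hash" ]; then
        echo "match: $img_hash"
        return 0
    fi
    echo "MISMATCH: source $src_hash image $img_hash" >&2
    return 1
}

# Demo on constructed data: 1000 bytes of filler imaged with 512-byte
# blocks, so dd pads the image to 1024 bytes.
demo() {
    tmp=$(mktemp -d)
    yes 'constructed sample sector data' | head -c 1000 > "$tmp/src.bin"
    acquire_image "$tmp/src.bin" "$tmp/src.img" 512
    echo "image size: $(image_size "$tmp/src.img") bytes (source: 1000)"
    verify_image "$tmp/src.bin" "$tmp/src.img"
    rm -rf "$tmp"
}
demo
```

On a real acquisition the same padding applies: compare the image hash against a hash of the device taken over the same byte range, or choose bs= so that it divides the device size, and keep the .sha256 file with the image so the chain of custody can be checked later.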