SBM Labs

Cyber Security Collaboration Project

How to create an image of an HDD for forensics and security?
08 Jun 2013

Use dcfldd to create an image of a hard disk for forensics and security.

$ man dcfldd

Example of use:

1. Get disk image:
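# List disks and partitions to identify the source device
fdisk -l
# Image /dev/sda; hash=md5,sha1 enables both digests written to the md5log/sha1log files
dcfldd bs=32k if=/dev/sda of=./image_sda.dd hash=md5,sha1 md5log=./image_sda.dd.md5 sha1log=./image_sda.dd.sha1 sizeprobe=if conv=noerror,sync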

2. Get disk image through a network:
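# Send a compressed image of the disk to a remote host
dd if=/dev/xxx | gzip | ssh user@host "dd of=/path/to/file/xxx.gzip"
# Restore the disk from the remote image (overwrites /dev/xxx)
ssh user@host "dd if=/path/to/file/xxx.gzip" | gzip -d | dd of=/dev/xxx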

3. Get Master Boot Record (MBR):
dd if=/dev/xxx of=mbr.copy bs=512 count=1
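
To confirm later that the image from step 1 still matches the digest dcfldd logged at acquisition time, the following added example (not part of the original post) recomputes the hash and compares it with the log. It assumes the log contains a line of the form `Total (md5): <hex>`; `verify_image` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: verify a disk image against a dcfldd hash log.
# Assumption: the log holds a line like "Total (md5): <hex digest>".
# Return codes: 0 = match, 1 = mismatch, 2 = usage or input error.

verify_image() {
    image=$1
    log=$2
    algo=$3

    # Map the algorithm name to the coreutils tool that computes it.
    case "$algo" in
        md5)  tool=md5sum ;;
        sha1) tool=sha1sum ;;
        *)    echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac

    if [ ! -r "$image" ] || [ ! -r "$log" ]; then
        echo "cannot read image or log" >&2
        return 2
    fi

    # Take the last "Total" line for this algorithm and normalise to lowercase.
    expected=$(sed -n "s/^Total ($algo): *\([0-9a-fA-F]*\).*/\1/p" "$log" \
        | tail -n 1 | tr 'A-F' 'a-f')
    if [ -z "$expected" ]; then
        echo "no Total ($algo) line found in $log" >&2
        return 2
    fi

    # Recompute the digest over the whole image file.
    actual=$("$tool" "$image" | cut -d' ' -f1)

    if [ "$expected" = "$actual" ]; then
        echo "OK: $image matches logged $algo $expected"
        return 0
    fi
    echo "MISMATCH: logged $expected, computed $actual" >&2
    return 1
}

# Command-line use: sh verify.sh ./image_sda.dd ./image_sda.dd.md5 md5
if [ "$#" -eq 3 ]; then
    verify_image "$1" "$2" "$3"
fi
```

Run the check against both the md5 and sha1 logs, and repeat it whenever the image is copied to new storage.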

DD for Windows:
http://www.chrysocome.net/dd
