Device Imaging with dd

In this tutorial, I will explain what dd is and how to use it to create an image of a device. Let’s start by explaining what an image is and why you may want to create one. An image is just a “comprehensive duplicate of electronic media such as a hard-disk drive.” (Goldstein, 2019) A comprehensive duplicate is an exact, bit-for-bit copy of a device, whether a USB drive, hard drive, floppy disk, or similar medium. Images are used in virtualization when you want to run an operating system from a predetermined state, and in digital forensics investigations to ensure that all work is done on the image, so that the integrity of the original piece of evidence is never accidentally tainted.

The dd command in Linux (*nix) is “a command-line utility for Unix and Unix-like operating systems whose primary purpose is to convert and copy files.” (GeeksforGeeks, 2019) In other words, dd is a program that can be run in a Linux or Unix terminal and that can easily make an image of a storage device, such as a USB drive. dd ships with every *nix system, so you don’t have to worry about installing it.

Let’s begin by looking at the manual page and learning the syntax. You can read the man page of most binaries by invoking man <binary>. For dd, you can read it with man dd.

We can see that dd is used to convert and copy files, and that its behaviour is controlled by operands. The general syntax is dd [OPERAND]. The only operands we will worry about for this tutorial are if (infile), of (outfile), and status. The infile is the device you want to make an image of, the outfile is where you want this image to be saved, and status sets how much progress information dd reports to the user.

When you want to create an image of a USB drive, you must first locate the drive using lsblk. This command “lists information about all available devices.” (Broz, Zak 2021)

We can see a couple of devices, but we will focus on sdb. This is the second disk drive, and it will likely be the USB stick you want to image. To double check that this is the drive you want to image, look at the MOUNTPOINT for sdb1 and see that it is mounted at /media/ubuntu/003B-5B4A. Just list the files in that location using ls and make sure it is the USB stick you want to image.

Next, we will invoke the dd command. The syntax we will use will be as follows:

sudo dd if=/dev/sdb of=~/Desktop/imageOfUSB status=progress

Above, we specify that the infile, the device we want to image, is the USB stick. The outfile saves the image on the current user’s desktop under the name imageOfUSB, and the status operand states that we want to see the progress of the copy. The sudo at the beginning means that we run the command as superuser, which is necessary because reading a raw block device such as /dev/sdb requires root privileges. When the program completes the copy, the output should look like this:

We can use hashes to ensure that the image and the device are exactly the same, bit-for-bit. A hash takes input of any length and outputs a fixed-length string of alphanumeric characters, computed by a cryptographic hash algorithm. It ensures that if any data changes, even if one bit is flipped, the output of the hash algorithm will look vastly different. We can see below that the image and the device have the same hash results:
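The image-then-verify procedure above, written as an added example that is not part of the original tutorial: it wraps the dd copy and the hash comparison in shell functions and also checks that the image has the same size as the device, which catches a copy cut short by a full disk or an interrupted dd. It assumes GNU coreutils (sha256sum, wc) and a POSIX dd; the sample "device" it builds is a constructed regular file, which dd treats exactly like /dev/sdb (a real device needs sudo).

```shell
#!/bin/sh
# image_device DEVICE IMAGE: bit-for-bit copy of DEVICE into the file IMAGE.
# DEVICE may be a real block device (/dev/sdb, run as root) or, for practice,
# any regular file. bs is the chunk size per read/write: 64 KiB is portable
# and far faster than dd's default of 512 bytes on a USB stick.
image_device() {
    dd if="$1" of="$2" bs=65536 || return 2
}

# sha256_of PATH: print only the hex digest of PATH.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image DEVICE IMAGE: returns 0 when size and SHA-256 digest agree,
# 1 when they differ, 2 when a file could not be read.
verify_image() {
    # Size check first: a truncated image is the most common failure and is
    # cheap to spot before hashing everything. (On a real block device,
    # blockdev --getsize64 gives the size without reading the whole device.)
    dev_size=$(wc -c < "$1") || return 2
    img_size=$(wc -c < "$2") || return 2
    [ "$dev_size" -eq "$img_size" ] || return 1
    dev_hash=$(sha256_of "$1") || return 2
    img_hash=$(sha256_of "$2") || return 2
    [ "$dev_hash" = "$img_hash" ]
}

# make_sample_device PATH: constructed stand-in for a small USB stick
# (about 293 KiB of a repeating, deterministic pattern) so the functions can
# be exercised without root or real hardware.
make_sample_device() {
    yes 'constructed sample sector' | head -c 300000 > "$1"
}

# Usage on a real stick, as in the tutorial (run as root):
#   image_device /dev/sdb ~/Desktop/imageOfUSB && verify_image /dev/sdb ~/Desktop/imageOfUSB
```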

Now, we will put the image onto an empty USB stick. To ensure it is empty, I will explain how to format (clean) a USB stick. First, open the Disks utility on Linux. The screen should look something like this:

Next, select the USB stick. Click the cogwheel icon on the volume you want to format, then click Format Partition. You can name the volume, but make sure you select Erase to erase everything on that USB stick. Click Next, then click Format. It shouldn’t take too long for small drives, but anything over 1GB will likely take a few minutes. Anything over 10GB may take an hour or longer on a virtual machine. Anything over 1TB may take a day. Once it is formatted, we can run essentially the reverse of our previous command to put the image onto the USB drive.

sudo dd if=~/Desktop/imageOfUSB of=/dev/sdb status=progress

This may take a lot longer than the previous run, since USB write speeds are usually slower than read speeds.

That is really all there is to making images and putting images onto devices.

References

Broz, M., & Zak, K. (2021, October 27). lsblk(8) - Linux manual page. Retrieved January 29, 2022, from https://man7.org/linux/man-pages/man8/lsblk.8.html

GeeksforGeeks. (2019, May 15). dd command in Linux. Retrieved January 29, 2022, from https://www.geeksforgeeks.org/dd-command-linux/#:~:text=dd%20is%20a%20command%2Dline,system%20just%20like%20normal%20files.

Goldstein, S. (2019, September 24). Two key differences between digital forensic imaging and digital forensic clone and how they can affect your legal case. Capsicum Group. Retrieved January 29, 2022, from https://capsicumgroup.com/2-key-differences-between-digital-forensic-imaging-and-digital-forensic-clone-and-how-they-can-affect-your-legal-case/#:~:text=A%20Forensic%20Image%20is%20a,as%20a%20hard%2Ddisk%20drive.&text=This%20exact%20duplicate%20of%20the,for%20analysis%20and%20evidence%20preservation.