AwesomeMachine

This document is made to be easily skimmed. The latest addition was on 01-05-08, "Brief notes for Microsoft Windows XP and Windows Vista users". This is comprehensive documentation for one of the most useful linux/UNIX Windows commands-dd. It is a bitstream duplicator for copying data. If you have a question, post it.

Windows users will find help about 50 lines down from here.

First Time visitors please leave a reply.

Copying smaller partition, or drive to larger partition, or drive; or vice versa
Rsync preserves the target file system. You need to run:
for the target to become bootable. If the target was bootable previously, it remains bootable.

Brief notes for Microsoft Windows XP and Windows Vista users

Using Windows XP is no excuse for not using dd for all your drive cloning, backup, upgrading, and restore tasks. Boot a Windows XP machine with a Knoppix CD, a live CD operating system that is self contained, and doesn't use the hard drive. You can download Knoppix, burn the iso image file to a CD, boot with it, and clone drives.

Drives are described to the dd command using device files. When you boot into Knoppix, which is Linux, you want to open a root command prompt, or root terminal shell. Parallel IDE (80 conductor grey ribbon cable), the first drive (master) on channel 0 is /dev/hda. The second drive (slave) on IDE channel 0 (The first IDE channel), is /dev/hdb.

SATA, no matter if there there are also IDE hard drives, are /dev/sda and /dev/sdb. In the root shell you can enter commands:

The partitions on the first drive. The manual page for fdisk. Parted to make partitions Dd command examples will be found in the remainder of the post. If one has trouble, ask.

Please note: Performance of Knoppix Linux does not indicate performance of Linux overall. Knoppix Linux runs on a CD drive (1/1000 the speed of an HDD). Linux is high performance, giving power users the speed and flexibility to do High Performance Computing. The Knoppix CD has over 1 GB of software, in compressed format. Feel free to read the entire post.

Dd is not presently able to clone Microsoft Windows Vista OEM Partitions.

End Windows Section


When to use the 'conv=sync' option

Pressed CDs are difficult accurately write to a HDD, because there are sectors that fool dd. The image file (.iso) will usually work properly, but MS Windows CDs are fussy. Here is how to make a perfect copy of a CD to a HDD image file:
Sync is the key.

Begin Linux dd

The basic command is structured as follows:
Source is the data being read. Target is where the data gets written.

Warning!! If you reverse the source and target, you can wipe out a lot of data. This feature has inspired the nickname "dd" Data Destroyer.

Warning!! Caution should be observed when using dd to copy encrypted partitions.

How to make a swap file, or another swapfile on a running system:
This can solve out of memory issues due to memory leaks on servers that cannot easily be rebooted.

New How to pick proper block size:

This method can also be used as a drive benchmark, to find strengths and weaknesses in hard drives:
Read:
Write:
The output looks like this:
Your output may have different figures. The format is what I'm referring to. If you play with 'bs=' and 'count=', always having them multiply out to the same figure, you can calculate bytes/second like this: 1Gb/total seconds = Gb/s. You only use the 'real' timing figure from above. You can get more realistic results using a 3Gb file.

How to rejuvenate a hard drive
This will sometimes cure input/output errors experienced when using dd. Over time the data on a drive, especially a drive that hasn't been used for a year or two grows into larger magnetic flux points than were originally recorded. This makes it hard for the drive heads to decipher these magnetic flux points. This results in read/write errors. Also, sometimes sector 1 goes bad resulting in a useless drive. All you need to do is:
to rejuvenate the drive. The process rewrites all the data on the drive in nice tight magnetic patterns that can then be read properly. The procedure is perfectly safe, and saves one a lot of money on HDDs.

Examples: Copy one hard disk partition to another hard disk:
sda2 and sdb2 are partitions. You want to copy sda2 to sdb2. If sdb2 doesn't exist, dd will start at the beginning of the disk, and create it. Be careful with order of if and of. You can write a blank disk to a good disk if you get confused. The only difference between a big partition and a small partition, besides size, is the partition table. If you are copying sda to sdb, an entire drive with a single partition, sdb being smaller than sda, then you have to do:
Skip skips input blocks at the beginning of the media (sda). Seek skips over so many blocks on the output media before writing (sdb). By doing this, you leave the first 4k bytes on each drive untouched. You don't want to tell a drive it is bigger than it really is by writing a partition table from a larger drive to a smaller drive. The first 63 sectors of a drive are empty, except sector 1, the MBR. If you are copying a smaller partition to a larger one, the larger partition will read the correct size with:
, but not with:
This is because fdisk reads the partition table and df reads the format info. If you dd a smaller partition to a larger one the larger one will now be formatted the same as the smaller one and there won't be any space left on the drive. The way around this is to build a partition image file.
Mount the image like a drive using:
Cp has an -r switch for recursive copy. Now, if you are copying sda3 to sda2, this is different. What you want to do is this:
The very last part of the drive is usually zeroes. So, if you have room for the data, and the zeroes get truncated that's ok.
Make an iso image of a CD:
This copies sector for sector. The result will be a hard disk image file of the CD. You can mount the image with: , this line in fstab:
Save fstab,
Then the file system will be viewable as files and directories in the directory
Copy a floppy disk:
or
The 18b specifies 18 sectors of 512 bytes, the 2x multiplies the sector size by the number of heads, and the 80x is for the cylinders--a total of 1474560 bytes. This issues a single 1474560-byte read request to /dev/fd0 and a single 1474560 write request to
.
This makes a hard drive image of the floppy, with bootable info intact. The second example uses default "bs=" of 512, which is the sector size of a floppy.If you're concerned about spies with superconducting quantum-interference detectors you can always add a "for" loop for government level secure disk erasure: copy and paste the following two lines into a text editor.
Now you have a shell script for seven passes of random characters over the whole disk Do:
to make it executable.
To make a bootable USB thumb drive: Download 50 MB Debian based distro here:
http://sourceforge.net/projects/insert/
Plug in the thumb drive to a USB port. Do:
Look where the new drive is, sdb, or something similar. Do:
Now set the BIOS to USB boot, plug in the thumb drive, and boot the machine.
Copy just the MBR and boot sector of a floppy to hard drive image:
This copies the first 2 sectors of the floppy.
Cloning an entire hard disk:[/color]
In this example, sda is the source. Sdb is the target. Do not reverse the intended source and target. Surprisingly many people do. Notrunc means 'do not truncate the output file'. Noerror means to keep going if there is an error. Normally dd stops at any error.
Copy MBR only of a hard drive: [/color]
This will copy the first 446 bytes of the hard drive to a file. If you haven't already guessed, reversing the objects of if and of, in the dd command line reverses the direction of the write.
Wipe a hard drive of all data (you would want to boot from a cd to do this)[/color] http://www.efense.com/helix
is a good boot cd. The helix boot environment contains the DoD version of dd called dcfldd. It works the same way, but is has a progress bar.
This is useful for making the drive almost like new. Most drive have 0x0000ffh written to every sector from the factory.
Overwrite all the free space on a partition (deleted files you don't want recovered)[/color] When dd says no room left on device, all the free space has been overwritten with random characters. Then, delete the big file with .
To view your virtual memory:
use PgUp, PgDn, up arrow, down arrow to navigate in less. Less is my favorite editor. Or I should say it would be my favorite editor if it allowed editing.
What filesystems are installed:
all loaded modules:
interrupt table: How many seconds has the system been up:
partitions and sizes in kb:
Memory stats:
I put two identical drives in every one of my machines. Before I do anything which might be disasterous, I do:
and copy my present working sda drive system to the sdb drive. If I wreck the installation on sda, I just boot with the helix cd and:
and I get everything back exactly the same as before whatever boneheaded thing I was trying to do didn't work. You can really, really learn linux this way, because you absolutely can't wreck what you have an exact copy of. You also might consider making the root partition separate from /home, and make /home big enough to hold the root partition, plus more. Then you can do:
To make a backup of root, and :
To write the image of root back to the root partition if you messed up and can't launch the X server anymore, or edited /etc/fstab and can't figure out what you did wrong. It only takes a few minutes to restore a 15 GB root partition from an image file.
To make a file of 100 random bytes:
/dev/random produces only as many random bits as the entropy pool contains. This yields quality randomness for kryptographic keys. If more random bytes are required, the process stops until the entropy pool is refilled (waggling your mouse helps). /dev/urandom does not have this restriction. If the user demands more bits than currently in the entropy pool, it produces them using a pseudo random number generator. Here, /dev/urandom is the Linux random byte device. myrandom is a file.
Write random data over a file before deleting it:
first do an to find filesize.
In this case it is 3769 This will write random characters over the entire file.
Copy a disk partition to a file on a different partition.

Warning!! Do not copy a partition to the same partition.

This will make a file that is an exact duplicate of the sdb2 partition. You can substitue hdb, sda, hda, or whatever the disk is called. Or
Makes a gzipped archive of the entire partition. To restore use:for bzip2(slower,smaller), substitute bzip2 and bunzip2, and name the file Restore a disk partition from an image file.
This way you can get a large hard drive and partition it so you can back up your root partition. If you mess up your root partition, you just boot from the helix cd and restore the image. To covert a file to all uppercase:[/color]
Make a ramdrive:
The Linux kernel usually makes a number a ramdisks you can make into ramdrives. You have to populate the drive with zeroes like so:
Makes a 16 MB ramdisk full of zeroes.
puts a file system on the ramdisk turning it into a ramdrive. Watch this puppy smoke.
You only to do the timing once because it's cool. Make the drive again because hdparm is a little hard on ramdrives. You can mount the ramdrive with:
Now you can use the drive like a hard drive. This is particularly superb for working on large documents or programming. You can copy the large file or programming project to the ramdrive, which on my machine is at least 27 times as fast as /dev/sda, and ever time you save the huge document, or need to do a compile it's like your machine is running on nitromethane. The only thing is the ramdrive is volatile. If you lose power, or lock up the data on the ramdrive is lost. Use a reliable machine during clear skies if you use a ramdrive.
Copy ram memory to a file:
The device is your system memory. You can actually copy any block or character device to a file using dd. Memory capture on a fast system, with bs=1024 takes about 60 seconds, a 120 GB HDD about an hour, a CD to hard drive about 10 minutes, a floppy to a hard drive about 2 minutes. With dd, your floppy drive images will not change at all. If you have a bootable DOS diskette, and you save it to your HDD as an image file, when you restore that image to another floppy it will be bootable.
dd will print to the terminal window if you omit the part.
will print the file myfile to the terminal window.
To search the system memory:
[/color]If you need to cover your tracks quickly, put the following commands in a script to overwrite system ram with zeroes. Don't try this for fun.
This will overwrite all unprotected memory structures with zeroes, and freeze the machine so you have to reboot (Caution, this also prevents committment of the file system journal and could trash the file system).
If you are just curious about what might be on you disk drive, or what an MBR looks like, or maybe what is at the very end of your disk:
Will show you sector 1, or the MBR. The bootstrap code and partition table are in the MBR.
To see the end of the disk you have to know the total number of sectors for the disk, and the disk has to be set up with Maximum Addressable Sector equal to Maximum Native Address. The helix CD has a utility to set this correctly. In the dd command your seek value will be one less than MNA of the disk. For a 120 GB Seagate SATA drives
,
So this reads sector for sector, and writes the last sector to myfile. Even with LBA addressing Disks still secretly are read in sectors, cylinders, and heads.
There are 63 sectors per cylinder, and 255 heads per cylinder. Then there is a total cylinder count for the disk. You multiply out 512x63x255=bytes per cylinder. 63x255=sectors per cylinder. With 234441647 total sectors, and 16065 sectors per cylinder, you get some trailing sectors which do not make up an entire cylinder, 14593.317584812. This leaves you with 5102 sectors which cannot be partitioned because to be in a partition you have to be a whole cylinder. It's like having part of a person. That doesn't really count as a person. So, what happens to these sectors? They become surplus sectors after the last partition. You can't ordinarily read in there with an operating system. But, dd can. It is really a good idea to check for anything writing to surplus sectors. For our Seagate 120 GB drive you subtract total sectors(234441647)-(5102) which don't make up a whole cylinder=234436545 partitionable sectors.
This writes the last 5102 sectors to myfile. Launch midnight commander (mc) to view the file. If there is something in there, you do not need it for anything. In this case you would write over it with random characters:
Will overwrite the 5102 surplus sectors on our 120 GB Seagate drive.

Block size:
One cylinder in LBA mode = 255 heads * 63 sectors per track = 16065 sectors = 16065 * 512 bytes = 16065b. The b means '* 512'. 32130b represents a two cylinder block size. When using cylinder sized block sizes you never need to worry about that last fraction of a block not being copied because partitions are made of a whole number of cylinders. Partitions cannot contain partial cylinders. One cylinder is 8,225,280 bytes.

If you want to check out some random area of the disk:
Will give you 8,000 sectors in myfile, after the first 16,000 sectors. You can open that file with a hex editor, edit some of it, and write the edited part back to disk:
So there you got yourself a disk editor. It's not the best, but it works.
You can make a boot floppy:With the
,
which is pretty easy to get. You just need a program that will literally start writing at sector 1.
dd if=boot.img of=/dev/fd0 bs=1440k
This makes a bootable disk you can add stuff to. If you want to make a partition image on another machine: on source machine:
Boot both machines with the helix CD just to be extra sure. Then,
On target machine:
Netcat is a program, available by default, on almost every linux installation. It is like a swiss army knife of networking. In the preceding example netcat and dd are piped to one another. One of the functions of the linux kernel is to make pipes. The pipe character looks like two little lines on top of one another, both vertical. Here is how this command behaves: This byte size is a cylinder. bs=16065b equals one cylinder on an LBA drive. The dd command is piped to netcat, which takes as its arguments the IP address of the target(like 192.168.0.1, or any IP address with an open port) and what port you want to use(1234).

Alert!! Don't hit enter yet. Hit enter on the target machine, hit enter on the source machine.

CONTINUES...SEE NEXT POST

dd will not copy or erase an HPA or host protected area. If used properly dd will erase a disk completely, but not as well as using the hardware secure erase, security erase unit command

Dd need not be black boxed like other inexpensive forensic software. See the following link:
http://www.cftt.nist.gov/
For a low cost bootable CD based professional ghosting solution, that supports all operating systems and file systems:
http://www.feyrer.de/g4u/

Dd is like Symantec Norton Ghost, Acronis True Image, Drive Image, . You can perform disk drive backup, restore, imaging, disk image, cloning, clone, drive cloning, transfer image, transfer data, clone to another drive or clone to another machine, move Windows XP to a new hard drive, clone Windows XP, clone Windows, transfer Windows, hard drive upgrade, copy a boot drive, copy a bootable drive, upgrade your operating system hard drive, Tired of reinstalling WinXP Windows XP?