Dd (Unix)
- The title of this article is incorrect because of technical limitations. The correct title is dd.
dd is a common Unix program whose primary purpose is the low-level copying and conversion of files.
Introduction
Unlike the ordinary cp command, which copies files in their entirety, dd has command line options that allow copying a fixed number of bytes or blocks, performing on-the-fly byte order conversions, and more esoteric EBCDIC to ASCII conversions. Nowadays dd is mostly used to copy regions of raw device files, e.g. backing up the boot sector of a hard disk, or to read fixed amounts of data from special files like /dev/zero or /dev/random. Because dd can copy entire partitions or disks (this is more due to Unix providing access to these devices than the functionality of dd per se), it is used in computer forensics when the contents of a partition need to be preserved in a byte-exact copy. Using cp would not be enough, since data from deleted files that may still be present on a disk are not visible through the file system interface.
The command line syntax of dd is unlike that of any other Unix program, resulting in widespread fear and loathing; it is rumored to have been based on IBM's JCL, and though the syntax may have been a joke there seems to have never been any effort to write a more Unix-like replacement.
The fear is due to the fact that dd is used for low-level operations on hard disks: one tiny mistake, and instead of restoring a boot sector one may have rendered an entire disk virtually unusable.
The loathing is triggered by the blatant violation of the Unix philosophy of using a common syntax for all command line tools. Generally, dd uses an "option=value" format whereas most Unix programs use a "-option value" format. Also, dd's input is specified using the "if" option, while most programs simply take the name by itself.
Usage
dd [options]
operands
- if=file
- Input File: Read from file instead of from standard input.
- of=file
- Output File: Write to file instead of to standard output. See also the keyword notrunc.
- ibs=bytes
- Input Block Size: Read bytes bytes at once.
- obs=bytes
- Output Block Size: Write bytes bytes at once.
- bs=bytes
- Block Size: A shortcut for ibs=bytes obs=bytes. If the user does not provide a block size, 512 bytes is used[1] (http://www.opengroup.org/onlinepubs/009695399/utilities/dd.html).
- count=blocks
- Count: copy only this many blocks from the input to the output, then stop.
- skip=blocks
- When starting to read from input, skip blocks number of blocks of size ibs.
- seek=blocks
- When starting to write to output, skip blocks number of blocks of size obs.
- conv=keywords
- Convert the file according to a comma-separated list of keywords.
- cbs=bytes
- Convert Block Size: Convert bytes bytes at once.
conv
When conv is specified as an operand, the following keywords may be used:
- ascii
- Convert from EBCDIC to ASCII.
- ebcdic
- Convert from ASCII to EBCDIC.
- ibm
- Convert from ASCII to an alternative EBCDIC.
- block
- Fill datasets which are terminated by a newline character with space characters to fit the size of cbs.
- unblock
- Replace trailing space-characters in datasets of size cbs with newline-characters.
- lcase
- Change uppercase characters to lowercase.
- ucase
- Change lowercase characters to uppercase.
- notrunc
- Do not truncate output file to zero bytes before writing to it. If the existing output file is shorter than the amount of data to be written to it, this will cause the written data to overwrite the initial portion, leaving the remainder intact.
- swab
- Swap every pair of input bytes.
- noerror
- Ignore reading errors and continue.
- sync
- Pad every input block with null bytes if it is shorter than the size specified. If used with block or unblock, pad with space characters instead.
Notes and units
On various systems the option --version is supported. dd will then output its version number and quit.
file may be any real file or any block-device file.
On certain systems bytes may be specified with multiplicative units. These units may then be[2] (http://www.mcsr.olemiss.edu/cgi-bin/man-cgi?dd+1):
- c
- Character: 1
- w
- Word: 2
- b
- Block: 512
- kB
- Kilo (decimal): 1000
- k
- kilobytes: 1024
- MB
- Mega (decimal): 1000000
- M
- megabytes: 1048576 (1024x1024)
This may be carried on similarly with G, T, P, E, Z, Y. The standard "IEEE Std 1003.1" only requires that the 'b' and 'k' multipliers be supported, and does not specify the meaning of any other multipliers. Also, multiple numbers may be provided separated by 'x'. These numbers are multiplied together.
Examples
To create an image file named floppy.img of a floppy disk in the drive whose block-device name is /dev/fd0 (as the first floppy device is on Linux), one may invoke dd in the following way:
- dd if=/dev/fd0 of=floppy.img
Note: To copy a floppy image to a disk (erasing any existing data on the disk), simply swap the values of of and if in the previous example.
To create a file named reallylargefile with a size of 1 GB, filled with random data, do this (count is given in blocks, here of the default 512-byte size):
- dd if=/dev/random of=reallylargefile count=2097152
To fill the file with NULL characters, use /dev/zero instead of /dev/random.
To increase writing performance, obs can be increased (count still counts input blocks of the default 512-byte size):
- dd if=/dev/random of=reallylargefile obs=4096 count=2097152
The following writes the first partition of the first hard disk to the file mywindowspartition.image:
- dd if=/dev/hda1 of=mywindowspartition.image
Note that these examples are Linux-centric. On other platforms the device names may be different.
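The boot-sector backup mentioned in the introduction and the notrunc keyword can be tried safely on an image file. This is an added example, not part of the original article; disk.img is a constructed 64-sector file standing in for a raw device, and all function and file names are hypothetical.

```shell
#!/bin/sh
# Added example. disk.img is a constructed 64-sector file standing in for a raw
# device such as /dev/hda; every function and file name here is hypothetical.

# Build the test image: zeros, a marker in sector 0, a marker in sector 1.
make_test_disk() {
    dd if=/dev/zero of="$1" bs=512 count=64 2>/dev/null
    printf 'BOOT-SECTOR' | dd of="$1" bs=512 conv=notrunc 2>/dev/null
    printf 'PARTITION-DATA' | dd of="$1" bs=512 seek=1 conv=notrunc 2>/dev/null
}

# Save exactly the first 512-byte sector of image $1 into file $2.
backup_sector0() { dd if="$1" of="$2" bs=512 count=1 2>/dev/null; }

# Write saved sector $2 back over sector 0 of image $1, keeping the rest.
restore_sector0() { dd if="$2" of="$1" bs=512 count=1 conv=notrunc 2>/dev/null; }

# The same restore without conv=notrunc, to show what it does to a regular file.
restore_sector0_truncating() { dd if="$2" of="$1" bs=512 count=1 2>/dev/null; }

# Size of file $1 in bytes.
size_of() { wc -c < "$1" | tr -d ' '; }

# Damage sector 0, restore it with the function named in $1, and print
# "<size in bytes> <same|differs>" comparing the result to the pristine image.
roundtrip() {
    dir=$(mktemp -d) || return 1
    make_test_disk "$dir/disk.img"
    cp "$dir/disk.img" "$dir/pristine.img"
    backup_sector0 "$dir/disk.img" "$dir/sector0.bak"
    dd if=/dev/zero of="$dir/disk.img" bs=512 count=1 conv=notrunc 2>/dev/null
    "$1" "$dir/disk.img" "$dir/sector0.bak"
    if cmp -s "$dir/disk.img" "$dir/pristine.img"; then verdict=same; else verdict=differs; fi
    echo "$(size_of "$dir/disk.img") $verdict"
    rm -rf "$dir"
}

roundtrip restore_sector0              # 32768 same
roundtrip restore_sector0_truncating   # 512 differs
```

A real block device cannot be truncated, so the difference only shows up when the restore target is an image file.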
Anti-examples
WARNING: If you care for your data, do NOT try this.
The following examples are provided to warn about the dangers of dd, if used incorrectly. Trying any of these commands with the proper privileges will almost certainly result in major data loss, and may make the system unusable.
This overwrites the complete first hard disk with null bytes, erasing it:
- dd if=/dev/zero of=/dev/hda
This overwrites the first few blocks of the first hard disk with a file, resulting in a loss of the partition table:
- dd if=funnysong.mp3 of=/dev/hda
This will completely corrupt an entire hard disk:
- dd if=/dev/dsp of=/dev/hda
Note that these examples are Linux-centric. On other platforms the device names may be different.
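One way to guard against the mistakes above is a wrapper that inspects every of= operand before dd runs. This is an added example, not part of dd or of the original article; dd_verdict, guarded_dd and the DD_CONFIRM variable are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of dd. dd_verdict, guarded_dd and DD_CONFIRM are
# hypothetical names chosen for this sketch.

# Print "allow", or "refuse <path>" if any of= operand names a block device.
# Writing to a block device is permitted only when DD_CONFIRM holds that exact
# path. [ -b ] follows symlinks, so links that point at a disk are caught too.
dd_verdict() {
    for arg in "$@"; do
        case $arg in
            of=*)
                target=${arg#of=}
                if [ -b "$target" ] && [ "${DD_CONFIRM:-}" != "$target" ]; then
                    echo "refuse $target"
                    return 0
                fi ;;
        esac
    done
    echo allow
}

# Run dd with the given operands only if dd_verdict allows it.
guarded_dd() {
    verdict=$(dd_verdict "$@")
    if [ "$verdict" != allow ]; then
        echo "guarded_dd: ${verdict#refuse } is a block device;" \
             "set DD_CONFIRM to that path to proceed" >&2
        return 1
    fi
    dd "$@"
}
```

With this in place, a restore to a disk is typed as `DD_CONFIRM=/dev/hda guarded_dd if=bootsector.bak of=/dev/hda`, so the device name has to be written twice before anything is overwritten.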
Other meanings of dd
In the vi editor, typing dd in command mode deletes the current line.
External links
- The Open Group Base Specifications Issue 6 of the dd utility (http://www.opengroup.org/onlinepubs/009695399/utilities/dd.html)
- dd for Windows (http://uranus.it.swin.edu.au/~jn/linux/rawwrite/dd.htm)