Mike J. Kreuzer, Ph.D, MCSE, MCT
Call me at: 831-675-MCSE
Silicon Valley and International Networks since 1984.
dd is a utility to create a disk dump by reading every single block on a disk, e.g. your hard drive. However, its architecture is laid out so it can do much more than creating a dump.
Say we have a hard disk /dev/sda that we want to back up entirely (sector by sector) to a USB volume /dev/sdb1, mounted on /mnt/sdb1. We call this a dump or an image of /dev/sda. The dump shall be named backup.img. Here is the dd command:
dd if=/dev/sda of=/mnt/sdb1/backup.img
In this command, if stands for input file and of for output file.
To restore this backup, we boot from a live CD and run the command the other way round. This can overwrite all content on your hard disk; this is the intention.
dd if=/mnt/sdb1/backup.img of=/dev/sda
To clone a disk A to B, both disks need to have the same capacity. This is very convenient for USB disks. Say our USB source disk is called /dev/sdb and the target is called /dev/sdc. Do it like this:
dd if=/dev/sdb of=/dev/sdc
Now if sdc has a bigger capacity, this capacity will be lost because the file system is not aware of it.
To transfer a disk image over the network to a computer named target, use (user is a placeholder for your login name on target)
dd if=/dev/sdb | ssh user@target "(cat >backup.img)"
To create an iso image of a CD, read it block-by-block and save the blocks to a file:
dd if=/dev/cdrom of=cdimage.iso
If your favorite movie or song cannot be played any longer because the file is corrupt, you can use dd to ignore the corrupt part:
dd if=movie.avi of=rescued_movie.avi conv=noerror
dd is great for learning about your system. To analyze your disk by displaying selected blocks, in this case block 1001 of /dev/sdc1, use:
dd if=/dev/sdc1 count=1 skip=1000
To see the first 40 bytes of your first hard disk as a hexdump, use
dd if=/dev/sda bs=1 count=40 | hexdump -C
Here, bs stands for blocksize.
To create your own operating system by dumping your bootloader to the boot sector of a bootable disk image use
dd conv=notrunc if=bootloader of=qemu.img
# dd if=/dev/sdg1 of=/dev/null bs=512 count=1000000
1000000+0 records in
1000000+0 records out
512000000 bytes (512 MB) copied, 4.25186 s, 120 MB/s
# dd if=/dev/sdg1 of=/dev/null bs=4096 count=1000000
1000000+0 records in
1000000+0 records out
4096000000 bytes (4.1 GB) copied, 29.8747 s, 137 MB/s
However, make sure you have read How caching works first; otherwise you will be surprised by a mysterious acceleration like this:
# dd if=/dev/sdg1 of=/dev/null bs=512 count=1000000
1000000+0 records in
1000000+0 records out
512000000 bytes (512 MB) copied, 4.25186 s, 120 MB/s
# dd if=/dev/sdg1 of=/dev/null bs=512 count=1000000
1000000+0 records in
1000000+0 records out
512000000 bytes (512 MB) copied, 0.417317 s, 1.2 GB/s
It is best to circumvent the file system cache completely using direct I/O:
# dd iflag=direct if=/dev/sdg1 of=/dev/null bs=512 count=100000
100000+0 records in
100000+0 records out
51200000 bytes (51 MB) copied, 5.01053 s, 10.2 MB/s
The WinDos counterpart of dd is rawrite.
dd can also read and/or write from/to these files, provided that function is implemented in their respective driver. As a result, dd can be used for tasks such as backing up the boot sector of a hard drive, and obtaining a fixed amount of random data. The
in which the initials stand for “Data Definition”. The command's syntax resembles the JCL statement more than it does other Unix commands, so the syntax may have been a joke.
dd first appeared in Version 5 Unix.
The command line syntax of dd differs from many other Unix programs, in that it uses the syntax option=value for its command line options, rather than the more-standard -option value or --option=value formats. By default,
if (input file) and of (output file) options.
Usage varies across different operating systems. Also, certain features of dd will depend on the computer system capabilities, such as dd's ability to implement an option for direct memory access. Sending a SIGINFO signal (or a USR1 signal on Linux) to a running dd process makes it print I/O statistics to standard error once and then continue copying.
(the usual Unix EOF) and MKS Toolkit uses <ctrl-z> (the usual Windows EOF).
The GNU variant of dd as supplied with coreutils on Linux does not describe the format of the messages displayed on standard output on completion. However, these are described by other implementations, e.g. that with BSD.
Each of the “Records in” and “Records out” lines shows the number of complete blocks transferred + the number of partial blocks, e.g. because the physical medium ended before a complete block was read, or a physical error prevented reading the complete block.
) compared to output/writing (obs), though the block size (bs) option will override both ibs and obs. The default value for both input and output block sizes is 512 bytes (the traditional block size of disks, and POSIX-mandated size of “a block”). The count option for copying is measured in blocks, as are both the skip count for reading and seek count for writing. Conversion operations are also affected by the “conversion block size” (cbs).
For some uses of the dd command, block size may have an effect on performance. For example, when recovering data from a hard disk, a small block size will generally cause the most bytes to be recovered. Issuing many small reads is an overhead and may be non-beneficial to execution performance. For greater speed during copy operations, a larger block size may be used. However, because the number of bytes to copy is given by bs×count, it is impossible to copy a prime number of bytes in a single dd command without making one of two bad choices, bs=N count=1 (memory use) or bs=1 count=N (read request overhead). Alternative programs (see below) permit specifying bytes rather than blocks. When
The value provided for block size options is interpreted as a decimal (base 10) integer and can also include suffixes to indicate multiplication. The suffix w means multiplication by 2, M means 1024 × 1024, G means 1024 × 1024 × 1024, and so on. Additionally, some implementations understand the x character as a multiplication operator for both block size and count parameters.
For example, a block size such as bs=2x80x18b is interpreted as 2 × 80 × 18 × 512 = 1474560 bytes, the exact size of a 1440 KiB floppy disk.
The dd command can be used for a variety of purposes.
dd can duplicate data across files, devices, partitions and volumes. The data may be input or output to and from any of these; but there are important differences concerning the output when going to a partition. Also, during the transfer, the data can be modified using the conv options to suit the medium.
An attempt to copy the entire disk using
may omit the final block if it is of an unexpected length
may succeed. The source and destination disks should have the same size.
|<source lang="bash">dd if=/dev/sr0 of=myCD.iso bs=2048 conv=noerror,sync</source>||Creates an ISO disk image from a CD-ROM; in some cases the created ISO image may not be the same as the one that was used to burn the CD-ROM.|
|<source lang="bash">dd if=system.img of=/dev/sdc bs=4096 conv=noerror</source>||Restores a hard disk drive (or an SD card, for example) from a previously created image.|
|<source lang="bash">dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=noerror</source>||Clones one partition to another.|
|<source lang="bash">dd if=/dev/ad0 of=/dev/ad1 bs=1M conv=noerror</source>||Clones a hard disk drive “ad0” to “ad1”.|
The noerror option means to keep going if there is an error, while the sync option causes output blocks to be padded.
It is possible to repair a master boot record. It can be transferred to and from a repair file.
To duplicate the first two sectors of a floppy drive: <source lang="bash"> dd if=/dev/fd0 of=MBRboot.img bs=512 count=2 </source>
To create an image of only the boot code of the master boot record (without the partition table and without the magic bytes required for booting): <source lang="bash"> dd if=/dev/sda of=MBR_boot.img bs=446 count=1 </source>
dd can modify data in place. For example, this overwrites the first 512 bytes of a file with null bytes:
<source lang="bash"> dd if=/dev/zero of=path/to/file bs=512 count=1 conv=notrunc </source>
The notrunc conversion option means do not truncate the output file — that is, if the output file already exists, just replace the specified bytes and leave the rest of the output file alone. Without this option, dd would create an output file 512 bytes long.
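The boot-code extraction and the notrunc behaviour described above can be tried together on a scratch image. This is an added example, not part of the original page; the file names and function names are hypothetical, and the "disk" is a constructed 1 MiB file.

```bash
#!/bin/sh
# Added example; file names and function names are hypothetical.
# MBR layout used: bytes 0-445 boot code, 446-509 partition table,
# 510-511 signature (0x55 0xAA).

# Build a constructed 1 MiB image standing in for a disk.
make_sample_disk() {    # make_sample_disk IMAGE
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    head -c 446 /dev/zero | tr '\0' 'B' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    head -c 64 /dev/zero | tr '\0' 'P' | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Save boot code and partition table as separate repair files.
split_mbr() {           # split_mbr IMAGE OUTDIR
    dd if="$1" of="$2/boot_code.bin" bs=446 count=1 2>/dev/null
    dd if="$1" of="$2/part_table.bin" bs=1 skip=446 count=64 2>/dev/null
}

# Print the two signature bytes as hex; a bootable MBR gives 55aa.
mbr_signature() {       # mbr_signature IMAGE
    dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Write saved boot code back. bs=446 count=1 stops before the partition
# table; conv=notrunc keeps an image file from being cut to 446 bytes.
restore_boot_code() {   # restore_boot_code BOOTCODE IMAGE
    dd if="$1" of="$2" bs=446 count=1 conv=notrunc 2>/dev/null
}

# Demonstration on the constructed image.
demo=$(mktemp -d)
make_sample_disk "$demo/disk.img"
split_mbr "$demo/disk.img" "$demo"
echo "signature: $(mbr_signature "$demo/disk.img")"
rm -rf "$demo"
```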
To duplicate a disk partition as a disk image file on a different partition: <source lang="bash"> dd if=/dev/sdb2 of=partition.image bs=4096 conv=noerror </source>
For security reasons, it is sometimes necessary to wipe the disk of a discarded device.
To wipe a disk by writing zeros to it, dd can be used this way:
<source lang="bash"> dd if=/dev/zero of=/dev/sda bs=4k </source>
Another approach could be to wipe a disk by writing random data to it:
<source lang="bash"> dd if=/dev/urandom of=/dev/sda bs=4k </source>
When compared to the data modification example above, the notrunc conversion option is not required as it has no effect when dd's output file is a block device.
The bs=4k option makes dd read and write 4 kilobytes at a time. For modern systems, an even greater block size may be beneficial due to the transport capacity (think RAID systems). Note that filling the drive with random data will always take a lot longer than zeroing the drive, because the random data must be rendered by the CPU and/or HWRNG first, and different designs have different performance characteristics. (The PRNG behind /dev/urandom may be slower than libc's.) On most relatively modern drives, zeroing the drive will render any data it contains permanently irrecoverable.
Zeroing the drive will render any data it contains irrecoverable by software; however it still may be recoverable by special laboratory techniques.
The shred program provides an alternate method for the same task, and finally, the wipe program present in many Linux distributions provides an elaborate tool (the one that does it “well”, going back to the Unix philosophy mentioned before) with many ways of clearing.
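A zero-fill is only useful if it is checked afterwards by reading the target back. The following added example (not from the original page; function names are hypothetical) zero-fills a constructed file that stands in for the device and then verifies that no non-zero byte remains.

```bash
#!/bin/sh
# Added example; function names are hypothetical. It runs on a regular
# file standing in for the device, so no real disk is touched.

# Read TARGET back through dd and count bytes that are not 0x00.
# On a real device, GNU dd's iflag=direct (shown earlier on this page)
# makes the read-back bypass the file system cache.
nonzero_bytes() {   # nonzero_bytes TARGET
    dd if="$1" bs=4096 2>/dev/null | LC_ALL=C tr -d '\000' | wc -c | tr -d ' '
}

# Overwrite exactly the current length of TARGET with zeros. A block
# device ends the copy itself; a regular file needs count= to stop and
# conv=notrunc to keep its length. The tail that does not fill a whole
# 4096-byte block is written by a second dd with bs=1.
zero_fill() {       # zero_fill TARGET
    size=$(wc -c < "$1" | tr -d ' ')
    full=$((size / 4096))
    rest=$((size % 4096))
    dd if=/dev/zero of="$1" bs=4096 count="$full" conv=notrunc 2>/dev/null
    if [ "$rest" -gt 0 ]; then
        dd if=/dev/zero of="$1" bs=1 seek=$((full * 4096)) count="$rest" \
            conv=notrunc 2>/dev/null
    fi
}

# Exit status 0 only if every byte of TARGET reads back as zero.
verify_zeroed() {   # verify_zeroed TARGET
    [ "$(nonzero_bytes "$1")" -eq 0 ]
}

# Demonstration: a constructed 10007-byte file filled with 'S'.
img=$(mktemp)
head -c 10007 /dev/zero | tr '\0' 'S' > "$img"
echo "before: $(nonzero_bytes "$img") non-zero bytes"
zero_fill "$img"
verify_zeroed "$img" && echo "after: all zero"
rm -f "$img"
```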
, whose copyright notice starts in 1985, with one block size per dd process, and no recovery algorithm other than the user's interactive session running one form of dd after another. Then, a C program called
was written in October 1999, having two block sizes in its algorithm. However, the author of the 2003 shell script
, which enhances
's data recovery algorithm, recommends GNU
a data recovery program unrelated to dd that was initially released in 2004.
To help distinguish the newer GNU program from the older script, alternate names are sometimes used for GNU's
(the name on freecode.com and freshmeat.net),
(Debian package name), and
(openSUSE package name). Another open-source program called
uses a sophisticated algorithm, but it also requires the installation of its own programming-language interpreter.
To benchmark a drive and analyze the sequential (and usually single-threaded) system read and write performance for 1024-byte blocks:
<source lang="bash">
dd if=/dev/zero bs=1024 count=1000000 of=file_1GB
dd if=file_1GB of=/dev/null bs=1024
</source>
To make a file of 100 random bytes using the kernel random driver: <source lang="bash"> dd if=/dev/urandom of=myrandom bs=100 count=1 </source>
To convert a file to uppercase: <source lang="bash"> dd if=filename of=filename1 conv=ucase,notrunc </source>
As stated in a part of documentation provided by Seagate, “certain disc
utilities, such as DD, which depend on low-level disc
uses the kernel to read or write to raw device files instead of accessing hardware directly.
At the same time, support for 48-bit LBA has been present since version 2.4.23 of the kernel, released in 2003.<ref>Linux-2.4.23 released, Linux kernel mailing list, 2003.</ref>
dcfldd is a fork of dd that is an enhanced version developed by Nick Harbour, who at the time was working for the United States' Department of Defense Computer Forensics Lab. Compared to dd, dcfldd allows for more than one output file, supports simultaneous multiple checksum calculations, provides a verification mode for file matching, and can display the percentage progress of an operation.
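Hashing during the copy and verifying the image later, which dcfldd offers built in, can be approximated with plain dd. This is an added example, not dcfldd's or the page's own code; the function names and the .sha256 sidecar file are hypothetical conventions, sha256sum from GNU coreutils is assumed, and the source is a constructed file.

```bash
#!/bin/sh
# Added example; function names and the .sha256 sidecar file are
# hypothetical conventions. Assumes sha256sum (GNU coreutils).

# Copy SRC to IMG with dd and hash the same byte stream in one pass,
# storing the digest beside the image.
image_with_hash() {     # image_with_hash SRC IMG
    dd if="$1" bs=4096 2>/dev/null | tee "$2" | sha256sum | cut -d' ' -f1 > "$2.sha256"
}

# Hash a file or device by reading it through dd.
hash_of() {             # hash_of PATH
    dd if="$1" bs=4096 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Exit status 0 only if IMG still matches the digest recorded when the
# image was taken.
verify_image() {        # verify_image IMG
    [ "$(hash_of "$1")" = "$(cat "$1.sha256")" ]
}

# Demonstration on a constructed 1 MiB source file filled with 'A'.
work=$(mktemp -d)
head -c 1048576 /dev/zero | tr '\0' 'A' > "$work/source.bin"
image_with_hash "$work/source.bin" "$work/backup.img"
verify_image "$work/backup.img" && echo "image verified"
# A single changed byte in the image must make verification fail.
printf 'X' | dd of="$work/backup.img" bs=1 seek=12345 conv=notrunc 2>/dev/null
verify_image "$work/backup.img" || echo "image modified since acquisition"
rm -rf "$work"
```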