Dd (Unix)

dd is a utility to create a disk dump by reading every single block on a disk, e.g. your hard drive. However, its architecture is laid out so it can do much more than creating a dump. See the table of contents:

Disk Backup

Create a backup

Say we have a hard disk /dev/sda that we want to back up entirely (sector by sector) to a USB volume /dev/sdb1, mounted on /mnt/sdb1. We call this a dump or an image of /dev/sda. The dump shall be named backup.img. Here is the dd command:

dd if=/dev/sda of=/mnt/sdb1/backup.img
In this command, if stands for input file and of for output file.

Restore a backup

To restore this backup, we boot from a live CD and run the command with input and output swapped. This overwrites all content on your hard disk, which is the intention.

dd if=/mnt/sdb1/backup.img of=/dev/sda

Clone a harddisk

To clone a disk A to B, both disks need to have the same capacity. It is very convenient for USB disks. Say our USB disk source is called /dev/sdb and the target is called /dev/sdc. Do it like this:

dd if=/dev/sdb of=/dev/sdc
Now if sdc has a bigger capacity, this capacity will be lost because the file system is not aware of it.

Transfer a disk image

To transfer a disk image over the network to a computer named target, where user is a placeholder for your account on that machine, use

dd if=/dev/sdb | ssh user@target "(cat >backup.img)"

Create an ISO image of a CD

To create an ISO image of a CD, read it block-by-block and save the blocks to a file:

dd if=/dev/cdrom of=cdimage.iso

Rescue a file that contains bad blocks

If your favorite movie or song cannot be played any longer because the file is corrupt, you can use dd to ignore the corrupt part:

dd if=movie.avi of=rescued_movie.avi conv=noerror

Analyze your disk

DD is great to learn about your system. To analyze your disk by displaying selected blocks, in this case block 1001 of /dev/sdc1 use:

dd if=/dev/sdc1 count=1 skip=1000

To see the first 40 bytes of your first harddisk as a hexdump use

dd if=/dev/sda bs=1 count=40 | hexdump -C
Here, bs stands for blocksize.

Create your own bootloader

To create your own operating system by dumping your bootloader to the boot sector of a bootable disk image use

dd conv=notrunc if=bootloader of=qemu.img

Benchmark the throughput of your disks

To benchmark the throughput of your disk /dev/sda1, e.g. for different block sizes, proceed like this:

# dd if=/dev/sdg1 of=/dev/null bs=512 count=1000000
1000000+0 records in
1000000+0 records out
512000000 bytes (512 MB) copied, 4.25186 s, 120 MB/s
# dd if=/dev/sdg1 of=/dev/null bs=4096 count=1000000
1000000+0 records in
1000000+0 records out
4096000000 bytes (4.1 GB) copied, 29.8747 s, 137 MB/s
However, make sure you have read How caching works first, otherwise you will be surprised by a mysterious acceleration like this:
# dd if=/dev/sdg1 of=/dev/null bs=512 count=1000000
1000000+0 records in
1000000+0 records out
512000000 bytes (512 MB) copied, 4.25186 s, 120 MB/s
# dd if=/dev/sdg1 of=/dev/null bs=512 count=1000000
1000000+0 records in
1000000+0 records out
512000000 bytes (512 MB) copied, 0.417317 s, 1.2 GB/s
It is best to circumvent the file system cache completely using direct I/O:
# dd iflag=direct if=/dev/sdg1 of=/dev/null bs=512 count=100000
100000+0 records in
100000+0 records out
51200000 bytes (51 MB) copied, 5.01053 s, 10.2 MB/s

Windows counterpart

The WinDos counterpart of dd is rawrite.

Provided by

Most (all?) Linux distributions incorporate this from the GNU Coreutils: man page

Related Commands

  • cp - copies files
  • dd_rescue - recover media with errors on it.
  • mv - Moves or renames files
  • rm - Removes files
  • mkdir - Creates a directory
  • install - Copy and set permissions
  • shred - Remove files securely

Command Filehandling

dd is a command-line utility for Unix and Unix-like operating systems whose primary purpose is to convert and copy files.

On Unix, device drivers for hardware (such as hard disk drives) and special device files (such as /dev/zero and /dev/random) appear in the file system just like normal files; dd can also read and/or write from/to these files, provided that function is implemented in their respective driver. As a result, dd can be used for tasks such as backing up the boot sector of a hard drive, and obtaining a fixed amount of random data. The dd program can also perform conversions on the data as it is copied, including byte order swapping and conversion to and from the ASCII and EBCDIC text encodings.


The name dd is an allusion to the DD statement found in IBM's Job Control Language (JCL), in which the initials stand for “Data Definition”. The command's syntax resembles the JCL statement more than it does other Unix commands, so the syntax may have been a joke.

Originally intended to convert between ASCII and EBCDIC, dd first appeared in Version 5 Unix. The dd command is specified by IEEE Std 1003.1-2008, which is part of the Single UNIX Specification.


The command line syntax of dd differs from many other Unix programs, in that it uses the syntax option=value for its command line options, rather than the more-standard -option value or --option=value formats. By default, dd reads from stdin and writes to stdout, but these can be changed by using the if (input file) and of (output file) options.

Usage varies across different operating systems. Also, certain features of dd will depend on the computer system capabilities, such as dd's ability to implement an option for direct memory access. Sending a SIGINFO signal (or a USR1 signal on Linux) to a running dd process makes it print I/O statistics to standard error once and then continue copying. dd can read standard input from the keyboard. When end-of-file (EOF) is reached, dd will exit. Signals and EOF are determined by the software. For example, Unix tools ported to Windows vary as to the EOF: Cygwin uses <ctrl-d> (the usual Unix EOF) and MKS Toolkit uses <ctrl-z> (the usual Windows EOF).

Output messages

The GNU variant of dd as supplied with coreutils on Linux does not describe the format of the messages displayed on standard output on completion. However, these are described by other implementations, e.g. that with BSD.

Each of the “Records in” and “Records out” lines shows the number of complete blocks transferred + the number of partial blocks, e.g. because the physical medium ended before a complete block was read, or a physical error prevented reading the complete block.

Block size

A block is a unit measuring the number of bytes that are read, written, or converted at one time. Command line options can specify a different block size for input/reading (ibs) compared to output/writing (obs), though the block size (bs) option will override both ibs and obs. The default value for both input and output block sizes is 512 bytes (the traditional block size of disks, and POSIX-mandated size of “a block”). The count option for copying is measured in blocks, as are both the skip count for reading and seek count for writing. Conversion operations are also affected by the “conversion block size” (cbs).

For some uses of the dd command, block size may have an effect on performance. For example, when recovering data from a hard disk, a small block size will generally cause the most bytes to be recovered. Issuing many small reads is an overhead and may be non-beneficial to execution performance. For greater speed during copy operations, a larger block size may be used. However, because the amount of bytes to copy is given by bs×count, it is impossible to copy a prime number of bytes in a single dd command without making one of two bad choices, bs=N count=1 (memory use) or bs=1 count=N (read request overhead). Alternative programs (see below) permit specifying bytes rather than blocks. When dd is used for network transfers, the block size may also have an impact on packet size, depending on the network protocol used.

The value provided for block size options is interpreted as a decimal (base 10) integer and can also include suffixes to indicate multiplication. The suffix w means multiplication by 2, b means 512, k means 1024, M means 1024 × 1024, G means 1024 × 1024 × 1024, and so on. Additionally, some implementations understand the x character as a multiplication operator for both block size and count parameters.

For example, a block size such as bs=2x80x18b is interpreted as 2 × 80 × 18 × 512 = 1474560 bytes, the exact size of a 1440 KiB floppy disk.
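The suffix and x rules above can be checked with a small evaluator. This is an added example, not part of the original page or of dd itself; the function name dd_bytes is made up here, and it handles only the suffixes listed in the text.

```shell
#!/bin/sh
# Added example: expand a dd size operand (as used with bs=, count=, ...) into
# bytes, following the suffix rules described above. dd_bytes is a made-up name.

dd_bytes() {
    [ -n "$1" ] || { echo "empty operand" >&2; return 1; }
    total=1
    old_ifs=$IFS
    set -f; IFS=x           # split the operand on the x multiplication operator
    set -- $1
    IFS=$old_ifs; set +f
    for term in "$@"; do
        case $term in
            *w) n=${term%w}; mult=2 ;;                        # 2-byte words
            *b) n=${term%b}; mult=512 ;;                      # 512-byte blocks
            *k) n=${term%k}; mult=1024 ;;
            *M) n=${term%M}; mult=$((1024 * 1024)) ;;
            *G) n=${term%G}; mult=$((1024 * 1024 * 1024)) ;;
            *)  n=$term;     mult=1 ;;
        esac
        # reject anything that is not a plain decimal number
        case $n in
            ''|*[!0-9]*) echo "bad term: $term" >&2; return 1 ;;
        esac
        # strip leading zeros so the shell does not read the value as octal
        while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n=${n#0}; done
        total=$((total * n * mult))
    done
    echo "$total"
}

dd_bytes 2x80x18b    # 1474560, the 1440 KiB floppy from the text
dd_bytes 4k          # 4096
```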



The dd command can be used for a variety of purposes.

Data transfer

dd can duplicate data across files, devices, partitions and volumes. The data may be input or output to and from any of these; but there are important differences concerning the output when going to a partition. Also, during the transfer, the data can be modified using the conv options to suit the medium.

An attempt to copy the entire disk using

may omit the final block if it is of an unexpected length

; whereas dd may succeed. The source and destination disks should have the same size.

Data transfer forms of dd

dd if=/dev/sr0 of=myCD.iso bs=2048 conv=noerror,sync
Creates an ISO disk image from a CD-ROM; in some cases the created ISO image may not be the same as the one that was used to burn the CD-ROM.

dd if=system.img of=/dev/sdc bs=4096 conv=noerror
Restores a hard disk drive (or an SD card, for example) from a previously created image.

dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=noerror
Clones one partition to another.

dd if=/dev/ad0 of=/dev/ad1 bs=1M conv=noerror
Clones a hard disk drive “ad0” to “ad1”.

The noerror option means to keep going if there is an error, while the sync option causes output blocks to be padded. Without sync, a block that fails to read is left out of the output, so all data after it ends up at a lower offset than on the source.

Master boot record backup and restore

It is possible to repair a master boot record. It can be transferred to and from a repair file.

To duplicate the first two sectors of a floppy drive:

dd if=/dev/fd0 of=MBRboot.img bs=512 count=2

To create an image of the entire x86 master boot record (including a MS-DOS partition table and MBR magic bytes):

dd if=/dev/sda of=MBR.img bs=512 count=1

To create an image of only the boot code of the master boot record (without the partition table and without the magic bytes required for booting):

dd if=/dev/sda of=MBR_boot.img bs=446 count=1

Data modification

dd can modify data in place. For example, this overwrites the first 512 bytes of a file with null bytes:

dd if=/dev/zero of=path/to/file bs=512 count=1 conv=notrunc

The notrunc conversion option means do not truncate the output file; that is, if the output file already exists, just replace the specified bytes and leave the rest of the output file alone. Without this option, dd would create an output file 512 bytes long.
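The master boot record layout from the previous section and the effect of notrunc can be seen together when boot code is written back into a disk image file. The following is an added example, not from the original page; it works on a constructed 4-sector image in a temporary directory, and all function and file names are made up for the illustration.

```shell
#!/bin/sh
# Added example on a constructed image file; no real device is touched.
# MBR layout: bytes 0-445 boot code, 446-509 partition table, 510-511 = 55 aa.

hex_at() {      # hex_at FILE OFFSET LENGTH: hex digits of that byte range
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

size_of() { wc -c < "$1" | tr -d ' '; }

mbr_is_valid() { [ "$(hex_at "$1" 510 2)" = "55aa" ]; }

make_disk() {   # constructed 4-sector image with recognisable MBR contents
    dd if=/dev/zero of="$1" bs=512 count=4 2>/dev/null
    printf 'OLDBOOT'  | dd of="$1" bs=1 seek=0   conv=notrunc 2>/dev/null
    printf 'PTABLE'   | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# restore_boot_code BOOT IMAGE [CONV]: write the 446 boot-code bytes back.
# CONV defaults to conv=notrunc; pass "" to reproduce the truncation.
restore_boot_code() {
    dd if="$1" of="$2" bs=446 count=1 ${3-conv=notrunc} 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_disk "$dir/disk.img"
    cp "$dir/disk.img" "$dir/bad.img"
    # stand-in for a known-good boot code backup (MBR_boot.img in the text)
    dd if=/dev/zero of="$dir/boot.bin" bs=446 count=1 2>/dev/null

    restore_boot_code "$dir/boot.bin" "$dir/disk.img"
    echo "notrunc: $(size_of "$dir/disk.img") bytes, table $(hex_at "$dir/disk.img" 446 6)"
    mbr_is_valid "$dir/disk.img" && echo "notrunc: signature intact"

    restore_boot_code "$dir/boot.bin" "$dir/bad.img" ""
    echo "no notrunc: $(size_of "$dir/bad.img") bytes"
    mbr_is_valid "$dir/bad.img" || echo "no notrunc: table and signature gone"
    rm -rf "$dir"
}
demo
```

With notrunc the image keeps its 2048 bytes, partition table and 55 aa signature; without it the image file shrinks to the 446 bytes that were written.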

To duplicate a disk partition as a disk image file on a different partition:

dd if=/dev/sdb2 of=partition.image bs=4096 conv=noerror

Disk wipe

For security reasons, it is sometimes necessary to have a disk wipe of a discarded device.

To wipe a disk by writing zeros to it, dd can be used this way:

dd if=/dev/zero of=/dev/sda bs=4k

Another approach could be to wipe a disk by writing random data to it:

dd if=/dev/urandom of=/dev/sda bs=4k

When compared to the data modification example above, the notrunc conversion option is not required as it has no effect when dd's output file is a block device.



The bs=4k option makes dd read and write 4 kilobytes at a time. For modern systems, an even greater block size may be beneficial due to the transport capacity (think RAID systems). Note that filling the drive with random data will always take a lot longer than zeroing the drive, because the random data must be rendered by the CPU and/or HWRNG first, and different designs have different performance characteristics. (The PRNG behind /dev/urandom may be slower than libc's.) On most relatively modern drives, zeroing the drive will render any data it contains permanently irrecoverable.


Zeroing the drive will render any data it contains irrecoverable by software; however it still may be recoverable by special laboratory techniques.

The shred program provides an alternate method for the same task, and finally, the wipe program present in many Linux distributions provides an elaborate tool (the one that does it “well”, going back to the Unix philosophy mentioned before) with many ways of clearing.

Data recovery

The early history of open-source software for data recovery and restoration of files, drives and partitions included the GNU dd, whose copyright notice starts in 1985, with one block size per dd process, and no recovery algorithm other than the user's interactive session running one form of dd after another. Then, a C program called


was written in October 1999, having two block sizes in its algorithm. However, the author of the 2003 shell script

, which enhances

's data recovery algorithm, recommends GNU



a data recovery program unrelated to dd that was initially released in 2004.

To help distinguish the newer GNU program from the older script, alternate names are sometimes used for GNU's

, including

(the name on and,

(Debian package name), and

(openSUSE package name). Another open-source program called

uses a sophisticated algorithm, but it also requires the installation of its own programming-language interpreter.

Benchmarking drive performance

To benchmark a drive and analyze the sequential (and usually single-threaded) system read and write performance for 1024-byte blocks:

dd if=/dev/zero bs=1024 count=1000000 of=file_1GB
dd if=file_1GB of=/dev/null bs=1024

Generating a file with random data

To make a file of 100 random bytes using the kernel random driver:

dd if=/dev/urandom of=myrandom bs=100 count=1

Converting a file to upper case

To convert a file to uppercase:

dd if=filename of=filename1 conv=ucase,notrunc


As stated in a part of documentation provided by Seagate, “certain disc utilities, such as DD, which depend on low-level disc access may not support 48-bit LBAs until they are updated” (Windows 137GB (128 GiB) Capacity Barrier, Seagate Technology, March 2003).

Using ATA hard disk drives over 128 GiB in size requires system support for 48-bit LBA; however, in Linux, dd uses the kernel to read or write to raw device files instead of accessing hardware directly. At the same time, support for 48-bit LBA has been present since version 2.4.23 of the kernel, released in 2003 (Linux-2.4.23 released, Linux kernel mailing list, 2003).


dcfldd is a fork of dd that is an enhanced version developed by Nick Harbour, who at the time was working for the United States' Department of Defense Computer Forensics Lab. Compared to dd, dcfldd allows for more than one output file, supports simultaneous multiple checksum calculations, provides a verification mode for file matching, and can display the percentage progress of an operation.
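With plain dd, a checksum of the data can still be taken in the same pass that writes the image, and the image can be checked against it later. This is an added example, not part of the original page and not dcfldd's own mechanism; it assumes sha256sum from coreutils, uses a constructed source file instead of a device, and the function names are made up here.

```shell
#!/bin/sh
# Added example: hash the data while plain dd images it, then verify the
# image later. Uses a constructed source file; function names are made up.

# image_with_hash SRC IMG: copy SRC to IMG in one pass over the source and
# print the SHA-256 of exactly the bytes that were read.
image_with_hash() {
    dd if="$1" bs=4096 2>/dev/null | tee "$2" | sha256sum | cut -d' ' -f1
}

# verify_image IMG EXPECTED: re-read the image and compare it with the
# hash recorded when the image was taken.
verify_image() {
    [ "$(sha256sum < "$1" | cut -d' ' -f1)" = "$2" ]
}

demo() {
    dir=$(mktemp -d)
    # constructed 1 MiB source standing in for a disk
    dd if=/dev/zero bs=4096 count=256 2>/dev/null | tr '\0' 'A' > "$dir/src.img"

    digest=$(image_with_hash "$dir/src.img" "$dir/backup.img")
    echo "acquired: $digest"
    verify_image "$dir/backup.img" "$digest" && echo "image verified"

    # a single changed byte in the stored image is detected
    printf 'X' | dd of="$dir/backup.img" bs=1 seek=1000 conv=notrunc 2>/dev/null
    verify_image "$dir/backup.img" "$digest" || echo "image was modified"
    rm -rf "$dir"
}
demo
```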

dd.txt · Last modified: 2016/10/26 23:23 by Mike J. Kreuzer PhD MCSE MCT Microsoft Cloud Ecosystem