Using dd Command
You can use this lab to familiarize yourself with the dd (data duplicator) command on a Kali Linux system.
Prerequisites: Launch a terminal within a Linux operating system.
Warning: The dd command can be a data destroyer command if not used properly. When doing this lab, it’s best to do it within a non-production environment. For example, if you perform the command after booting to Kali Linux from a USB, you can easily rebuild it.
This lab is in two parts.
Part I: Identify your Disk Partitions in Kali Linux.
Part II: Run the dd Command.
Identify your Disk Partitions in Kali Linux
Warning: You can destroy a partition with fdisk. If you follow these instructions exactly, you will not make any changes. However, it’s still best to do this lab within a non-production environment, such as Kali Linux running as a virtual machine.
1. Start fdisk with this command:
/sbin/fdisk /dev/sda
Note that there is a space between /sbin/fdisk and /dev/sda.
2. Enter i and press Enter to view information about partitions.
Notice that the figure shows three partitions, numbered 1, 2, and 5.
3. Enter 1 and press Enter to view information about partition 1.
You’ll see that the device is /dev/sda2 and the size is 510M (indicating 510 MB).
4. Type i and press Enter again. This time type 5 and press Enter. This will show you the details of /dev/sda5.
5. Type q and press Enter to exit fdisk without writing any changes.
6. Keep the terminal open so you can run the dd command.
Run the dd Command
Note that dd uses the following operand conventions:
if= indicates the input file (or input source)
of= indicates the output file (or output destination)
1. Enter the following command to see the contents of the current folder:
ls
Note: You can get help on the ls command by querying the manual with the following command:
man ls
2. Enter the following command to create an image file (named sd2disk.img) from the /dev/sda2 partition:
dd if=/dev/sda2 of=sd2disk.img
Note that this creates a bit-for-bit clone of the partition without modifying it; dd only reads from /dev/sda2, which requires root privileges (the default on a Kali live USB).
3. Calculate the SHA1 hash of the file with the following command:
sha1sum sd2disk.img
4. Make a copy of the image file with the following command:
cp sd2disk.img analyzethis.img
Forensic professionals don’t analyze the cloned image directly, because the analysis process can modify the data. Instead, they make a copy of the cloned image and analyze the copy, so the original clone stays intact as the reference.
5. Calculate the hash on the copied file with the following command:
sha1sum analyzethis.img
Note that the hash of the copied file (analyzethis.img) is the same as the hash of the file created by dd (sd2disk.img), which confirms that the copy is identical to the image; if the two hashes ever differ, the copy must not be used for analysis.
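As an added example that is not part of the original lab, here are the Part II steps as one POSIX shell script that also checks the image against its source and the working copy against the image; the source "partition" is a constructed file so it runs without root, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original lab: clone a source with dd, hash
# the clone, copy it for analysis, and confirm every hash matches.
# The source "partition" is a constructed file so this runs without root;
# on Kali the source would be /dev/sda2 as in the lab. Names sd2disk.img and
# analyzethis.img are the lab's; the function names are assumptions.
set -eu

# Print only the hex digest (sha1sum prints "digest  filename").
sha1_of() {
    sha1sum "$1" | cut -d' ' -f1
}

# Return 0 if two files carry the same SHA1, 1 otherwise.
verify_same_hash() {
    [ "$(sha1_of "$1")" = "$(sha1_of "$2")" ]
}

# image_and_verify SOURCE WORKDIR: lab steps 2 to 5 in one go.
# Prints the common SHA1 and returns 0 only if source, image and copy match.
image_and_verify() {
    src=$1; dir=$2
    img="$dir/sd2disk.img"
    copy="$dir/analyzethis.img"

    # Step 2: block-level clone; dd only reads the source.
    dd if="$src" of="$img" bs=4096 2>/dev/null
    # Step 3: hash the clone before anything else touches it, and check it
    # against the source so an incomplete or corrupted read is caught here.
    verify_same_hash "$src" "$img" || { echo "image != source" >&2; return 1; }
    # Step 4: analysts work on a copy, never on the clone itself.
    cp "$img" "$copy"
    # Step 5: the working copy must hash identically to the clone.
    verify_same_hash "$img" "$copy" || { echo "copy != image" >&2; return 1; }
    sha1_of "$copy"
}

# Constructed stand-in for /dev/sda2: 1 MiB of random bytes in a temp dir.
make_sample_partition() {
    dir=$(mktemp -d)
    dd if=/dev/urandom of="$dir/fake_sda2" bs=1024 count=1024 2>/dev/null
    echo "$dir"
}

WORK=$(make_sample_partition)
image_and_verify "$WORK/fake_sda2" "$WORK" && echo "integrity verified"
```

On a real partition, run it as root and pass /dev/sda2 as the source; keep the printed digest alongside the image as the integrity record for the clone.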