Difference between revisions of "Dd - Destroyer of Disks"

From Noah.org
Jump to navigationJump to search
Line 69: Line 69:
 
== Image a drive ==
 
== Image a drive ==
  
This is the most basic usage of `dd:
+
This is the most basic usage of `dd`:
  
 
<pre>
 
<pre>
dd if=/dev/sda of=disk_image
+
dd if=/dev/sda of=drive.img
 
</pre>
 
</pre>
  

Revision as of 12:29, 30 March 2010

These notes cover useful things you can do with `dd`.

Securely erase a drive

This will destroy all data on a drive using `dd`. If you are in a hurry then just drill a hole through the top of case into the platters.

# faster to fill with zeros
dd if=/dev/zero of=/dev/sda bs=1M
# nearly ten times slower, pseudorandom data
dd if=/dev/urandom of=/dev/sda bs=1M

Alternatively, you can do this:

# faster to fill with zeros
cp /dev/zero /dev/sda
# nearly ten times slower, pseduorandom data
cp /dev/urandom /dev/sda

Tinfoil hat paranoia

It takes about 15 minutes to destroy a 1GB file using GNU `shred` (default options). It takes 30 seconds to destroy the file using 'dd if=/dev/zero of=somefile bs=1024 count=1M'. This is on a laptop with a 1.6Ghz dual core, 2GB RAM machine with a Seagate Momentus ST9160823AS laptop drive with ext3 filesystem -- in other words, nothing fancy.

Some people say that this isn't really secure because they heard that it's possible to read data that has been overwritten. This myth of the necessity for using multiple random overwrites for security came about because Dr. Peter Gutmann theorized that overwritten data could be recovered through the use of Scanning transmission electron microscopy. This is all theory -- no one has ever demonstrated this. No commercial data recovery or forensics firms offer any services that can recover overwritten data. Somehow this became accepted as fact and now everyone believes that supposedly the NSA and maybe space aliens can read overwritten bits on a drive. If your data is so sensitive that the government has to call the NSA or hire space aliens then you don't need my advice. Most drive erasure tools use very slow methods to prevent recovery of erased data. These tools overwrite each byte repeatedly with random data. This can take hours to erase a whole drive! Yet there is not a single example of overwritten data having ever been recovered using any exotic, theoretical method.

If you still prefer to use the GNU `shred` command then you may want to put this in your ~/.bashrc or alias file to make it a little more sane:

alias shred='shred --iterations=1'

One step disk wipe tool

This is useful if you want to reuse a lot of drives: Darik's Boot and Nuke

Erase MBR

I had Linux with GRUB installed on a machine. I needed to get rid of it and put Windows on the machine. I used a Ghost recovery disk to restore Windows on it, but Ghost didn't restore the MBR. GRUB was still lurking in the Master Boot Record. On boot GRUB would try to start but would error out. Wiping out the MBR fixed the problem. This will wipe out the MBR of a disk (sda in this example) but keep the partition table and disk signature:

dd if=/dev/zero of=/dev/sda bs=440 count=1

It you also wish to totally erase the entire MBR include disk signature and partition table then use this:

dd if=/dev/zero of=/dev/sda bs=512 count=1

disk signature of boot disk

Disk signature is an obscure topic. These are the 4 bytes in the MBR starting after the first 440 bytes (offset 0x01B8 through 0x01BB). Often you can mess with it without problems, but in certain circumstances Linux may need to see a specific disk signature on the boot disk. The most critical fact is that the disk signature of the primary BOOT disk must be unique. In days past, I did not know the significance of the disk signature so I would often zero it out along with the MBR boot code using `dd if=/dev/zero of=/dev/sda bs=446 count=1`. That is not guaranteed to be harmless. It may cause problems; although, usually it is harmless. It is also bad to COPY a disk image including the MBR and then mount both copies on the same system. The system may not boot or nothing will go wrong at all!

Do not confuse disk signature with MBR signature. The MBR signature is always 0xAA55 starting at offset 0x01FE. It is stored little endian, so 0x01FE:0x55 and 0x01FF:0xAA.

ms-sys

The `ms-sys` command may be helpful in working with the MBR and disk signatures.

See also

EDD
Bios Enhanced Disk Drive Services (EDD) 3.0. This protocol determines which disk BIOS tries boot from. This uses the Disk Signature bytes. These are the 4 bytes in the MBR starting after the first 440 bytes (offset 0x01B8 through 0x01BB).

Image a drive

This is the most basic usage of `dd`:

dd if=/dev/sda of=drive.img

Image a CD or DVD

Note that /dev/cdrom, /dev/dvd, /dev/cdrw, and /dev/scd0 are usually just sym links to /dev/sr0 or some other optical disc device.

The following shows the lame way to a CD-ROM or DVD to an iso file. This works, but it will usually grab a few extra null blocks which will throw off the checksum of the disc image.

dd if=/dev/cdrom of=disk_image.iso

This will precisely create an image a CD-ROM or DVD. This ensures that the image will have exactly the same md5sum or checksum no matter what burning device or operating system is used.

isoinfo -d -i /dev/cdrom
# Take Logical Block Size and Volume Space Size from isoinfo and plug the values into '''bs''' and '''count''' below:
dd if=/dev/cdrom bs=2048 count=326239 conv=notrunc,noerror > disc_image.iso

You can use `isosize` to get the number of blocks Volume Space Size to set count in one-line:

dd if=/dev/dvd bs=2048 count=`isosize -d 2048 /dev/dvd` conv=notrunc,noerror > disc_image.iso

Finally, I alias the following commands. The `cdgen` alias generates an ISO from a directory tree and dumps the image to stdout. The `cddump` alias dumps a disc ISO image to stdout. The `cdburn` alias reads an ISO image from stdin and burns it to a disc.

alias cdgen='genisoimage -quiet -iso-level 3 -J -force-rr -l -N -d -allow-leading-dots -allow-multidot -V "`date --rfc-3339=seconds`" -r '
alias cddump='dd if=/dev/dvd bs=2048 count=`isosize -d 2048 /dev/dvd` conv=notrunc,noerror'
alias cdburn='cdrecord fs=16m speed=8 padsize=63s -pad -dao -v -'

Here are some examples of how these can be used:

cddump | md5sum

Steve Litt's `rawread` script does this automatically with the added advantage this it gets the Logical Block Size as reported by the drive instead of assuming that it is 2048; although, almost all CDs and DVDs use 2048 for the Logical Block Size. I usually just use the alias above.

#!/bin/sh
device=$1

blocksize=`isoinfo -d -i $device | grep "^Logical block size is:" | cut -d " " -f 5`
if test "$blocksize" = ""; then
	echo catdevice FATAL ERROR: Blank blocksize >&2
	exit
fi

blockcount=`isoinfo -d -i $device | grep "^Volume size is:" | cut -d " " -f 4`
if test "$blockcount" = ""; then
	echo catdevice FATAL ERROR: Blank blockcount >&2
	exit
fi

command="dd if=$device bs=$blocksize count=$blockcount conv=notrunc,noerror"
echo "$command" >&2
$command

Steve Litt's `rawread` script can be used to do things like the following. Create an ISO disk dump:

rawread /dev/cdrom > disk_image.iso

check the md5sum of the physical optical disk:

rawread /dev/cdrom | md5sum

Image a drive with compression

Backup
dd if=/dev/sda conv=sync,noerror| gzip -c > drive.img.gz
Restore
gunzip -c drive.img.gz | dd of=/dev/sda conv=sync,noerror

Save drive geometry info because cylinder size helps determine where a partition is stored.
fdisk -l /dev/sda > drive.img./mnt/sda1/hda_fdisk.info
       
Help the drive image compress more by filling unallocated space with zeros. Do this before you create the backup image. Don't do this on images to be used for forensic recovery! This creates a file filled with zeros and then deletes it.
dd if=/dev/zero of=/tmp/delete.me && rm delete.me

Image a drive over a network

You can image a drive and have it stored directly on a remote server. Here are two ways to do this.

Image a drive over a network with `dd` and `ssh`

I like this method better because this does it all from a single command on the sending side and the traffic is encrypted:

dd if=/dev/sda | gzip -c - | ssh user@example.com "dd of=disk_image.iso.gz"

Image a drive over a network with `dd` and `nc` (netcat)

This example uses 192.168.1.100 for the receiving machine's IP address. Port 2222 is used as the listening port on the receiving machine. You may substitute any free port.

First, on the receiving machine start the Netcat listener:

nc -l 2222 > disk_image.gz

Then on the sending side start the pipeline for dd|gzip|nc:

dd bs=1M if=/dev/sda | gzip -c - | nc 192.168.1.100 2222

Notes

If you are doing this on a live server you will need to unmount the drive or switch to single user mode (reboot and set single for boot option in GRUB) or you can boot from a live CD. If you boot into single user mode, don't forget to manually start the network. I have not done a lot of testing with copying a mounted drive in single user mode. This is not the ideal way, but it seems to work. It's better if the drive is not mounted.

Show progress status statistics of `dd`

Operations with `dd` can take a long time. Unfortunately, there is no command-line option to have `dd` print progress, but you can send the `dd` process a USR1 signal to have it print the progress statistics. For example, say you started `dd` and you know its PID is 15045. Example:

kill -USR1 15045

Here is a fancier example this will update every 10 seconds:

dd if=/dev/sda | gzip -c - | ssh user@example.com "dd of=disk_image.gz" &
pid=$!
while ps -p $pid > /dev/null; do kill -USR1 $pid; sleep 10; done