dd is a general-purpose block copying utility rather than a purpose-built forensic tool. It has been part of Unix since the 1970s, and the GNU coreutils version is what is usually meant by "GNU dd"; the Windows build described here is a separate port that accepts the same if=/of=/bs= arguments. dd copies whatever it is pointed at, block by block, so a swapped if= and of= will overwrite the media you meant to preserve: check both arguments before pressing Enter. Used correctly it produces a raw image file that other forensic tools such as EnCase and FTK can open directly.
A Windows build of dd is available at http://www.chrysocome.net/downloads/dd-0.5.zip. It is free software distributed under the GNU General Public License (GPL).
Then you can unzip the download onto your desktop or whichever directory you prefer.
For my demonstration, I created a couple of test partitions and then used the dd utility to do a volume copy of one partition to another. So I created a "G:" and an "H:".
Each partition had exactly the same space for my first attempt, but for my second attempt I gave the H: partition an extra 1GB. Any time you create an image with dd, make sure the destination has at least as much free space as the source: a raw image is exactly the size of the source partition, regardless of how much of it is in use.
Next, open a command prompt as administrator. On Windows Vista and later, raw access to physical drives and volumes requires an elevated process, so dd will fail with an access-denied error from an ordinary prompt.
Navigate to the directory containing the unzipped dd executable.
Then run dd --list to print the devices dd can see, with the names it expects in if= and of=.
The basic structure of dd is:
dd if= of= bs=
where "if" is the input file or device, "of" is the output file or device, and "bs" is the block size in bytes. Any of the device names that dd --list prints can be used for if or of.
dd also accepts pseudo-devices as input. Using /dev/zero as the input (if=) with a partition or drive as the output (of=) writes zeros over the whole target, which wipes it. This is the destructive direction of the same command, so double-check of= before running it.
One note on block size. dd reads and writes in chunks of bs bytes. On Windows, raw device reads must be a multiple of the sector size, 512 bytes on most drives, so 512 is the practical minimum; 512, 1024, 2048, 4096 and larger values such as 65536 are all valid. Block size does not change what is copied: every byte is read exactly once, so the image is identical for any bs. What changes is speed, since each block costs a system call, so imaging a large drive with bs=512 takes far longer than with bs=65536. The one case where a smaller bs helps is damaged media read with conv=noerror,sync (supported by GNU dd; check the Windows port's --help for the same option), where each unreadable block is replaced by bs bytes of zeros, so a small bs loses less data around a bad sector.
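The copy, the capacity check, the /dev/zero wipe and the block-size point above, as an added example that is not code from the original post or from the chrysocome port. It uses GNU dd in a POSIX shell with a file-backed sample partition (a constructed 4 MiB file of random bytes standing in for G:), so it runs without touching a real disk; on Windows, if= and of= would be the device names that dd --list prints, and the sha256sum step corresponds to certutil -hashfile. The preflight checks and the hash comparison are this example's additions, not dd's own behaviour.

```shell
#!/bin/sh
# Added example, not code from the original post. Images a "partition"
# with dd the way the post describes (if= / of= / bs=), then verifies the
# copy with a hash. GNU dd is assumed; on the Windows port, if= would be a
# device name from `dd --list` instead of a regular file.
set -eu

# Constructed sample input: a file of random bytes stands in for the source
# partition (the post's G:). Size is count * 4096 bytes, default 4 MiB.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=4096 count="${2:-1024}" 2>/dev/null
}

# SHA-256 of a file, used to prove source and image are bit-for-bit identical.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Size in bytes of a regular file (a real device would need blockdev
# --getsize64 or the size that dd --list reports on Windows).
size_of() { wc -c < "$1" | tr -d ' '; }

# Preflight checks, then the dd copy. Refuses the mistakes the post warns
# about: writing the image back over its own source, and a destination area
# too small to hold the copy. Also refuses to overwrite an existing image,
# so a typo in of= cannot destroy an earlier acquisition.
image_disk() {
    src=$1; dst=$2; bs=${3:-4096}
    if [ "$src" = "$dst" ]; then
        echo "refusing: if= and of= are the same path ($src)" >&2; return 1
    fi
    if [ -e "$dst" ]; then
        echo "refusing: $dst already exists" >&2; return 1
    fi
    need_kb=$(( ($(size_of "$src") + 1023) / 1024 ))
    free_kb=$(df -Pk "$(dirname "$dst")" | awk 'NR==2 {print $4}')
    if [ "$free_kb" -lt "$need_kb" ]; then
        echo "refusing: need ${need_kb} KiB, only ${free_kb} KiB free" >&2; return 1
    fi
    # conv=noerror,sync keeps going past unreadable blocks and zero-fills
    # them, the usual forensic setting. The fill is bs bytes per failed read,
    # so a smaller bs loses less on bad media; and a bs that does not divide
    # the source size pads the final block with zeros.
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>/dev/null
}

# Copy, then compare hashes. Returns 0 only if source and image are identical.
image_and_verify() {
    image_disk "$1" "$2" "${3:-4096}"
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# The post's wipe: zeros from /dev/zero over the whole target. count is
# derived from the target size so the write stops at its end; notrunc keeps
# the file the same length, as a real partition would be.
wipe_disk() {
    tgt=$1
    dd if=/dev/zero of="$tgt" bs=4096 count=$(( $(size_of "$tgt") / 4096 )) \
        conv=notrunc 2>/dev/null
}

# True when a file contains nothing but zero bytes.
is_all_zero() { [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]; }

# Stand-alone run: image with two very different block sizes and show that
# the images hash the same, i.e. bs changes speed, not content.
main() {
    work=$(mktemp -d)
    make_sample_disk "$work/G.bin"
    image_and_verify "$work/G.bin" "$work/G.bs512.dd" 512
    image_and_verify "$work/G.bin" "$work/G.bs1M.dd" 1048576
    echo "source   $(hash_of "$work/G.bin")"
    echo "bs=512   $(hash_of "$work/G.bs512.dd")"
    echo "bs=1M    $(hash_of "$work/G.bs1M.dd")"
    wipe_disk "$work/G.bs512.dd" && is_all_zero "$work/G.bs512.dd" && echo "wiped ok"
    rm -rf "$work"
}
main
```

The sample size is a multiple of every block size used, so conv=noerror,sync adds no padding; on a real device, pick a bs that divides the device size (512 or 4096 always does) or expect a few trailing zero bytes in the image. Record the hashes alongside the image: the matching hash is what lets the image stand in for the original later.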
For my example I simply copied one partition to another.
This copies the whole partition bit for bit, not just its directories: every sector of G: lands on H:, including unallocated space and any deleted data still present.
I repeated the process, extending the H: partition to 3GB, and this time created an image file with the dd command instead.
This worked as expected.
dd is an easy-to-use tool that images a drive or partition bit by bit. Hash the image and the source afterwards and record both; a matching hash is what lets the image stand in for the original.