Linux Basics for Hackers: Getting Started with
Chapter 9 Creating Bit-by-Bit or Physical Copies of Storage Devices
Within the world of information security and hacking, one Linux archiving command stands above the rest in its usefulness. The dd command makes a bit-by-bit copy of a file, a filesystem, or even an entire hard drive. This means that even deleted files are copied (yes, it's important to know that your deleted files may be recoverable), making for easy discovery and recovery. Deleted files will not be copied with most logical copying utilities, such as cp.

Once a hacker has owned a target system, the dd command will allow them to copy the entire hard drive or a storage device to their system. In addition, those people whose job it is to catch hackers—namely, forensic investigators—will likely use this command to make a physical copy of the hard drive with deleted files and other artifacts that might be useful for finding evidence against the hacker.

It's critical to note that the dd command should not be used for typical day-to-day copying of files and storage devices because it is very slow; other commands do the job faster and more efficiently. It is, though, excellent when you need a copy of a storage device without the filesystem or other logical structures, such as in a forensic investigation.

The basic syntax for the dd command is as follows:

    dd if=inputfile of=outputfile

So, if you wanted to make a physical copy of your flash drive, assuming the flash drive is sdb (we'll discuss this designation more in Chapter 10), you would enter the following:

    kali >dd if=/dev/sdb of=/root/flashcopy
    1257441+0 records in
    1257440+0 records out
    7643809280 bytes (7.6 GB) copied, 1220.729 s, 5.2 MB/s

Let's break down this command: dd is your physical "copy" command; if designates your input file, with /dev/sdb representing your flash drive in the /dev directory; of designates your output file; and /root/flashcopy is the name of the file you want to copy the physical copy to.
(For a more complete explanation of the Linux system designation of drives within the /dev directory, see Chapter 10.)

Numerous options are available to use with the dd command, and you can do a bit of research on these, but among the most useful are the noerror option and the bs (block size) option. As the name implies, the noerror option continues to copy even if errors are encountered. The bs option allows you to determine the block size (the number of bytes read/written per block) of the data being copied. By default, it is set to 512 bytes, but it can be changed to speed up the process. Typically, this would be set to the sector size of the device, most often 4KB (4,096 bytes). With these options, your command would look like this:

    kali >dd if=/dev/media of=/root/flashcopy bs=4096 conv=noerror

As mentioned, it's worth doing a little more research on your own, but this is a good introduction to the command and its common usages.

Summary

Linux has a number of commands to enable you to combine and compress your files for easier transfer. For combining files, tar is the command of choice, and you have at least three utilities for compressing files—gzip, bzip2, and compress—all with different compression ratios. The dd command goes above and beyond. It enables you to make a physical copy of storage devices without the logical structures such as a filesystem, allowing you to recover such artifacts as deleted files.
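As an added example (not from the book), the following shell script applies the if, of, bs and noerror options described in this chapter to image a device and then checks the copy's SHA-256 digest against the source. It assumes GNU coreutils (dd, sha256sum) on Linux, and its demo() uses a constructed file in place of /dev/sdb so that it runs offline.

```shell
#!/bin/sh
# Added example, not from the book: image a storage device with the dd
# options covered in this chapter, then verify the copy by hash.
# Assumptions: GNU coreutils (dd, sha256sum) on Linux; the source device
# is not mounted for writing while it is being read.
set -eu

# image_device SOURCE DEST
# bs=4096 matches the usual sector size. conv=noerror keeps dd running
# past read errors; conv=sync pads a short (failed) block with zeros so
# every later byte keeps its original offset. With noerror alone a bad
# block would simply be dropped and everything after it would shift.
image_device() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync
}

# hash_of PATH: print the SHA-256 digest of a file or device
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image SOURCE DEST: succeed only if both digests match.
# A mismatch means the image is not faithful: a zero-filled bad block,
# a source that changed during the read, or a size not aligned to bs.
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# On a real device this would be:  image_device /dev/sdb /root/flashcopy
# demo() uses a constructed 40 KiB file in place of the device so that the
# script runs offline; like a real device, its size is a multiple of 4096.
demo() {
    work="${TMPDIR:-/tmp}/dd_demo.$$"
    mkdir -p "$work"
    dd if=/dev/urandom of="$work/source.bin" bs=4096 count=10 2>/dev/null
    image_device "$work/source.bin" "$work/source.img" 2>/dev/null
    if verify_image "$work/source.bin" "$work/source.img"; then
        echo "image verified, sha256 $(hash_of "$work/source.img")"
        rc=0
    else
        echo "image does NOT match source" >&2
        rc=1
    fi
    rm -rf "$work"
    return "$rc"
}

demo
```

conv=sync is used alongside noerror so that an unreadable block is zero-filled rather than silently dropped; a source whose size is not a multiple of the block size is padded the same way, which is why the final hash check matters.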