How to examine a DD image on Windows or Linux

In my last technical tip, I explained how to create an exact bit-image copy of a live server using the open source tool DD. That approach is particularly useful for incident response purposes where you want to preserve evidence (the state of the computer) before, or in lieu of, any corrective actions. The result of this process is, obviously, an image of one or more disk drives. The remaining question is: now what?


For incident response situations you may want to examine that image with a forensic tool. Almost every forensic tool will read a DD image; it is a de facto standard alongside Guidance Software's EnCase format. Some of these products are The Sleuth Kit/Autopsy (open source), EnCase, Forensic Toolkit (FTK), Nuix Forensic Desktop, Paraben P3 Explorer, and a slew of other products ranging from free to very expensive. AccessData offers a standalone imaging product for Windows that will create DD- and EnCase-formatted disk images, and can also dump memory to a file if needed.

Beyond forensic examination there are many other ways to examine and use the DD image you created. You could convert the DD image into a VMware image and then start it as a virtual system using the open source Live View application. Additionally, you could mount the image from any Linux distribution and explore it as though it were a physical drive. If you don't have Linux installed somewhere you could boot from a live CD, such as Ubuntu, and then mount the image. You can mount a Windows NTFS-formatted drive from Linux, although not every distribution has that support enabled by default. To attach an image file you need to mount it through a loop device (the loop option to mount). You also want to mount it read-only (the ro option) so that examining the image cannot alter the evidence. Keep in mind that your image was probably an image of a physical disk, which itself contains one or more partitions. The raw disk image has no file system of its own; the partitions inside it do. You can use a tool such as sfdisk or fdisk to view the partition table, work out where the partition you are interested in starts, and then mount just that partition by giving mount the byte offset. This post on the Ubuntu forums shows someone going through this process.
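The partition-offset calculation described above, as an added example that is not part of the original tip: a small POSIX shell script that parses the output format of sfdisk -d for a constructed sample partition table, converts a partition's starting sector into a byte offset, and builds the read-only loop mount command. The image name my_image.dd, the mount point /mnt/evidence and the sample table are assumptions for the example; on a real image you would feed it the output of sfdisk -d against your own file.

```shell
#!/bin/sh
# Added example, not from the original article: locate a partition inside a raw
# dd image and build the read-only loop mount for it. The partition table below
# is constructed sample data in the format printed by `sfdisk -d <image>`.

SAMPLE_SFDISK_DUMP='label: dos
label-id: 0x1a2b3c4d
device: my_image.dd
unit: sectors
sector-size: 512

my_image.dd1 : start=        2048, size=     1024000, type=7
my_image.dd2 : start=     1026048, size=    19945472, type=83'

# partition_offset <sfdisk-dump> <partition-number>
# Prints the byte offset of the partition's first sector within the image.
partition_offset() {
    dump=$1
    n=$2
    # Sector size as reported by sfdisk; older dumps omit it, so default to 512.
    sector_size=$(printf '%s\n' "$dump" | sed -n 's/^sector-size: *//p')
    [ -n "$sector_size" ] || sector_size=512
    # Pick the table line whose device name ends in the requested partition
    # number, then pull the start= value out of it.
    start=$(printf '%s\n' "$dump" \
        | awk -v n="$n" '$1 ~ ("[^0-9]" n "$")' \
        | sed -n 's/.*start= *\([0-9][0-9]*\),.*/\1/p')
    [ -n "$start" ] || { echo "no partition $n in table" >&2; return 1; }
    echo $((start * sector_size))
}

# mount_command <sfdisk-dump> <image> <partition-number> <mountpoint> <fstype>
# Prints the mount invocation (read-only, via a loop device, at the partition's
# offset); run it as root to attach the partition without touching the image.
mount_command() {
    offset=$(partition_offset "$1" "$3") || return 1
    echo "mount -t $5 -o ro,loop,offset=$offset $2 $4"
}

# Usage on a real image: inspect the table with `sfdisk -d my_image.dd`
# (or `fdisk -l my_image.dd`), then for example:
#   partition_offset "$(sfdisk -d my_image.dd)" 1
#   sudo mount -t ntfs -o ro,loop,offset=1048576 my_image.dd /mnt/evidence
```

The mount command is printed rather than executed so the script can be run by a non-root user to check the arithmetic first; mounting the NTFS partition itself needs root and, on distributions that use ntfs-3g, the file system type ntfs-3g instead of ntfs.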

Lastly, you can also take the image and apply it to a hard drive. This is a simple process identical to the imaging process but reversing the input file (if) and output file (of). To write the contents of my_image.dd to the device /dev/sdc you would run the command:

dd if=./my_image.dd of=/dev/sdc

That will, of course, overwrite the contents of the drive /dev/sdc, so be sure to use the correct drive. An interesting, but unrelated, use of DD is to overwrite a hard drive with random data. There are many other ways to do that, but dd on a Linux system can do it too. The following command would write the pseudo-random output of /dev/urandom onto the drive /dev/sdc:

dd if=/dev/urandom of=/dev/sdc
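Because both of the commands above destroy whatever is on the target drive, the following added example (not part of the original tip) wraps the restore step from the paragraph above in a few checks: the image must be readable, the target must not be mounted, and after the write the device is compared back against the image. The /proc/mounts check assumes a Linux host, and the block size and the use of cmp for verification are choices made for this example rather than anything the original article specifies.

```shell
#!/bin/sh
# Added example, not from the original article: write a dd image back to a
# target device only after a few sanity checks, then verify the write.
# The check against /proc/mounts assumes a Linux host.

# restore_image <image> <target-device-or-file>
restore_image() {
    img=$1
    dev=$2
    [ -r "$img" ] || { echo "image not readable: $img" >&2; return 1; }
    [ -e "$dev" ] || { echo "target does not exist: $dev" >&2; return 1; }
    # Refuse to overwrite a disk that is in use: the device itself or any of
    # its partitions (for example /dev/sdc1) appearing in /proc/mounts.
    if [ -r /proc/mounts ] && grep -q "^$dev" /proc/mounts; then
        echo "refusing to write: $dev (or a partition on it) is mounted" >&2
        return 2
    fi
    # Same dd as the imaging step with if= and of= swapped; the 1 MiB block
    # size (an assumption for this example) avoids copying one sector at a time.
    dd if="$img" of="$dev" bs=1048576 || return 3
    sync
    # Verify by reading the target back, limited to the image size because a
    # physical drive is usually larger than the image written onto it.
    size=$(wc -c < "$img" | tr -d ' ')
    cmp -n "$size" "$img" "$dev" >/dev/null || { echo "verification failed" >&2; return 4; }
    echo "restored $size bytes to $dev"
}

# Usage: restore_image ./my_image.dd /dev/sdc
```

The function also works with an ordinary file as the target, which is a convenient way to test it before pointing it at a real block device.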

Hopefully this gave you a few useful ideas of what to do with a DD-formatted bit image of your Windows or Linux server. Be cautious downloading software from the Internet -- the links I provided are safe as far as I know, but that can change in an instant.
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.
Send comments on this technical tip to editor@searchmidmarketsecurity.com
Join our IT Knowledge Exchange discussion forum; please use the midmarket security tag.

This was first published in November 2009
