Disk Imaging?

Nicholas Leippe nick at byu.edu
Tue Sep 6 10:27:43 MDT 2005

On Tuesday 06 September 2005 10:19 am, Matthew Ross Walker wrote:
> I just discovered a compromised server on my network at work, and I want
> to get the disk imaged so that I have a forensic copy around for further
> investigation, without having to keep the server isolated.
> I'm pretty sure 'dd' is the utility I need to use, but I'm having
> trouble finding the exact syntax for making a mirror of an existing
> drive. Any help?

dd if=$a of=$b bs=$c count=$d

$a = drive to image, e.g. /dev/hdb (or partition /dev/hdb1)
$b = target drive or file, e.g. /dev/hdc or /path/to/image/file
$c = 512 (block size)
$d = number of blocks, or leave off the count parameter entirely and
     dd will read until EOF

fdisk -l can tell you how many blocks there are


Nicholas Leippe
Sales Team Automation, LLC
1335 West 1650 North, Suite C
Springville, UT  84663 +1 801.853.4090
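
The dd invocation from this reply, wrapped with a SHA-256 comparison so the image can later be shown to match the source (an added example, not part of the original post). It assumes GNU coreutils (sha256sum), a source that is not being written to while it is read, and an image file rather than a second drive as the target; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: image a source with dd, then confirm the image by SHA-256.
# Usage: sh image.sh SRC IMAGE_FILE   (no arguments: runs on a constructed sample)

sha256_of() {
    # Print only the hex digest of a file or block device.
    sha256sum "$1" | awk '{print $1}'
}

image_and_verify() {
    iv_src=$1
    iv_img=$2
    if [ ! -r "$iv_src" ]; then echo "cannot read $iv_src" >&2; return 2; fi
    # Never overwrite an earlier image.
    if [ -e "$iv_img" ]; then echo "$iv_img already exists" >&2; return 2; fi
    iv_before=$(sha256_of "$iv_src")
    # An empty digest means hashing failed; do not let two empty strings "match".
    if [ -z "$iv_before" ]; then echo "could not hash $iv_src" >&2; return 2; fi
    # bs=512 as in the post; count is left off, so dd reads until EOF.
    dd if="$iv_src" of="$iv_img" bs=512 2>"$iv_img.ddlog" || return 3
    iv_after=$(sha256_of "$iv_img")
    # A mismatch means the source changed while it was read or the copy is incomplete.
    if [ "$iv_before" != "$iv_after" ]; then
        echo "MISMATCH: $iv_before (source) vs $iv_after (image)" >&2
        return 1
    fi
    # Record the digest in 'sha256sum -c' format, then make the image read-only.
    printf '%s  %s\n' "$iv_after" "$iv_img" > "$iv_img.sha256"
    chmod a-w "$iv_img"
    echo "$iv_after"
}

if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
elif [ "$#" -eq 0 ]; then
    # Constructed sample: a 1 MiB file of random bytes stands in for the drive.
    demo_dir=$(mktemp -d)
    dd if=/dev/urandom of="$demo_dir/disk" bs=512 count=2048 2>/dev/null
    image_and_verify "$demo_dir/disk" "$demo_dir/disk.img"
    rm -rf "$demo_dir"
fi
```

The .sha256 file written next to the image can be rechecked at any later point with sha256sum -c, run from the same working directory.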

More information about the PLUG mailing list