Wednesday, 17 August 2011

How to Disk Dump dd

Disk Dump is nothing less than a life saviour when we're talking about disk disaster recovery or even data forensics.

Here's a quick list of the main uses for the dd tool.

· Create a backup

dd if=/dev/sda of=/opt/backup_sda.img

· Restore a backup

dd if=/opt/backup_sda.img of=/dev/sda

· Clone a hard disk

dd if=/dev/sdb of=/dev/sdc

· Transfer a disk image

dd if=/dev/sdb | ssh root@target "(cat >backup.img)"

· Create an iso image of a CD/DVD

dd if=/dev/cdrom of=cdimage.iso

· Burn an iso image of a CD/DVD

dd if=cdimage.iso of=/dev/cdrom obs=32k seek=0

· Rescue a file that contains bad blocks

dd if=movie.avi of=rescued_movie.avi conv=noerror,sync

· Create your own bootloader

dd conv=notrunc if=bootloader of=qemu.img

· Create a backup of your MBR

dd if=/dev/sdb of=mbr_backup bs=512 count=1

· Restore a backup of your MBR

dd if=mbr_backup of=/dev/sdb bs=512 count=1

· Mount a dd image of an entire disk

You must use the start sector of the partition, as reported by fdisk.

fdisk -u -l disk_image

Disk /mnt/storage/disk_image: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x41172ba5

                   Device Boot   Start       End    Blocks  Id  System
/mnt/storage/disk_image1            63     64259    32098+  de  Dell Utility
/mnt/storage/disk_image2   *     64260  78108029  39021885   7  HPFS/NTFS
Partition 2 has different physical/logical endings:
     phys=(1023, 254, 63) logical=(4861, 254, 63)


Then take the start sector of the partition that you want to mount (64260 in this case) and multiply it by the sector size of 512 bytes, i.e. 512*64260=32901120

mount -o loop,offset=32901120 -t auto /mnt/storage/disk_image /mnt/drive_image

· When the hard disk has errors

Get the dd_rescue tool

dd_rescue /dev/sdb /opt/backup_sdb.img
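
The mount-offset step above can be scripted instead of read off fdisk by eye. This is an added example, not from the original post: the function names (part_offset, make_sample_image, demo) and the sample image are constructed for illustration. It assumes a classic MBR partition table with 512-byte sectors, and adds the ro mount option so the image is not modified.

```shell
#!/bin/sh
# Added example: read the MBR partition table straight from a raw dd image
# and compute the byte offset for "mount -o loop,offset=...".
SECTOR=512   # assumption: 512-byte sectors, as in the fdisk output above

# part_offset IMAGE N -> prints byte offset of primary partition N (1-4)
part_offset() {
    img=$1; n=$2
    case $n in [1-4]) ;; *) echo "partition must be 1-4" >&2; return 1 ;; esac
    # Bytes 510-511 of a valid MBR hold the signature 0x55 0xAA (85 170).
    set -- $(dd if="$img" bs=1 skip=510 count=2 2>/dev/null | od -An -tu1)
    [ "$#" -eq 2 ] && [ "$1" -eq 85 ] && [ "$2" -eq 170 ] ||
        { echo "no MBR signature in $img" >&2; return 1; }
    # Entry N starts at byte 446+16*(N-1); its start LBA is the
    # little-endian 32-bit value at bytes 8-11 of the entry.
    set -- $(dd if="$img" bs=1 skip=$((446 + 16 * (n - 1) + 8)) count=4 \
             2>/dev/null | od -An -tu1)
    [ "$#" -eq 4 ] || { echo "short read from $img" >&2; return 1; }
    lba=$(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
    [ "$lba" -gt 0 ] || { echo "partition $n is empty" >&2; return 1; }
    echo $((lba * SECTOR))
}

# make_sample_image PATH -> constructed 512-byte MBR mirroring the layout
# above: partition 1 (type de) at sector 63, partition 2 (type 07) at 64260.
make_sample_image() {
    out=$1
    dd if=/dev/zero of="$out" bs=512 count=1 2>/dev/null
    put() { printf "$2" | dd of="$out" bs=1 seek="$1" conv=notrunc 2>/dev/null; }
    put 450 '\336'; put 454 '\077\000\000\000'   # entry 1: type, start LBA 63
    put 466 '\007'; put 470 '\004\373\000\000'   # entry 2: type, start LBA 64260
    put 510 '\125\252'                           # boot signature 55 AA
}

demo() {
    tmp=$(mktemp) && make_sample_image "$tmp" || return 1
    off=$(part_offset "$tmp" 2) || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    # Printed, not executed: mounting needs root; "ro" keeps the image unmodified.
    echo "mount -o ro,loop,offset=$off -t auto /mnt/storage/disk_image /mnt/drive_image"
}
demo
```

On a real image, call part_offset with the image path and the partition number, then pass the result to mount as the offset value.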
