Windows上でddイメージを取得 (dd - Forensic Acquisition Utilities)

  • Windows上でddイメージを取得する場合は、以下ツールを使用する。

Forensic Acquisition Utilities


  • 「e:」ドライブに割り当てられたリムーバブルメディアのイメージを取得
> dd if=\\.\e: of=usb.dd conv=noerror --localwrt
  • ディスクにエラーがある可能性がある場合は、ブロックサイズを指定する
    • エラーがあった場合、スキップするデータ量を最小限にする
    • イメージ取得に時間が掛かるので注意が必要
> dd if=\\.\e: of=usb.dd conv=noerror bs=512 --localwrt



Copy a device or one or more files or streams, converting and formatting
according to the options specified:

  bs=[BYTES]       Set 'ibs' and 'obs' equal to BYTES.
  conv=[KEYWORDS]  Convert the input as per the comma separated keyword
                   list.  The following are valid keywords:

                    noerror  Continue reading after errors.
                    comp     Compress the output.
                    decomp   Decompress the output.
                    swab     Swap each pair of bytes.
                    notrunc  Don't truncate the output file.
                    resume   Resume a broken copy operation (Enterprise
                             level only).

  count=[BLOCKS]   Copy only the specified number of input blocks.
  ibs=[BYTES]      Sets the input block size.
  if=[SOURCE]      Specifies the source for input; the default is stdin.
  obs=[BYTES]      Sets the output block size.
  of=[DESTINATION] Specifies the destination for output; the default is stdout.
  seek=[BLOCKS]    Skip the specified number of obs-sized blocks at start of output.
  skip=[BLOCKS]    Skip the specified number of ibs-sized blocks at start of input.

   --iport {PORT]  Send output to the specified tcpip PORT.
   --lport {PORT]  Send log output to the specified tcpip PORT.
   --tport {PORT]  Send cryptographic hash output to the
                   specified tcpip PORT.

If --iport or --lport are specified, the OUTPUT_FILE specified with the
'of' option will be interpreted as an IP address.

    -g --gather   Append multiple input files to a single output file.
    -a --append   Append input to the output file.
    -r --recursive   Recursively search subdirectories for files
                      to copy.  Valid only if 'if' specifies a
                      search pattern.
        --help        Display this help and exit.
    -v  --verbose  Output verbose information.
        --cryptsum [ALGORITHM]    Includes one or more cryptographic
                  checksums in the output.  "md2", "md4", "md5""
                  and "sha" or "sha1" are supported on all platforms
                  "sha_256", "sha_384" and "sha_512" are supported
                  on Windows Server 2003 and later.
        --cryptout [FILE] Write cryptographic checksum to the specified file.
        --verify      Verifies the cryptographic checksum of the output file.
        --verify_original Verifies whether the input has changed while being
        --sparse      Makes the output file sparse (ntfs only).
        --log [FILE]  Write log output to FILE.
        --lockin      Lock input file while copying.
        --lockout     Lock output file while copying.
        --volumelabel [VOLUME_LABEL]    Send output to a volume on a removable
                drive with the specified volume label.  If '--volumelabel' is
                specified, the volume name is prepended to the path specified
                by 'of'.
        --eject       Dismount and, if possible, eject the volume specified
                by the '--volumelabel' option.
        --localwrt        Enables writing output to a local fixed drive.
        --restore_access_times Restores file access times on the source.
        --locale [LANG]  Specifies the output locale.
        --seek [BYTES]   Skip the specified number of bytes at start of
        --skip [BYTES]   Skip the specified number of bytes at start of
        --count [BYTES]  Stop after acquiring the specified number of bytes.
        --chunk [BYTES]  Set the maximum size of the output file.  If the
                 output file exceeds the specified size, the file is split into
                 multiple fragments of BYTES bytes in size.
        --comp [ALGORITHM] Compress output using the specified algorithm.
        --decomp [ALGORITHM] Decompress output using the specified algorithm.

        --allvolumes     Copy all mounted volumes with optional user prompts
                for each volume.
        --alldrives      Copy all local drives with optional user prompts for
                each disk.
        --random_output_dir Append a random-named output directory to the
                specified output path.

BYTES may be suffixed: by xN for multiplication by N, by c for x1,
by w for x2, by b for x512, by KB for x1000, by KiB for x1024,
by MB for x1,000,000, by MiB for x1,048,576,
by GB for x1,000,000,000, by GiB for x1,073,741,824
by TB for x1,000,000,000,000, by TiB for x1,099,511,627,776

BYTES may be prefixed by "0x" or "x" to indicate a hexadecimal value.

The following options may be used in conjunction with a search pattern
to select the files or streams that are to be processed:

   -A, --attributes       hashes files with specified attributes:

        attributes  D  Directories                R  Read-only files
                    H  Hidden files               A  Files ready for archiving
                    C  Compressed files           E  Encrypted files
                    O  Offline files              P  Sparse files
                    S  System files               ~  Prefix meaning not
                    T  Temporary files

        --any   Specifies how the -A --attribute option is to be
                interpreted.  With '--any' files or streams with
                any one of the specified attributes will be processed.
                The default is to hash files with all of the specified

The following are used to select files based upon file times:
   --modified [FILETIME]   selects files based upon the file
                           modification time.
   --accessed [FILETIME]   selects files based upon the file access time.
   --created  [FILETIME]   selects files based upon the file creation

The format of the FILETIME string is specified according to the locale
of the current user.  For example, 10:00PM June 6, 2003 is specified
as "6/10/2003 10:00PM" in the United States and "10/6/2003 10:00PM"
in most european countries.  The file time string may be pre-pended by <, = or >
to search for file times that are less than, equal or greater than
the specified time string.  The FILETIME string may include multiple conditions
separated by a semi-colon (;).  Multiple conditions are evaluated in pairs.
An un-paired condition is evaluated individually.

The following may be used to select directories, files or streams
based upon specified regular expressions:

   --directoryfilter [EXPRESSION]   selects directories based upon an
   --filefilter   [EXPRESSION]      selects files based upon an expression.
   --streamfilter [EXPRESSION]      selects alternate streams based upon an
   --magicfilter [EXPRESSION]       selects files or alternate streams based
                                    upon the binary contents at the start of
                                    the data stream as evaluated by an

EXPRESSION may be any regular expression.  Double quotes ("")
may be used to prevent the command interpreter from splitting
a single expression into two or more pieces.  With respect
to the --magicfilter option, EXPRESSION is limited to a regular
expression that may be converted to a single byte character set.

The following may be used to select files or streams
based upon the entropy of the initial data stream:

   --entropy [THRESHOLD]   selects files or streams whose initial
                           data streams have an entropy greater than THRESHOLD.

The following may be used in conjunction with output in xml format:
   --case [CASE NUMBER] includes the specified case number in xml output.
   --evidence [EVIDENCE NUMBER] includes the specified evidence number in
               XML output.
   --description [DESCRIPTION] includes an optional description in xml output.

The following option may be used to set the thread priority of the program:

   --thread_priority [PRIORITY] sets the priority of the thread processing.

        The thread priority may be set to any of the following values:
                idle, lowest, belownormal, highest
                abovenormal, timecritical

     --ata_unlock [PASSWORD] unlocks an ATA drive using the provided password.
     --ata_master specifies that the password provided with --ata_unlock is a
                  master password.
     --ata_hpa temporarily disables the ATA host protected area if it exists
                  and sets the starting offset to skip the user accessible
     --ata_restore_configuration resets an ATA device configuration overlay
                 (DCO) and restores the original drive configuration.

Enterprise level options:

  --cryptvolumes   Copy all mounted encrypted volumes with optional user
                   prompts for each volume.

  --ssl [CERTIFICATE]   Make TCP connections using the TLS 1.0
         protocol and the specified certificate.  The certificate, which is
         optional for client connections, must be in PFX (PKCS#12) file
         format, if it exists.
  --encrypt [ALGORITHM]  Specifies the encryption algorithm that will be
         used to encrypt output.  The default algorithm is AES-256 on
         Microsoft Windows XP and later and 3DES on Windows 2000.
  --cert [PATH] Provides the path to an X-509/PKCS#7 encoded file.  The
         certificate will be used to encrypt the encryption key
         used to encrypt output.
   --ignore_invalid_cert  Ignore errors that may occur due to use of an
         unsigned or expired certificate.

      Report bugs to <>
forensics/dd.txt · 最終更新: 2012/08/14 08:16 by kikuzou
特に明示されていない限り、本Wikiの内容は次のライセンスに従います: CC Attribution-Share Alike 4.0 International
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki