差分

このページの2つのバージョン間の差分を表示します。

--- forensics:dd [2012/08/14 08:02]
kikuzou
+++ forensics:dd [2012/08/14 08:16] (現在)
kikuzou
@@ 行 23: / 行 23: @@
 > dd if=\\.\e: of=usb.dd conv=noerror bs=512 --localwrt
 </code>
+==== Usage ====
+<file>
+Usage: dd if=[SOURCE] of=[DESTINATION] [OPTIONS]
+Copy a device or one or more files or streams, converting and formatting
+according to the options specified:
+  bs=[BYTES]       Set 'ibs' and 'obs' equal to BYTES.
+  conv=[KEYWORDS]  Convert the input as per the comma separated keyword
+                   list.  The following are valid keywords:
+                    noerror  Continue reading after errors.
+                    comp     Compress the output.
+                    decomp   Decompress the output.
+                    swab     Swap each pair of bytes.
+                    notrunc  Don't truncate the output file.
+                    resume   Resume a broken copy operation (Enterprise
+                             level only).
+  count=[BLOCKS]   Copy only the specified number of input blocks.
+  ibs=[BYTES]      Sets the input block size.
+  if=[SOURCE]      Specifies the source for input; the default is stdin.
+  obs=[BYTES]      Sets the output block size.
+  of=[DESTINATION] Specifies the destination for output; the default is stdout.
+  seek=[BLOCKS]    Skip the specified number of obs-sized blocks at start of output.
+  skip=[BLOCKS]    Skip the specified number of ibs-sized blocks at start of input.
+   --iport {PORT]  Send output to the specified tcpip PORT.
+   --lport {PORT]  Send log output to the specified tcpip PORT.
+   --tport {PORT]  Send cryptographic hash output to the
+                   specified tcpip PORT.
+If --iport or --lport are specified, the OUTPUT_FILE specified with the
+'of' option will be interpreted as an IP address.
+    -g --gather   Append multiple input files to a single output file.
+    -a --append   Append input to the output file.
+    -r --recursive   Recursively search subdirectories for files
+                      to copy.  Valid only if 'if' specifies a
+                      search pattern.
+        --help        Display this help and exit.
+    -v  --verbose  Output verbose information.
+        --cryptsum [ALGORITHM]    Includes one or more cryptographic
+                  checksums in the output.  "md2", "md4", "md5""
+                  and "sha" or "sha1" are supported on all platforms
+                  "sha_256", "sha_384" and "sha_512" are supported
+                  on Windows Server 2003 and later.
+        --cryptout [FILE] Write cryptographic checksum to the specified file.
+        --verify      Verifies the cryptographic checksum of the output file.
+        --verify_original Verifies whether the input has changed while being
+                                  copied.
+        --sparse      Makes the output file sparse (ntfs only).
+        --log [FILE]  Write log output to FILE.
+        --lockin      Lock input file while copying.
+        --lockout     Lock output file while copying.
+        --volumelabel [VOLUME_LABEL]    Send output to a volume on a removable
+                drive with the specified volume label.  If '--volumelabel' is
+                specified, the volume name is prepended to the path specified
+                by 'of'.
+        --eject       Dismount and, if possible, eject the volume specified
+                by the '--volumelabel' option.
+        --localwrt        Enables writing output to a local fixed drive.
+        --restore_access_times Restores file access times on the source.
+        --locale [LANG]  Specifies the output locale.
+        --seek [BYTES]   Skip the specified number of bytes at start of
+                         output.
+        --skip [BYTES]   Skip the specified number of bytes at start of
+                         input.
+        --count [BYTES]  Stop after acquiring the specified number of bytes.
+        --chunk [BYTES]  Set the maximum size of the output file.  If the
+                 output file exceeds the specified size, the file is split into
+                 multiple fragments of BYTES bytes in size.
+        --comp [ALGORITHM] Compress output using the specified algorithm.
+        --decomp [ALGORITHM] Decompress output using the specified algorithm.
+        --allvolumes     Copy all mounted volumes with optional user prompts
+                for each volume.
+        --alldrives      Copy all local drives with optional user prompts for
+                each disk.
+        --random_output_dir Append a random-named output directory to the
+                specified output path.
+BYTES may be suffixed: by xN for multiplication by N, by c for x1,
+by w for x2, by b for x512, by KB for x1000, by KiB for x1024,
+by MB for x1,000,000, by MiB for x1,048,576,
+by GB for x1,000,000,000, by GiB for x1,073,741,824
+by TB for x1,000,000,000,000, by TiB for x1,099,511,627,776
+BYTES may be prefixed by "0x" or "x" to indicate a hexadecimal value.
+The following options may be used in conjunction with a search pattern
+to select the files or streams that are to be processed:
+   -A, --attributes       hashes files with specified attributes:
+        attributes  D  Directories                R  Read-only files
+                    H  Hidden files               A  Files ready for archiving
+                    C  Compressed files           E  Encrypted files
+                    O  Offline files              P  Sparse files
+                    S  System files               ~  Prefix meaning not
+                    T  Temporary files
+        --any   Specifies how the -A --attribute option is to be
+                interpreted.  With '--any' files or streams with
+                any one of the specified attributes will be processed.
+                The default is to hash files with all of the specified
+                attributes.
+The following are used to select files based upon file times:
+   --modified [FILETIME]   selects files based upon the file
+                           modification time.
+   --accessed [FILETIME]   selects files based upon the file access time.
+   --created  [FILETIME]   selects files based upon the file creation
+                           time.
+The format of the FILETIME string is specified according to the locale
+of the current user.  For example, 10:00PM June 6, 2003 is specified
+as "6/10/2003 10:00PM" in the United States and "10/6/2003 10:00PM"
+in most european countries.  The file time string may be pre-pended by <, = or >
+to search for file times that are less than, equal or greater than
+the specified time string.  The FILETIME string may include multiple conditions
+separated by a semi-colon (;).  Multiple conditions are evaluated in pairs.
+An un-paired condition is evaluated individually.
+The following may be used to select directories, files or streams
+based upon specified regular expressions:
+   --directoryfilter [EXPRESSION]   selects directories based upon an
+                                    expression.
+   --filefilter   [EXPRESSION]      selects files based upon an expression.
+   --streamfilter [EXPRESSION]      selects alternate streams based upon an
+                                    expression
+   --magicfilter [EXPRESSION]       selects files or alternate streams based
+                                    upon the binary contents at the start of
+                                    the data stream as evaluated by an
+                                    expression.
+EXPRESSION may be any regular expression.  Double quotes ("")
+may be used to prevent the command interpreter from splitting
+a single expression into two or more pieces.  With respect
+to the --magicfilter option, EXPRESSION is limited to a regular
+expression that may be converted to a single byte character set.
+The following may be used to select files or streams
+based upon the entropy of the initial data stream:
+   --entropy [THRESHOLD]   selects files or streams whose initial
+                           data streams have an entropy greater than THRESHOLD.
+The following may be used in conjunction with output in xml format:
+   --case [CASE NUMBER] includes the specified case number in xml output.
+   --evidence [EVIDENCE NUMBER] includes the specified evidence number in
+               XML output.
+   --description [DESCRIPTION] includes an optional description in xml output.
+The following option may be used to set the thread priority of the program:
+   --thread_priority [PRIORITY] sets the priority of the thread processing.
+        The thread priority may be set to any of the following values:
+                idle, lowest, belownormal, highest
+                abovenormal, timecritical
+     --ata_unlock [PASSWORD] unlocks an ATA drive using the provided password.
+     --ata_master specifies that the password provided with --ata_unlock is a
+                  master password.
+     --ata_hpa temporarily disables the ATA host protected area if it exists
+                  and sets the starting offset to skip the user accessible
+                  bytes.
+     --ata_restore_configuration resets an ATA device configuration overlay
+                 (DCO) and restores the original drive configuration.
+Enterprise level options:
+  --cryptvolumes   Copy all mounted encrypted volumes with optional user
+                   prompts for each volume.
+  --ssl [CERTIFICATE]   Make TCP connections using the TLS 1.0
+         protocol and the specified certificate.  The certificate, which is
+         optional for client connections, must be in PFX (PKCS#12) file
+         format, if it exists.
+  --encrypt [ALGORITHM]  Specifies the encryption algorithm that will be
+         used to encrypt output.  The default algorithm is AES-256 on
+         Microsoft Windows XP and later and 3DES on Windows 2000.
+  --cert [PATH] Provides the path to an X-509/PKCS#7 encoded file.  The
+         certificate will be used to encrypt the encryption key
+         used to encrypt output.
+   --ignore_invalid_cert  Ignore errors that may occur due to use of an
+         unsigned or expired certificate.
+      Report bugs to <gmgarner@erols.com>
+</file>