差分

この文書の現在のバージョンと選択したバージョンの差分を表示します。

この比較画面にリンクする

両方とも前のリビジョン 前のリビジョン
forensics:dd [2012/08/14 08:02]
kikuzou
forensics:dd [2012/08/14 08:16] (現在)
kikuzou
ライン 23: ライン 23:
 > dd if=\\.\e: of=usb.dd conv=noerror bs=512 --localwrt > dd if=\\.\e: of=usb.dd conv=noerror bs=512 --localwrt
 </​code>​ </​code>​
 +
 +
 +==== Usage ====
 +<​file>​
 +Usage: dd if=[SOURCE] of=[DESTINATION] [OPTIONS]
 +
 +Copy a device or one or more files or streams, converting and formatting
 +according to the options specified:
 +
 +  bs=[BYTES] ​      Set '​ibs'​ and '​obs'​ equal to BYTES.
 +  conv=[KEYWORDS] ​ Convert the input as per the comma separated keyword
 +                   ​list. ​ The following are valid keywords:
 +
 +                    noerror ​ Continue reading after errors.
 +                    comp     ​Compress the output.
 +                    decomp ​  ​Decompress the output.
 +                    swab     Swap each pair of bytes.
 +                    notrunc ​ Don't truncate the output file.
 +                    resume ​  ​Resume a broken copy operation (Enterprise
 +                             level only).
 +
 +  count=[BLOCKS] ​  Copy only the specified number of input blocks.
 +  ibs=[BYTES] ​     Sets the input block size.
 +  if=[SOURCE] ​     Specifies the source for input; the default is stdin.
 +  obs=[BYTES] ​     Sets the output block size.
 +  of=[DESTINATION] Specifies the destination for output; the default is stdout.
 +  seek=[BLOCKS] ​   Skip the specified number of obs-sized blocks at start of output.
 +  skip=[BLOCKS] ​   Skip the specified number of ibs-sized blocks at start of input.
 +
 +   ​--iport {PORT] ​ Send output to the specified tcpip PORT.
 +   ​--lport {PORT] ​ Send log output to the specified tcpip PORT.
 +   ​--tport {PORT] ​ Send cryptographic hash output to the
 +                   ​specified tcpip PORT.
 +
 +If --iport or --lport are specified, the OUTPUT_FILE specified with the
 +'​of'​ option will be interpreted as an IP address.
 +
 +    -g --gather ​  ​Append multiple input files to a single output file.
 +    -a --append ​  ​Append input to the output file.
 +    -r --recursive ​  ​Recursively search subdirectories for files
 +                      to copy.  Valid only if '​if'​ specifies a
 +                      search pattern.
 +        --help ​       Display this help and exit.
 +    -v  --verbose ​ Output verbose information.
 +        --cryptsum [ALGORITHM] ​   Includes one or more cryptographic
 +                  checksums in the output. ​ "​md2",​ "​md4",​ "​md5""​
 +                  and "​sha"​ or "​sha1"​ are supported on all platforms
 +                  "​sha_256",​ "​sha_384"​ and "​sha_512"​ are supported
 +                  on Windows Server 2003 and later.
 +        --cryptout [FILE] Write cryptographic checksum to the specified file.
 +        --verify ​     Verifies the cryptographic checksum of the output file.
 +        --verify_original Verifies whether the input has changed while being
 +                                  copied.
 +        --sparse ​     Makes the output file sparse (ntfs only).
 +        --log [FILE] ​ Write log output to FILE.
 +        --lockin ​     Lock input file while copying.
 +        --lockout ​    Lock output file while copying.
 +        --volumelabel [VOLUME_LABEL] ​   Send output to a volume on a removable
 +                drive with the specified volume label. ​ If '​--volumelabel'​ is
 +                specified, the volume name is prepended to the path specified
 +                by '​of'​.
 +        --eject ​      ​Dismount and, if possible, eject the volume specified
 +                by the '​--volumelabel'​ option.
 +        --localwrt ​       Enables writing output to a local fixed drive.
 +        --restore_access_times Restores file access times on the source.
 +        --locale [LANG] ​ Specifies the output locale.
 +        --seek [BYTES] ​  Skip the specified number of bytes at start of
 +                         ​output.
 +        --skip [BYTES] ​  Skip the specified number of bytes at start of
 +                         ​input.
 +        --count [BYTES] ​ Stop after acquiring the specified number of bytes.
 +        --chunk [BYTES] ​ Set the maximum size of the output file.  If the
 +                 ​output file exceeds the specified size, the file is split into
 +                 ​multiple fragments of BYTES bytes in size.
 +        --comp [ALGORITHM] Compress output using the specified algorithm.
 +        --decomp [ALGORITHM] Decompress output using the specified algorithm.
 +
 +        --allvolumes ​    Copy all mounted volumes with optional user prompts
 +                for each volume.
 +        --alldrives ​     Copy all local drives with optional user prompts for
 +                each disk.
 +        --random_output_dir Append a random-named output directory to the
 +                specified output path.
 +
 +BYTES may be suffixed: by xN for multiplication by N, by c for x1,
 +by w for x2, by b for x512, by KB for x1000, by KiB for x1024,
 +by MB for x1,000,000, by MiB for x1,048,576,
 +by GB for x1,​000,​000,​000,​ by GiB for x1,​073,​741,​824
 +by TB for x1,​000,​000,​000,​000,​ by TiB for x1,​099,​511,​627,​776
 +
 +BYTES may be prefixed by "​0x"​ or "​x"​ to indicate a hexadecimal value.
 +
 +The following options may be used in conjunction with a search pattern
 +to select the files or streams that are to be processed:
 +
 +   -A, --attributes ​      ​hashes files with specified attributes:
 +
 +        attributes ​ D  Directories ​               R  Read-only files
 +                    H  Hidden files               ​A ​ Files ready for archiving
 +                    C  Compressed files           ​E ​ Encrypted files
 +                    O  Offline files              P  Sparse files
 +                    S  System files               ​~ ​ Prefix meaning not
 +                    T  Temporary files
 +
 +        --any   ​Specifies how the -A --attribute option is to be
 +                interpreted. ​ With '​--any'​ files or streams with
 +                any one of the specified attributes will be processed.
 +                The default is to hash files with all of the specified
 +                attributes.
 +
 +The following are used to select files based upon file times:
 +   ​--modified [FILETIME] ​  ​selects files based upon the file
 +                           ​modification time.
 +   ​--accessed [FILETIME] ​  ​selects files based upon the file access time.
 +   ​--created ​ [FILETIME] ​  ​selects files based upon the file creation
 +                           time.
 +
 +The format of the FILETIME string is specified according to the locale
 +of the current user.  For example, 10:00PM June 6, 2003 is specified
 +as "​6/​10/​2003 10:​00PM"​ in the United States and "​10/​6/​2003 10:​00PM"​
 +in most european countries. ​ The file time string may be pre-pended by <, = or >
 +to search for file times that are less than, equal or greater than
 +the specified time string. ​ The FILETIME string may include multiple conditions
 +separated by a semi-colon (;).  Multiple conditions are evaluated in pairs.
 +An un-paired condition is evaluated individually.
 +
 +The following may be used to select directories,​ files or streams
 +based upon specified regular expressions:​
 +
 +   ​--directoryfilter [EXPRESSION] ​  ​selects directories based upon an
 +                                    expression.
 +   ​--filefilter ​  ​[EXPRESSION] ​     selects files based upon an expression.
 +   ​--streamfilter [EXPRESSION] ​     selects alternate streams based upon an
 +                                    expression
 +   ​--magicfilter [EXPRESSION] ​      ​selects files or alternate streams based
 +                                    upon the binary contents at the start of
 +                                    the data stream as evaluated by an
 +                                    expression.
 +
 +EXPRESSION may be any regular expression. ​ Double quotes (""​)
 +may be used to prevent the command interpreter from splitting
 +a single expression into two or more pieces. ​ With respect
 +to the --magicfilter option, EXPRESSION is limited to a regular
 +expression that may be converted to a single byte character set.
 +
 +The following may be used to select files or streams
 +based upon the entropy of the initial data stream:
 +
 +   ​--entropy [THRESHOLD] ​  ​selects files or streams whose initial
 +                           data streams have an entropy greater than THRESHOLD.
 +
 +The following may be used in conjunction with output in xml format:
 +   ​--case [CASE NUMBER] includes the specified case number in xml output.
 +   ​--evidence [EVIDENCE NUMBER] includes the specified evidence number in
 +               XML output.
 +   ​--description [DESCRIPTION] includes an optional description in xml output.
 +
 +The following option may be used to set the thread priority of the program:
 +
 +   ​--thread_priority [PRIORITY] sets the priority of the thread processing.
 +
 +        The thread priority may be set to any of the following values:
 +                idle, lowest, belownormal,​ highest
 +                abovenormal,​ timecritical
 +
 +     ​--ata_unlock [PASSWORD] unlocks an ATA drive using the provided password.
 +     ​--ata_master specifies that the password provided with --ata_unlock is a
 +                  master password.
 +     ​--ata_hpa temporarily disables the ATA host protected area if it exists
 +                  and sets the starting offset to skip the user accessible
 +                  bytes.
 +     ​--ata_restore_configuration resets an ATA device configuration overlay
 +                 (DCO) and restores the original drive configuration.
 +
 +Enterprise level options:
 +
 +  --cryptvolumes ​  Copy all mounted encrypted volumes with optional user
 +                   ​prompts for each volume.
 +
 +  --ssl [CERTIFICATE] ​  Make TCP connections using the TLS 1.0
 +         ​protocol and the specified certificate. ​ The certificate,​ which is
 +         ​optional for client connections,​ must be in PFX (PKCS#12) file
 +         ​format,​ if it exists.
 +  --encrypt [ALGORITHM] ​ Specifies the encryption algorithm that will be
 +         used to encrypt output. ​ The default algorithm is AES-256 on
 +         ​Microsoft Windows XP and later and 3DES on Windows 2000.
 +  --cert [PATH] Provides the path to an X-509/​PKCS#​7 encoded file.  The
 +         ​certificate will be used to encrypt the encryption key
 +         used to encrypt output.
 +   ​--ignore_invalid_cert ​ Ignore errors that may occur due to use of an
 +         ​unsigned or expired certificate.
 +
 +      Report bugs to <​gmgarner@erols.com>​
 +</​file>​
  
forensics/dd.txt · 最終更新: 2012/08/14 08:16 by kikuzou
 
特に明示されていない限り、本Wikiの内容は次のライセンスに従います: CC Attribution-Share Alike 4.0 International
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki