ddrescue & dd_rescue

From: http://www.forensicswiki.org/wiki/Dd_rescue

兩者是完全不同的專案,但用途目地是一致的。最大的不同在於 ddrescue 無法與管線命令串接處理它僅能處理block裝置及檔案,而 dd_rescue可以串接管線命令。

dd_rescue, is an an advanced evolution of dd, a command line program that has been ported only for UNIX/Linux. The program uses a complex series of flags to allow the user to image or write data from and to raw image files. Like dcfldd, the program makes an effort to keep the user apprised of the status of the current operation.

ddrescue and dd_rescue are completely different programs which share no development between them. The two projects are not related in any way except that they both attempt to enhance the standard dd tool and coincidentally chose similar names for their new programs.

Sample usage

Here is a common dd_rescue command:


$ dd_rescue /dev/hda myfile.img


A large difference between ddrescue and dd_rescue is that dd_rescue can pipe output to STDOUT whereas ddrescue can only transfer block/file to block/file.

One example of this usage would be transfering a disk image over the network using ssh.

dd_rescue /dev/sda1 - | ssh user@remote.host "cat - > /remote/destination/file.img"

Another example would be adding compression to an image file on the fly.

dd_rescue /dev/sda1 - | bzip2 > /dir/file.img.bz2

openfiler 安裝 pv(pipe viewer)、trickle 限制和監控 dd 執行時的讀取寫入速度

openfiler 安裝 pv 及 trickle 限制流量與監控

pv download: http://www.ivarch.com/programs/pv.shtml
trickle download: http://monkey.org/~marius/pages/?page=trickle

工具及函式庫gcclibevent:devel 套件函式庫。libevent:devel 為 trickle 編譯中所需要的函式庫。

編譯安裝:下載 source code , 解壓縮並進入目錄中。
執行 configure run command : ./configure
執行安裝 make install

Wiping a Hard Drive With DD

Wiping a Hard Drive With DD

from: http://www.marksanborn.net/howto/wiping-a-hard-drive-with-dd/

A common assumption is that deleting or formatting a hard drive will be enough but in fact the data is still recoverable. In fact is fairly trivial and the process is quite easy to restore them. For this reason security is a great concern, especially for those who are selling or donating their old computers. I am going to show you a simple technique for erasing the entire drive. This is the same procedure that the US Government DoD uses to secure their own drives.

When you delete a file or format a hard drive you are basically just telling the computer that it can use this portion of the disk again if it is needed. If that portion of the disk is not every written over again. The data will remain indefinitely. So, in order to make deleted data unrecoverable we must write over it.

Wiping the Drive
Using dd to write over your entire drive with 0s:

dd if=/dev/zero of=/dev/hda

This would effectively write over the entire drive with ascii code 0x00 characters.

At this point the chances for recovering any data would be almost hopeless to most data recovering techniques.

Due to the way hard drives are made it is often possible to determine what was written beneath the most current write operation. If you write the entire drive with zeros, it will be quite easy to see what data was written before. It will be the one that is not a zero!

To further complicate the recovering process we will write over the entire drive with random data.

dd if=/dev/urandom of=/dev/hda

This will write over drive ’hda’ with random data. Now the recovering process is hopeless.

If you are really paranoid or just want to be ultra secure you could write over the drive 7 times with random data. This is the same procedure the US Government uses to secure its own data.

for n inseq 7;
 dd if=/dev/urandom of=/dev/sda bs=8b conv=notrunc;

# chmod a+x wipeIt sh wipeIt

Notrunc means ‘do not truncate the output file’.

Pipe Viewer – is a terminal-based tool for monitoring the progress of data through a pipeline.

Install Pipe Viewer on Ubuntu:

apt-get install pv

pv Command syntax:

pv filename
pv filename > /path/to/output
pv options filename | command1
pv options filename | command1 > output.file
pv filename | command1
command1 | pv | command2
pv -options input.file | command1 | pv -options > output.file

example command:

jerry@jerry-P5Q-office:/media/fileZone500G/software/作業系統/LINUX$ dd if=drbl-live-xfce-1.0.8-7-amd64.iso |pv -s 378M|ssh jerry@ "dd of=/home/jerry/test.iso"
755620+0 records in1MB/s] [=================================================================>   ] 96% ETA 0:00:02
755620+0 records out
386877440 bytes (387 MB) copied, 85.2052 s, 4.5 MB/s
 369MB 0:01:25 [4.33MB/s] [=================================================================>   ] 97%
755620+0 records in
755620+0 records out
386877440 bytes (387 MB) copied, 84.7891 s, 4.6 MB/s

使用 trickle 限制 dd over ssh 的流量

使用 “trickle" 限制 dd 複製 block level device over ssh bandwidth of translation 。有效的降低網路上 IO delay 的情況發生。

dd if=/dev/sda | trickle -u 10240 ssh root@ “dd of=/mnt/backup_jerry/sda.img"

利用 trickle 指令限制上傳的速度為 10240KB 透過 ssh 協定傳送 dd 資料串流。


此次的問題是日本機台內的 Windows XP home edition 系統掛點,出現 hal.dll 損毀或檔案移漏。為了安全起見在修復安裝之前,先作整顆硬碟的 clone ,使用 clonezilla 執行 Disk clone 的工作。開始一切都很順利,但運行到一半發現 disk i/o error 的錯誤訊息,之後隨即中斷 clone 工作。