You can use this lab to familiarize yourself with the dd (data duplicator) command on a Kali Linux system.
Prerequisites: Launch a terminal within a Linux operating system.
Warning: The dd command can be a data destroyer command if not used properly. When doing this lab, it’s best to do it within a non-production environment. For example, if you perform the command within a Kali Linux virtual machine and things go wrong, you can easily rebuild it.
This lab is in two parts.
- Part I Identify your Disk Partitions in Kali Linux.
- Part II Run the dd Command.
Identify your Disk Partitions in Kali Linux
Warning: You can destroy a partition with fdisk. If you follow these instructions as written, you will not make any changes. However, it’s still best to do this lab within a non-production environment, such as Kali Linux running as a virtual machine.
1. Start fdisk with this command:
/sbin/fdisk /dev/sda
Note that there is a space between /sbin/fdisk and /dev/sda. Reading the partition table of /dev/sda requires root privileges, so run the command as root (or prefix it with sudo) if your terminal is not already a root shell.
2. Enter i and press Enter to view information about partitions.
Notice that the figure shows three partitions, numbered 1, 2, and 5.
3. Enter 1 and press Enter to view information about partition 1.
This shows you the details of device /dev/sda1. If you followed earlier labs to create Kali Linux as a virtual machine (VM), the size of this partition will show as 19.5G (indicating 19.5 GB).
4. Enter i and press Enter again. This time type 2 and press Enter.
You’ll see that the device is /dev/sda2 and the size is 510M (indicating 510 MB).
5. Type i and press Enter again. This time type 5 and press Enter. This will show you the details of /dev/sda5.
6. Type q and press Enter to exit fdisk.
7. Keep the terminal open to run the dd command.
Run the dd Command
Note that dd uses the following operands:
- if= indicates the input file (or input source)
- of= indicates the output file (or output destination)
1. Enter the following command to see the contents of the current folder:
ls
Note: You can get help on the ls command by querying the manual with the following command:
man ls
2. Enter the following command to create an image file (named sd2disk.img) from the /dev/sda2 partition:
dd if=/dev/sda2 of=sd2disk.img
Note that this creads from the partition and writes only to the image file, so it creates a clone of the partition without modifying it. Like fdisk, reading /dev/sda2 directly requires root privileges.
3. Calculate the SHA1 hash of the file, for example with sha1sum:
sha1sum sd2disk.img
4. Make a copy of the image file with the following command:
cp sd2disk.img analyzethis.img
Forensic professionals don’t analyze the cloned image directly because the analysis process can modify the data. Instead, they make a copy of the cloned image and analyze the copy, so the original clone and its hash remain available as evidence.
5. Calculate the hash on the copied file, again with sha1sum:
sha1sum analyzethis.img
Note that the hash of the copied file (analyzethis.img) is the same as the hash of the file created by dd (sd2disk.img). If the two hashes ever differ, the copy was altered or corrupted and must not be treated as a faithful image.
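The imaging and verification steps above, as an added example that is not part of the original lab: a POSIX shell script that runs the same dd, sha1sum and cp sequence against a constructed 1 MiB file standing in for /dev/sda2 (so it needs no root access), then checks that the clone and the working copy hash identically and that any change to the working copy is detected.

```shell
#!/bin/sh
# Added example, not from the original lab. A constructed random file plays the
# role of /dev/sda2 so the script runs without root and without touching real disks.

# make_source: build the stand-in "partition" (1 MiB of random bytes) at path $1.
make_source() {
  dd if=/dev/urandom of="$1" bs=1024 count=1024 2>/dev/null
}

# sha1_of: print only the hex digest of file $1.
sha1_of() {
  sha1sum "$1" | cut -d' ' -f1
}

# image_partition: clone source $1 into image $2 with dd, exactly as the lab does.
# The source is only read; nothing is written back to it.
image_partition() {
  dd if="$1" of="$2" bs=4096 2>/dev/null
}

# hashes_match: succeed (exit 0) only if files $1 and $2 have the same SHA1.
hashes_match() {
  [ "$(sha1_of "$1")" = "$(sha1_of "$2")" ]
}

# image_and_copy: the lab workflow end to end.
#   $1 source (partition), $2 clone (sd2disk.img), $3 working copy (analyzethis.img)
# Succeeds only if source, clone and working copy all carry the same hash.
image_and_copy() {
  image_partition "$1" "$2"
  cp "$2" "$3"                      # analysts work on the copy, never on the clone
  printf '%s  %s\n' "$(sha1_of "$2")" "$2"
  printf '%s  %s\n' "$(sha1_of "$3")" "$3"
  hashes_match "$1" "$2" && hashes_match "$2" "$3"
}

# Stand-alone run: image the constructed source, then show that appending a single
# byte to the working copy breaks the hash match (the check the lab relies on).
if [ "${0##*/}" = "dd_lab_example.sh" ]; then
  d=$(mktemp -d)
  make_source "$d/src.bin"
  image_and_copy "$d/src.bin" "$d/sd2disk.img" "$d/analyzethis.img" && echo "hashes match"
  printf 'x' >> "$d/analyzethis.img"
  hashes_match "$d/sd2disk.img" "$d/analyzethis.img" || echo "working copy altered: hash mismatch"
  rm -rf "$d"
fi
```

Save the script as dd_lab_example.sh to trigger the stand-alone run at the bottom; the functions can also be sourced and called individually.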