dd (Raw Disk Image)
What is dd (Raw Disk Image)?
A flat, bit-for-bit copy of a storage device produced by the Unix dd utility (or compatible tools), without compression, metadata or per-block hashing.
A dd image is the simplest possible forensic acquisition: a sector-by-sector raw copy of a disk, partition or memory device written to one or more files (a split image is reassembled by simple concatenation). The name comes from the venerable Unix dd command, and the format is essentially defined by what dd writes: no header, no metadata, no compression and no embedded hashes, so byte 0 of the image is byte 0 of the source device. Variants such as dcfldd, dc3dd and ewfacquire add logging, hashing and split output but keep the same raw layout. Virtually every forensic tool can read a dd image, which makes it ideal for archival and tool-agnostic analysis, but because the file carries no integrity data of its own, examiners pair it with an external hash list and a chain-of-custody record.
● Examples
- Acquiring /dev/sda from a Linux box with `dcfldd if=/dev/sda hash=sha256 of=case01.dd`.
- Loading a dd image into Autopsy or The Sleuth Kit for partition and file-system analysis.
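Because a raw image has no container header, a tool that wants the partition layout reads the device's own first sector straight from offset 0, and integrity comes only from a hash recorded outside the file. The following added example (not part of the original glossary entry, and not code from dd, dcfldd or The Sleuth Kit) constructs a tiny dd-style image in memory, records its SHA-256 the way an acquisition log would, re-verifies it, and parses the MBR partition table from offset 446 to carve out a partition. The image contents, partition geometry and function names are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
import struct

SECTOR = 512             # raw images are addressed in 512-byte sectors
MBR_TABLE = 446          # offset of the 4-entry partition table inside an MBR
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_image(total_sectors: int = 64) -> bytes:
    """Construct a tiny dd-style raw image (constructed sample data, not a real
    disk): an MBR holding one bootable Linux (0x83) partition starting at LBA 8
    and spanning 48 sectors, followed by zero-filled sectors."""
    mbr = bytearray(SECTOR)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x83, b"\0\0\0", 8, 48)
    mbr[MBR_TABLE:MBR_TABLE + 16] = entry
    mbr[510:512] = b"\x55\xaa"  # MBR boot signature
    return bytes(mbr) + b"\0" * (SECTOR * (total_sectors - 1))


def sha256_of_image(image: bytes) -> str:
    """Hash the whole image. This is the value an acquisition log or external
    hash list records next to the .dd file, since the file itself has none."""
    return hashlib.sha256(image).hexdigest()


def verify_hash(image: bytes, expected_hex: str) -> bool:
    """Re-hash the image and compare against the externally recorded value."""
    return hashlib.sha256(image).hexdigest() == expected_hex.lower()


def parse_mbr(image: bytes) -> list[dict]:
    """Read the MBR partition table directly from the image. No header to skip:
    offset 0 of the image is sector 0 of the acquired device."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, image, MBR_TABLE + 16 * i
        )
        if ptype == 0 or count == 0:  # empty slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return parts


def partition_bytes(image: bytes, part: dict) -> bytes:
    """Carve one partition out of the raw image by LBA arithmetic. A range past
    the end of the file points at a truncated or short acquisition."""
    start = part["lba_start"] * SECTOR
    end = start + part["sectors"] * SECTOR
    if end > len(image):
        raise ValueError("partition extends past end of image (truncated acquisition?)")
    return image[start:end]


if __name__ == "__main__":
    img = build_sample_image()
    recorded = sha256_of_image(img)          # what the acquisition log would hold
    print("sha256:", recorded, "verified:", verify_hash(img, recorded))
    for p in parse_mbr(img):
        print(f"partition {p['index']}: type 0x{p['type']:02x} "
              f"LBA {p['lba_start']} +{p['sectors']} sectors, "
              f"{len(partition_bytes(img, p))} bytes")
```

The same `parse_mbr` call works unchanged on a real raw image opened with `open(path, "rb").read()` (or a memory map for large files), which is the practical meaning of "tool-agnostic": the only format knowledge required is the on-disk structure of the device itself.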
● Frequently asked questions
What is dd (Raw Disk Image)?
A flat, bit-for-bit copy of a storage device produced by the Unix dd utility (or compatible tools), without compression, metadata or per-block hashing. It belongs to the Forensics & IR category of cybersecurity.
What are other names for dd (Raw Disk Image)?
Common alternative names include: Raw image, .dd, .img, .raw.
● Related terms
- E01 (EnCase Evidence) Image Format (Forensics & IR): A forensic disk image format originally introduced by Guidance Software for EnCase, storing acquired data in compressed, segmented files with embedded metadata and checksums.
- KAPE (Kroll Artifact Parser and Extractor) (Forensics & IR): A Windows triage tool from Kroll that collects forensic artifacts from live systems or images and then runs parser modules to produce ready-to-review output.
- Eric Zimmerman's EZ Tools (Forensics & IR): A free suite of Windows DFIR command-line and GUI tools by Eric Zimmerman for parsing common forensic artifacts and building timelines.
- Chain of Custody (Forensics & IR): The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.