On Sat, Aug 23, 2014 at 3:32 AM, Per Jessen
Bernhard Voelker wrote:
On 08/22/2014 09:18 PM, Per Jessen wrote:
I doubt if very many people use 'dd' for backups [...]
I can't claim that I'm "many" ... but I did - several times. I'm using it especially when moving/cloning Windows partitions, because it makes a 100% copy of the original.
Oh, there are a good few purposes for dd, but moving/cloning != backup, IMO.
dd is the core of computer forensic evidence preservation. Used to get full physical images (backups / copies) of drives. It is used in both legal situations where a full copy of the potential evidence must be preserved and in incident response situations where an external hack is suspected. For instance, if you want to do an intense malware investigation, you want to make sure you get every possible sector into your image to make sure you have all the possible remnants at hand at the start of your investigation.

The classic 20-years-ago approach was:

    dd if=/dev/sdx of=image_file conv=sync,noerror

Today that is not used so much because of the poor bad block handling of dd*.

My personal preference is ewfacquire, which I've recommended in various dd threads. ewfacquire does allow a "raw" copy to be made which would be the same as what dd does. It also allows various forensic image formats to be used. Those tend to have embedded metadata that speaks to the verification and chain-of-custody.

Anyway, I have likely made 100 ewfacquire style disk backups in the last year. It is why I maintain it for the opensuse distro.

*The poor bad block handling of dd can be seen by how this command treats bad blocks:

    dd if=/dev/sda of=image_file bs=1M conv=noerror,sync

If on any given 1 megabyte block a media read error is experienced in the middle of the 1 MB block, then dd will fill that sector and the tail of the block after the media error with nulls (or zeros). Thus a media error in the first sector of a 1MB block would cause the failure to preserve the full 1MB of data even though only 512 bytes were failed.

Using a smaller blocksize helps, but the reality is that dd as it currently exists (to my knowledge) is not designed to operate optimally in the presence of real world media errors. ewfacquire on the other hand can be told to read those same 1MB blocks, but if media errors occur to retry the read with ever smaller reads until only the bad sectors actually fail to be copied.
Greg
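The difference described in the message above, as an added example that is not part of the original post and is not code from dd or ewfacquire: a simplified model comparing fixed 1 MB reads that zero-fill from the error to the end of the block with a retry that halves the read size until only the failing sectors are zero-filled. `FlakyDisk`, `try_read`, `image_fixed`, `salvage` and `image_adaptive` are hypothetical names, the halving strategy is an assumption about how "ever smaller reads" could work, and the disk contents are constructed.

```python
SECTOR, MIB = 512, 1 << 20

class FlakyDisk:
    """Constructed in-memory drive (not a real device) with unreadable sectors."""
    def __init__(self, data, bad_sectors):
        self.data, self.bad = data, set(bad_sectors)
    def read(self, offset, length):
        """Return data up to the first bad sector; fail if the read starts on one."""
        end = min(offset + length, len(self.data))
        for s in range(offset // SECTOR, -(-end // SECTOR)):
            if s in self.bad:
                if s * SECTOR <= offset:
                    raise OSError(5, "Input/output error")  # EIO
                end = s * SECTOR
                break
        return self.data[offset:end]

def try_read(disk, offset, length):
    try:
        return disk.read(offset, length)
    except OSError:  # keep going after a media error instead of aborting
        return b""

def image_fixed(disk, size, bs):
    """Fixed-size reads as the post describes: bad sector and block tail become zeros."""
    out = bytearray()
    for off in range(0, size, bs):
        n = min(bs, size - off)
        good = try_read(disk, off, n)
        out += good + bytes(n - len(good))  # pad the short block with nulls
    return bytes(out)

def salvage(disk, offset, length):
    """Retry with ever smaller reads; zero-fill only sectors that still fail."""
    got = try_read(disk, offset, length)
    if len(got) == length:
        return got
    if length <= SECTOR:
        return bytes(length)  # a single sector that cannot be read
    half = max(SECTOR, length // 2 // SECTOR * SECTOR)
    return salvage(disk, offset, half) + salvage(disk, offset + half, length - half)

def image_adaptive(disk, size, bs):
    return b"".join(salvage(disk, off, min(bs, size - off)) for off in range(0, size, bs))

if __name__ == "__main__":
    disk = FlakyDisk(b"\xa5" * (2 * MIB), {2048})  # constructed: first sector of 2nd block is bad
    for imager in (image_fixed, image_adaptive):
        print(imager.__name__, "zeroed bytes:", imager(disk, 2 * MIB, MIB).count(0))
```

Because the sample data contains no zero bytes, the count of zero bytes in each image is the amount of data that was not preserved.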