dd for System Rescue

The classic method using ‘dd’

dd is very powerful and can be used to write from disks to files and from files to partitions or volumes. However, it is recommended that you try ddrescue or dd_rescue first: dd was not conceived to work with damaged disks and may use suboptimal ways to recover the data. If at all possible, skip to one of the ddrescue sections.

To copy a disk as root, run:

dd if=/dev/old_disk of=/dev/new_disk conv=noerror,sync

conv=noerror,sync is used for disks with bad blocks, where the intent is to replace bad blocks with zero placeholders and continue copying.

To copy the disk to an image file:

dd if=/dev/old_disk of=image_file conv=noerror,sync

conv=sync tells dd to pad each block to the left with nulls, so that if, due to error, the full block cannot be read, the full length of the original data is preserved, even though not all of the data itself can be included in the image. That way you at least know how damaged the data is, which might provide you with forensic clues. If you can’t take an image at all due to bad blocks or whatever, you can’t analyze any of the data; some is better than none.

conv=sync,noerror is necessary to prevent dd from stopping on error and performing a dump. conv=sync is largely meaningless without noerror.

Information:

dd:

dd is the baseline version – it’s the generic product, so to speak. dd is designed to make a bit-perfect copy. It’s what you use when you want to make a disk image with no fancy add-ons. dd does one thing well, and absolutely nothing else. While there are distinct GNU and BSD versions, their functionality and commands are identical to both the Unix dd and an earlier program made for IBM JCL.

dd_rescue:

GNU ddrescue is optimised for data recovery – it will note down where bad sectors are, and will attempt to fill in those areas with data from subsequent runs. As a result, the aim is to get files that are readable, as opposed to bit perfect. You will want to use it to recover data from a drive you suspect is damaged. To confuse things, there’s an older ddrescue which is not as advanced or easy to use, so check which one you’re using. On Ubuntu, GNU ddrescue is installed by the package gddrescue (you want this, not the older ddrescue package) and is invoked by the command ddrescue.

From the DD Rescue webpage:

Ddrescue does not write zeros to the output when it finds bad sectors in the input, and does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps without wiping out the data already rescued.

Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using the logfile, only the needed blocks are read from the second and successive copies.

dcfldd and other forensic dd variants are designed to make forensic copies. These need to be bit perfect AND verifiable. Use this when you absolutely need to know that a copy and subsequent copies are identical to the original – forensic dd variants add additional features such as hashing.

From the website, additional features of dcfldd are:

Hashing on-the-fly – dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.

Status output – dcfldd can update the user of its progress in terms of the amount of data transferred and how much longer operation will take.

Flexible disk wipes – dcfldd can be used to wipe disks quickly and with a known pattern if desired.

Image/wipe Verify – dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.

Multiple outputs – dcfldd can output to multiple files or disks at the same time.

Split output – dcfldd can split output to multiple files with more configurability than the split command.

Piped output and logs – dcfldd can send all its log data and output to commands as well as files natively.
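
The "bit perfect AND verifiable" requirement above can be approximated with plain dd and sha256sum when dcfldd is not available. The following is an added example, not code from the original page or from the dcfldd project; image_and_verify is a hypothetical helper name, and the "disk" is a constructed 1 MiB sample file standing in for /dev/old_disk.

```shell
#!/bin/sh
# Added example: image a source with dd, hash the stream on the fly,
# then re-hash the written image and compare the two digests.
# image_and_verify is a hypothetical helper, not part of dd or dcfldd.

# Usage: image_and_verify SOURCE IMAGE
# Prints the SHA-256 of the image on success.
# Returns 2 if SOURCE is unreadable, 1 if the digests differ.
image_and_verify() {
    src=$1
    img=$2
    # Without this check a missing source would yield two matching
    # digests of empty input and a false "verified" result.
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # Single pass over the source: tee writes the image while sha256sum
    # hashes the exact byte stream dd produced.
    stream_hash=$(dd if="$src" bs=4096 conv=noerror,sync 2>/dev/null \
        | tee "$img" | sha256sum | cut -d' ' -f1)
    # Second pass: re-read what actually landed on the target.
    image_hash=$(sha256sum < "$img" | cut -d' ' -f1)
    if [ "$stream_hash" != "$image_hash" ]; then
        echo "MISMATCH: stream=$stream_hash image=$image_hash" >&2
        return 1
    fi
    printf '%s\n' "$image_hash"
}

# Constructed sample input: 1 MiB of random data (a multiple of bs).
demo_dir=$(mktemp -d)
head -c 1048576 /dev/urandom > "$demo_dir/old_disk"
image_and_verify "$demo_dir/old_disk" "$demo_dir/image_file"
# With no read errors, the image is also byte-identical to the source.
cmp "$demo_dir/old_disk" "$demo_dir/image_file" && echo "image matches source"
```

On a disk with bad blocks, the digest covers the stream as dd delivered it, zero placeholders included, so it shows that the image and later copies of it are identical, not that the image equals the original media.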