(No relation to the Linux DD command.)
PURPOSE OPERATION COMMAND LINES OPTIONS RELATED PROGRAMS
To examine contents of a hard or floppy disk, using low level disk read calls. (Superseded by the program hex_sect)
The program will read sectors off of a floppy or hard disk and display the sectors on the screen. If the output (-o) option is used, it will place the sector into an output file of your choosing. The individual sectors can also be placed to an output file a sector at a time by entering a w when viewing the sector.
When operating without options, the program will ask you which disk you wish to analyze, A, B, C, or D. Choose the A option if you want to analyze the disk in the first or A floppy disk drive.
Choose the C option if you wish to analyze the first physical hard disk (usually referred to as disk 0). A physical hard disk can have up to 4 partitions, and in most cases this is the choice you will make. If you have a second physical hard disk, then you can use the D option. Do not mistake the C and D options for the normal logical disk partitions that may be present on the disk.
If you choose the hard disk, the next screen will show you the partition information. This will help you in determining how many actual sectors the hard disk contains. Remember that each logical partition can contain a different number of sectors.
Next you will be asked the number of the sector you want to start the search at. A range will be displayed from 0 to the total number of sectors on the disk minus one. The first sector of the disk is 0.
You may find that other programs number their sector searches differently. DD starts with the first physical sector and counts from there. Some other programs start with the 1st logical sector after the partition information. Since this can leave as many as 33 sectors of head 0 unavailable, DD provides 2 logical sector numbers. The 1st is the counters, and the second is the adjusted value using some other software.
The next thing you will be asked is how many sectors to search. You can choose a predefined number or use 999 for the entire disk. The 999 eliminates you having to do arithmetic. I suggest using the 999.
Each sector is shown on the screen. To proceed you hit the return key, page up or page down, to see the next sector. There are other key options available which provide different output(explained below).
The screen shows each character in the sector as its printable ASCII graphic symbol. If you have chosen to place sectors to the printer, the unprintable characters are replaced by a ^ (carrot) symbol.
DD has two very important enhancements that are useful to law enforcement personnel when dealing with floppy disks.
The first is concerned with disks that may have been surreptitiously formatted with more than the standard number of sectors per track. For instance, on a standard 360K floppy disk there should be 9 sectors per track. However, when examining suspect disks you cant be certain. If the -x option is used the program will proceed normally until it detects an abnormal number of formatted sectors on a track. If it detects more sectors than are expected, it produces a beep, and waits for the user to hit the enter key before showing the contents of the additional sector(s). If the track is formatted properly, nothing unusual happens. Do not use the -x option on hard disks.
The second useful enhancement of DD is that when you choose to display a number of sectors greater than the disk reportedly has (ex., asking for 20 sectors when you started 5 before the theoretical last sector) the program will continue to read formatted sectors until there are none left. For instance, suppose you have a 360K disk which normally should have 720 sectors. You ask for DD to begin at sector 715 (leaving 5 sectors to show). You ask DD to display 10 sectors, or some number greater than the 5 remaining. When DD passes sector 720 (the expected end) it goes on to check the next sector (721). If there is one, indicating that someone is trying to hide data, it will continue its operation. It will then do one of three things: (1) continue operating until it cannot read any more formatted sectors; (2) continue until it has shown the amount of sectors you have asked for (in our example, 5 additional ones); or (3) the disk drive will die because its heads have been placed out of the normal operating range while continuing to read formatted data.(This is possible if the disk was formatted on a drive that is substantially more rugged than the drive you are reading it on.)
While viewing the data, if you enter a W the program will ask the user for an output file name, and will write the current sector to an output file. The output file, if it exists, will ALWAYS be appended to.
Be careful not to write the output file to the same drive that you are examining.
If you use the G goto option from the screens, you will be prompted to go to a sector or cluster number. On hard disks, because the program works on physical sectors, the cluster number is valid only when there is a single partition. If you need this feature changed contact Mares and Company for assistance.
Some special keys are:
TAB key will switch display from ASCII to HEX (toggle)
Space bar will stop the scrolling; return key will continue
UP ARROW will go back one sector
PG UP key will go back one sector
HOME key will go to sector 1 of the disk
W (W)rite: Will write current sector contents to file. User is asked for name of file to write to.
ESC and/or Control C (^C) will generally abort the program
DD will not work on disks that require a driver in the config.sys file, such as external 3 1/2" disks or a CD. If your 3 1/2 is an internal native disk of an A or B designation then it will work. If you have a 3 1/2" disk to evaluate you must do it on a machine with a 3 1/2" disk drive as its A or B drive.
WARNING: BECAUSE OF THE CAPACITY OF THIS PROGRAM TO READ ABNORMAL DISKS AND THE STRAIN IT MAY PUT ON DISK DRIVES THE AUTHOR CANNOT ASSUME ANY RESPONSIBILITY FOR ANY DAMAGE CAUSED TO DISKS OR DRIVES.
C:> dd
C:> dd -h
C:> dd -options
OPTIONS: [-aAhoOs]
-a: ascii Indicates that you want to show only those sectors that contain a majority of printable ASCII characters. This tends to eliminate all sectors that hold programs. The default for both the -a and -A options is to show all sectors that have at least 25% printable characters, between HEX 19 and 7e.
-A:ASCII Indicates that you want to show only those sectors that contain a majority of printable ASCII characters and those containing a hex 00(NULL). This will cause all directory sectors to be listed, plus others.
-p+# Use this option to adjust the default used by the -aA option. Replace the # with a percentage (exs., 10, 20, 30, 80 etc) to restrict the ascii test. This will then show only those sectors containing at least this # percentage ascii characters. (-p 30).
-h (h)elp: Asks for a help screen.
-s Scroll through the disk without stopping. While the program is processing, a TAB or space bar will stop the scrolling and allow you to view the sector. When placing sectors to an output file, the program will stop and ask for a disk change when there is less than 2K of free space on the output disk.
-o (o)utput: Tells the program you want to place selected output to an output file you will name. This options prompts the user for permission to write each sector, while -O does not.
-O Same as -o except this automatically writes each selected sector to the output without prompting for permission to write.
Norton's Diskeditor
top