"DD"-like util for Windows??
Hi all!!
Just a quick question: I'm looking for a tool (freeware, if possible ;) that gives me the same functionality on Windows that dd does on linux...
Specifically, I want to be able to read the first sectors (partition table, MBR, etc) off a Hard Disk and save them to a file (or read them from a file and write them to the disk).
Under linux, I could do something like:
dd if=/dev/hda of=bootsect.file bs=512 count=1
I have a port of dd for windows from the GNUtils ( http://unxutils.sf.net ), but I don't know how to point it to the "raw" physical disk (or to any specific device, for that matter)...
I'm pretty sure that there has to be a way to do that.... Mainly, I'm interested in a way to save the MBR of the HDD to/from a file, but the sort of control dd gives would be nice to have.
Thanks a lot
Javier Jarava
Monday, May 19, 2003
The "dd" from UnxUtils works fine under Windows 2000/XP. It's just the syntax that is different. For example, I use the following command to create an ISO from a CD-ROM:
dd if=\\.\r: of=x.iso
Ryan
Ryan Mitchell
Monday, May 19, 2003
Hi!
Thanks for the dd if=\\.\letter: tip
The thing I don't (quite) get is, what am I accessing to?
I mean, I have 4 partitions on my "HDA" disk (IDE 0:0), with letters C:, E: and H:
I have ~8 Gigs unpartitioned space _before_ my c: partition (for a soon-to-come Linux install, hopefully ;)
Gdisk32 says about my "1" drive:
K:\temp>gdisk32 1 /lba
Disk  Partitions  Cylinders  Heads  Sectors  Mbytes   Sectors
1     4           9726       255    63       76293.9  156250000

ID  Parent  Slot  Sys  Type      Starts    Ends       Offset    Sectors
00  --      0     07   PRIMARY   16386363  47118644   16386363  30732282
01  --      1     07   PRIMARY   47118645  88084394   47118645  40965750
02  --      2     0F   EXTENDED  88084395  156232124  88084395  68147730
03  02      0     07   LOGICAL   88084458  156232124  63        68147667
so, if I understand properly, when I do:
K:\temp>dd if=\\.\c: of=bootsect.dat bs=512 count=1
1+0 records in
1+0 records out
I am copying the first 512 bytes... of the "c:" partition?? Or is it from the underlying physical drive?
(it must be, because running similar commands for the E: and H: partitions gives me different output files, so the "origin" must be different)
so, what is the "device name" to use to access the "drive"?
Thanks a lot
Javier Jarava
Monday, May 19, 2003
Seems to me it's HardDisk0, HardDisk1, etc., but I'm not sure if that's exactly right.
Brad Wilson (dotnetguy.techieswithcats.com)
Monday, May 19, 2003
Apparently you can use the syntax \\.\PhysicalDrive0\Partition0. This is a result of some Google searching and I have no experience with it myself, so don't blame me if things go bad...
Lots of neat Windows dd tricks about halfway down this page: http://users.erols.com/gmgarner/forensics/. Looks like you can also dump physical memory, which is kind of cool.
Do a Google search on "PhysicalDrive0" for other reference pages.
Ryan
Ryan Mitchell
Monday, May 19, 2003
Thanks to everybody for the input...
The \\.\PhysicalDrive0 syntax looks like it did the trick ;)
At least, the command:
dd if=\\.\PhysicalDrive0 of=bootsec.dat bs=512 count=1
gives me a file that (at first look; have to look into it carefully :) seems to be what I needed
Thanks all for the help & tips (BTW, very interesting page on forensics ;)
Javier Jarava
Thursday, May 22, 2003
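The thread leaves two things open: what the 512 bytes dumped from \\.\PhysicalDrive0 actually contain, and why \\.\C: gave a different file. The script below is an added example (not posted by anyone in the thread). It parses a 512-byte sector as an MBR, lists the four partition-table slots, and tells an MBR apart from an NTFS volume boot sector, which is what \\.\C: hands back (the volume's first sector, not the disk's). The sample MBR is constructed here from the LBA values in the gdisk32 listing above so it runs offline; the real read uses Python's ordinary open() on \\.\PhysicalDrive0, which works on Windows 2000/XP and later when run as Administrator (that, and the fixed 512-byte sector size, are the example's assumptions).

```python
"""Inspect the first sector of a disk or volume: MBR partition table or boot sector?

Added example, not from the original thread.  Run with no arguments to parse a
constructed MBR built from the gdisk32 figures quoted in the thread, or pass a
path such as bootsec.dat or (as Administrator, on Windows) \\.\PhysicalDrive0.
"""
import struct
import sys

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # MBR: 446 bytes of boot code, then 4 x 16-byte entries
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of both an MBR and a volume boot sector

# Small subset of partition type IDs, enough for the partitions seen in the thread.
PART_TYPES = {0x05: "Extended", 0x07: "NTFS/HPFS", 0x0F: "Extended (LBA)",
              0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(sector):
    """Return the non-empty partition entries of an MBR as a list of dicts.

    Only the LBA fields are used; the legacy CHS bytes are skipped ('3x').
    """
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:                      # empty slot
            continue
        parts.append({
            "slot": slot,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "start": lba_start,
            "sectors": sectors,
            "end": lba_start + sectors - 1,  # inclusive last sector, as gdisk prints it
        })
    return parts


def identify_sector(sector):
    """Classify a first sector: NTFS volume boot sector, MBR, or unknown."""
    if sector[510:512] != BOOT_SIGNATURE:
        return "unknown (no boot signature)"
    if sector[3:11] == b"NTFS    ":          # NTFS OEM ID at offset 3, what \\.\C: returns
        return "NTFS volume boot sector"
    type_bytes = [sector[PART_TABLE_OFFSET + 4 + i * PART_ENTRY_SIZE] for i in range(4)]
    if any(type_bytes):
        return "MBR"
    return "unknown (signature but empty partition table)"


def read_first_sector(path):
    """Read the first 512 bytes of a file or raw device, e.g. r'\\\\.\\PhysicalDrive0'."""
    with open(path, "rb") as fh:            # raw device reads must be sector-aligned; 512 is
        return fh.read(SECTOR_SIZE)


def _entry(status, ptype, lba_start, sectors):
    # Constructed entry; CHS bytes set to FE FF FF ("use the LBA fields"), which parse_mbr ignores.
    return struct.pack("<B3sB3sII", status, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF",
                       lba_start, sectors)


# Constructed sample MBR using the starts/sector counts from the gdisk32 listing.
SAMPLE_MBR = (bytes(PART_TABLE_OFFSET)
              + _entry(0x80, 0x07, 16386363, 30732282)
              + _entry(0x00, 0x07, 47118645, 40965750)
              + _entry(0x00, 0x0F, 88084395, 68147730)
              + bytes(PART_ENTRY_SIZE)
              + BOOT_SIGNATURE)

# Constructed NTFS boot sector: jump instruction, OEM ID, zeroed BPB, signature.
SAMPLE_NTFS_BOOT = b"\xEB\x52\x90" + b"NTFS    " + bytes(SECTOR_SIZE - 11 - 2) + BOOT_SIGNATURE


def main(argv):
    sector = read_first_sector(argv[1]) if len(argv) > 1 else SAMPLE_MBR
    kind = identify_sector(sector)
    print("sector type:", kind)
    if kind == "MBR":
        print("slot boot type  starts     ends       sectors")
        for p in parse_mbr(sector):
            print("%-4d %-4s %02X    %-10d %-10d %d" % (p["slot"], "*" if p["bootable"] else "",
                                                        p["type"], p["start"], p["end"], p["sectors"]))


if __name__ == "__main__":
    main(sys.argv)
```

Running it without arguments reproduces the three PRIMARY/EXTENDED rows of the gdisk32 output; the LOGICAL row is not there because logical partitions live in the extended partition's own chain of boot records, not in the MBR. Pointing it at a dump taken from \\.\C: reports an NTFS boot sector, which is why the per-letter dumps in the thread differed from each other and from the PhysicalDrive0 one.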