Invoke-ForensicDD
NAME Invoke-ForensicDD
SYNOPSIS
Gets a byte-for-byte copy of a file, disk, or partition.
SYNTAX
Invoke-ForensicDD -InFile <String> [-OutFile <String>] -Offset <UInt64> [-BlockSize <UInt32>] -Count <UInt32>
[<CommonParameters>]
DESCRIPTION
The Invoke-ForensicDD cmdlet generates and returns an exact copy of a file, disk, or partition.
Use the Offset (starting point), BlockSize (bytes per operation), and Count (number of blocks) parameters to determine the
segment of the InFile that is copied.
This cmdlet is designed to work just like the popular dd Unix utility. For information about the dd utility, see "dd
(Unix)" (https://en.wikipedia.org/wiki/Dd_%28Unix%29) in Wikipedia.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the
Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
PARAMETERS
-InFile <String>
Specifies the file, disk or partition to be copied, for example \\.\PHYSICALDRIVE0, \\.\HARDDISKVOLUME1, or
\\.\C:. This parameter is required.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-OutFile [<String>]
Writes the output to the specified file or directory.
This parameter is optional. By default, Invoke-ForensicDD writes the output to standard output ("stdout"),
which is the Windows PowerShell console, but you can use this parameter to redirect the output to a file.
Required? false
Position? named
Default value Stdout
Accept pipeline input? false
Accept wildcard characters? false
-Offset [<UInt64>]
Specifies the starting point in the file for the copy operation as a byte offset. This parameter is required.
Required? false
Position? named
Default value 0
Accept pipeline input? false
Accept wildcard characters? false
-BlockSize [<UInt32>]
Specifies the number of bytes to read/write in each operation. The default value is 512 (1 disk sector).
When reading from a device, such as \\.\PHYSICALDRIVE0 or \\.\C:, the value of BlockSize must be divisible by
512.
Required? false
Position? named
Default value 512
Accept pipeline input? false
Accept wildcard characters? false
-Count <UInt32>
Specifies the number of blocks that Invoke-ForensicDD reads from the file, disk, or partition. This parameter
is required.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
You cannot pipe input to this cmdlet.
OUTPUTS
System.Byte[]
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\>Invoke-ForensicDD -InFile \\.\PHYSICALDRIVE0 -Offset 0 -Count 1
This command copies the first sector (the Master Boot Record) of the
\\.\PHYSICALDRIVE0 disk to the console.
The command uses the default values for OutFile (stdout; the Windows PowerShell console) and BlockSize (512; 1
sector).
-------------------------- EXAMPLE 2 --------------------------
[ADMIN]: PS C:\>Invoke-ForensicDD -InFile \\.\HARDDISKVOLUME1 -OutFile C:\Users\Public\Desktop\MBR
-Offset 512 -BlockSize 1024 -Count 3
This command copies three 1024-byte blocks of the specified volume to a file in the C:\Users\Public\Desktop\MBR
directory. It begins copying at the second sector (after the 512-byte offset).
It uses the Offset parameter to specify the starting point of the copy operation, the BlockSize parameter to
specify the bytes per copy operation, and the Count parameter to specify the number of copy operations.
It also uses the OutFile parameter to specify a location for the output. The default is writing to the Windows
PowerShell console (stdout).
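The following script is an added example, not part of the PowerForensics help or module: it wraps Invoke-ForensicDD so callers pass sector numbers instead of raw byte offsets, enforces the 512-byte BlockSize rule for devices, checks the acquired MBR for its boot signature, and records a SHA-256 hash so the bytes can be tied to an evidence log. The function names, the C:\Evidence paths and the hash/log format are assumptions; it relies on the module being imported in an elevated session, as the help requires.

```powershell
# Added example (not from the PowerForensics help): acquire a sector range with
# Invoke-ForensicDD, verify the MBR boot signature, and log a SHA-256 hash.
function Get-SectorRange {
    param(
        [Parameter(Mandatory)] [string] $Device,       # e.g. \\.\PHYSICALDRIVE0
        [Parameter(Mandatory)] [uint64] $StartSector,
        [Parameter(Mandatory)] [uint32] $SectorCount,
        [uint32] $SectorSize = 512
    )
    # Offset is a byte offset, not a sector number, and device reads must use a
    # BlockSize divisible by 512, so validate and convert here once.
    if ($SectorSize % 512 -ne 0) { throw "BlockSize must be divisible by 512 when reading a device" }
    $offset = [uint64]$StartSector * [uint64]$SectorSize
    # Without -OutFile the cmdlet returns System.Byte[]; collect it into one array.
    [byte[]] $bytes = Invoke-ForensicDD -InFile $Device -Offset $offset -BlockSize $SectorSize -Count $SectorCount
    return $bytes
}

function Test-MbrSignature {
    param([Parameter(Mandatory)] [byte[]] $Sector)
    # A valid MBR ends with the boot signature 0x55 0xAA at bytes 510 and 511.
    return ($Sector.Length -ge 512 -and $Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
}

function Get-BytesSha256 {
    param([Parameter(Mandatory)] [byte[]] $Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return ([System.BitConverter]::ToString($sha.ComputeHash($Bytes))).Replace('-', '') }
    finally { $sha.Dispose() }
}

# Acquire sector 0 (the MBR) of the first physical disk, check it, hash it, keep a copy.
$device = '\\.\PHYSICALDRIVE0'
$mbr = Get-SectorRange -Device $device -StartSector 0 -SectorCount 1
if (-not (Test-MbrSignature -Sector $mbr)) {
    Write-Warning "Sector 0 of $device lacks the 0x55AA boot signature; the disk may be GPT-only or the read failed"
}
$hash = Get-BytesSha256 -Bytes $mbr
New-Item -ItemType Directory -Path 'C:\Evidence' -Force | Out-Null        # assumed evidence location
[System.IO.File]::WriteAllBytes('C:\Evidence\mbr.bin', $mbr)
"{0}  {1} sector 0  sha256={2}" -f (Get-Date -Format o), $device, $hash |
    Add-Content -Path 'C:\Evidence\acquisition.log'
```

Re-running Get-SectorRange on the same device and comparing the hash is a cheap way to confirm the read was stable before relying on the image.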
RELATED LINKS