When you delete a file from a device, let's say an USB stick, then (without doing any further stuff) only the entry in the filesystem is deleted, the raw bytes of this file are still on the device (that's why file recovery tools work by scanning the physical sectors on the drive one by one).
Now, if I do
dd if=/path/to/usbdrive of=/backup/usbdrive.img
the content of USB drive will be copied to the specified file.
When arriving at the location where the deleted file was, will dd copy zeros or will it copy the file content that physically is still there?
Answer
dd merely copies an input stream of bytes to an output stream of bytes. Both input and output must be an actual file. It won't operate on a directory. So in your example above, if /path/to/usbdrive is a device node (i.e. /dev/usb or whatever) then it does a block-level copy since /dev/usb is a block device. It will copy the file content that was still there in that case. But you wouldn't be able to point the input stream to the file you just deleted because you wouldn't have the handle to it anymore.
No comments:
Post a Comment