Forensicsdata recoverydisk imagingio errorsdata protectionsecure deletion

dd_rescue

dd_rescue is a data recovery tool that copies data from failing disks without aborting on I/O errors, unlike standard Unix tools. It also supports secure data deletion by overwriting files or disks multiple times.

Description

dd_rescue is designed for recovering data from crashed or damaged disks where standard tools like cp, cat, and dd fail by aborting on errors. It continues copying despite I/O issues, optimizing with large blocks when possible and falling back to smaller ones on errors. This makes it ideal for forensic data extraction from unreliable media.

Key use cases include disk imaging for data recovery, approaching bad sectors from multiple directions, sparse copying, and preallocating space. It bypasses kernel pagecache with O_DIRECT and supports splice zerocopy for efficiency. Additionally, it provides data protection through multiple overwrite passes with random numbers.

With plugins like ddr_hash, it can compute hashes such as SHA256 or HMAC during copying. The tool handles files, devices, or pipes as input/output, making it versatile for partitions and full disks in cybersecurity and forensics workflows.

How It Works

dd_rescue uses adaptive block sizes: large softbs (default 131072 bytes) for error-free areas, falling back to hardbs (default 4096 bytes) on errors. It supports reverse copying to approach bad spots, sparse file handling, and direct I/O to skip pagecache. For secure deletion, it generates pseudo-random data via PRNG from seeds, /dev/urandom, or frandom, applying 1-4 passes (e.g., random, inverse random, zero). Progress tracking shows ipos/opos, transfer rates, errors, and ETA. Features like O_DIRECT, splice, fallocate, and plugins for hashing/compression enhance performance and integrity.

Installation

bash

sudo apt install ddrescue

Flags

-s iposstart position in input file (default=0)

-S oposstart position in output file (def=ipos)

-b softbsblock size for copy operation (def=131072, 1048576 for -d)

-B hardbsfallback block size in case of errs (def=4096, 512 for -d)

-e maxerrexit after maxerr errors (def=0=infinite)

-m maxxfermaximum amount of data to be transferred (def=0=inf)

-Mavoid extending outfile

-xcount opos from the end of outfile (eXtend)

-y syncszfrequency of fsync calls in bytes (def=512*softbs)

Examples

Start at position 100 of the input file and write beginning at position 0 of the destination file

dd_rescue -s 100 /var/log/messages -S 0 /tmp/ddrescue-out

Show help and version information with available options

dd_rescue -h

Use PRNG from libc with SEED for input instead of infile for random data generation

dd_rescue -z SEED infile outfile

Use /dev/urandom as SEEDFILE for good pseudo random numbers as input

dd_rescue -z /dev/urandom infile outfile

Overwrite outfile 3 times (r,ir,0, BSI M7.15) using SEED

dd_rescue -3 SEED outfile

Overwrite outfile 4 times with additional random pass (r,ir,r2,0) using SEEDFILE

dd_rescue -4 SEEDFILE outfile

Overwrite outfile once with random pass then zero (r,0) using SEED

dd_rescue -2 SEED outfile

Updated 2026-04-16kali.org ↗