Image Creation

From CGSecurity


In the Advanced menu, Image Creation lets you image a partition to a file named image.dd. This command can be used for

  • forensic purposes
  • dealing with a damaged hard disk

Recommendations:

  • The destination filesystem must have enough space to store the file. Note that the size of the image is equal to the size of the partition, but storing a file requires more space than the file size because of the filesystem overhead.
  • Avoid choosing a FAT filesystem for the destination if the partition to copy is bigger than 2GB.
  • If the original hard disk has bad sectors, prefer a SATA or PATA connection instead of USB.

How to use the image?

TestDisk and PhotoRec can work on disk images and partition images; you only need to supply the filename as a parameter. For example, under Windows, run cmd and at the command prompt type:

cd testdisk-6.11.3/win
testdisk_win.exe image.dd

There is no difference in the functions offered by TestDisk and PhotoRec when working on a copy instead of the original media. For example, the TestDisk Advanced menu can be used to list and copy files from FAT, NTFS and ext2/ext3/ext4 partitions, and PhotoRec can be used to carve data from a damaged filesystem.

If the filesystem isn't damaged (or not too badly damaged), it's also possible to access the content using native Linux or Mac OS X commands:

  • Linux: mount -o loop,ro image.dd directory
  • Mac OS X: rename image.dd to image.img or image.dmg and double-click on the file

How to restore the image?

It is possible to restore a partition from the image file, but it's a risky operation. In the following example, the content of partition /dev/hdb1 will be overwritten with the image using the dd tool (a standard Linux/Unix/Mac OS X command; dd for Windows also exists).

dd if=image.dd of=/dev/hdb1

Warnings:

  • The destination should be of equal size or bigger than the image file.
  • The content of the destination will be lost.
  • This operation can't be reversed.
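
The size warning above can be enforced before dd is allowed to write anything. The following shell wrapper is an added example, not part of the original page or of TestDisk: it refuses to restore when the destination is smaller than the image and reads the data back afterwards to compare it with the image. The function names are hypothetical, and it assumes a Linux system with GNU coreutils and, for block devices, util-linux blockdev.

```shell
# Added example: function names are hypothetical, not TestDisk commands.

# Print the size in bytes of a regular file or (on Linux) a block device.
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Return 0 only if the destination can hold the whole image.
fits() {
    img_size=$(size_of "$1") || return 2
    dst_size=$(size_of "$2") || return 2
    [ "$dst_size" -ge "$img_size" ]
}

# Restore the image onto the destination, then read it back and compare.
# Return codes: 0 ok, 1 destination too small, 2 bad argument,
#               3 dd failed, 4 read-back differs from the image.
restore_image() {
    img=$1
    dst=$2
    [ -r "$img" ] || { echo "cannot read $img" >&2; return 2; }
    [ -e "$dst" ] || { echo "no such destination: $dst" >&2; return 2; }
    fits "$img" "$dst" || { echo "destination is smaller than the image" >&2; return 1; }
    # conv=notrunc only matters when the destination is a regular file
    # (for instance a test copy): it stops dd from truncating it.
    dd if="$img" of="$dst" bs=1048576 conv=notrunc 2>/dev/null || return 3
    sync
    # Compare only the first <image size> bytes; a larger destination
    # keeps whatever it held beyond that point.
    cmp -n "$(size_of "$img")" "$img" "$dst" || return 4
}
```

Called as restore_image image.dd /dev/hdb1, it overwrites the destination exactly as the plain dd command does, so the other two warnings still apply.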