# Clone a hard drive on Ubuntu

Whether you have just bought a new disk, want to make a backup, or have any other reason, you want an identical copy of the contents of a hard disk or a USB key. But since you can never be too careful, your best bet is to make sure that you don't touch the original. We show you how to do it on Ubuntu Desktop.

During an expert examination, when we have to investigate an exhibit from a case file, it is important to keep it intact.

Imagine... You open your seal and plug in the hard drive it contained. One wrong move, and presto! Evidence disappears...

Before doing anything else, it is therefore essential to copy hard disks and USB keys, so that you can work on the copies with peace of mind.

So we'll show you how to do it using Ubuntu.

# Disable automount

To avoid modifying anything by accident, the first thing to do is to turn off automount. For that, we need to install the dconf-editor package:

sudo apt-get install dconf-editor

Start dconf-editor and navigate to org.gnome.desktop.media-handling. From here you can disable automatic mounting of removable media by switching automount from I (on) to O (off).

You are now sure that your drive will not mount on its own, and that improper handling will not affect anything. You can therefore plug in your disk.

You will need to identify which device your disk corresponds to. For that, we use fdisk, which we ask to list all existing partitions.

sudo fdisk -l

SATA drives and SSDs appear as /dev/sd…, IDE drives as /dev/hd…. Use what you know about your hard drive to find it (its size, installed OS, etc.).

# Calculate the checksum

To be able to check whether data has been modified, we will calculate a checksum. Comparing the result before and after the operation verifies that no data has been altered.

We will use sha256sum, coupled to dd. On the one hand, because it is installed by default on Ubuntu, and on the other hand, because ANSSI (French National Agency for the Security of Information Systems) recommends SHA-256 for cryptographic fingerprints.

HashRule-2. For use beyond 2020, the minimum size of fingerprints generated by a hash function is 256 bits.

The SHA-256 hash mechanism defined in FIPS 180-2 complies with the standard.

Référentiel Général de Sécurité, ANSSI

By giving dd your device as its input (if) and piping the output to sha256sum, we get the SHA-256 fingerprint of the device.

sudo dd if=device | sha256sum

# Cloning the hard drive

We have plugged in the device, made sure we cannot do anything stupid, and taken a fingerprint. All that remains is to clone it. For that, we use dd again, with the following command:

sudo dd if=device of=fichier.iso conv=notrunc,noerror status=progress

Where the parameters have the following meaning:

• device is your device, in the case of my USB key, /dev/sdb
• fichier.iso is the image file where my device will be cloned,
• conv=notrunc,noerror means not to truncate the output file and to continue in case of error,
• status=progress lets me know where I am in my copy.

# Check integrity

Our copy is made. We will now calculate a new fingerprint of the device, in order to verify that it was not altered during the copy. Let's also check that the copy matches the original.

To do this, we simply reuse the earlier command, first on the device, then on its copy. Finally, we compare the fingerprints.

sudo dd if=device | sha256sum

Altered data would be detected by a different SHA-256 fingerprint:

• If that of the ISO file is different, I advise you to redo the copy.
• If that of the disk after copying is different, your disk has been corrupted; you could use the ISO image to overwrite the original disk.
• If both differ, it is too late, and if it matters, you may have to look at where they differ.
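
The whole procedure (fingerprint, clone, fingerprint again, compare) can be chained in one script. This is an added example, not part of the original article: the function names and verdict labels are made up for illustration, and GNU dd is assumed.

```bash
#!/bin/sh
# Added example. Function names and verdict labels are illustrative.
# Assumes GNU dd; reading a real device such as /dev/sdb needs root.

# SHA-256 fingerprint of a device or image, read through dd as in the article.
fingerprint() {
    dd if="$1" status=none | sha256sum | cut -d' ' -f1
}

# Compare three fingerprints: $1 device before, $2 image, $3 device after.
verdict() {
    if [ "$1" = "$2" ] && [ "$1" = "$3" ]; then
        echo OK
    elif [ "$1" = "$3" ]; then
        echo IMAGE_DIFFERS      # device unchanged, image wrong: redo the copy
    elif [ "$1" = "$2" ]; then
        echo DEVICE_CHANGED     # image still matches the pre-copy device
    else
        echo BOTH_DIFFER        # neither matches the pre-copy fingerprint
    fi
}

# clone_and_verify SOURCE IMAGE: prints the verdict, returns 0 only on OK.
clone_and_verify() {
    cv_src=$1
    cv_img=$2
    [ -r "$cv_src" ] || { echo "cannot read $cv_src" >&2; return 2; }
    cv_before=$(fingerprint "$cv_src")
    # notrunc keeps any old bytes past the end of a pre-existing image file;
    # the comparison below reports that case as IMAGE_DIFFERS.
    dd if="$cv_src" of="$cv_img" conv=notrunc,noerror status=none || return 2
    cv_image=$(fingerprint "$cv_img")
    cv_after=$(fingerprint "$cv_src")
    # Keep the three fingerprints on stderr for the case notes.
    echo "before=$cv_before image=$cv_image after=$cv_after" >&2
    cv_verdict=$(verdict "$cv_before" "$cv_image" "$cv_after")
    echo "$cv_verdict"
    [ "$cv_verdict" = OK ]
}

# Usage: clone_and_verify /dev/sdb fichier.iso
```

Writing onto an image file that already exists and is larger than the device is one way to end up with IMAGE_DIFFERS, because notrunc leaves the old tail in place.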

# And after?

Now that you have a clean copy of your device, you can put your original back in its small bag and close your seal.

If you are not a forensic expert and don't have to deal with seals, you can still be proud that you didn't change anything on your original disk.