tinyapps.org / blog


Extract strings from raw disk device or image

After filling a hard drive with zeroes (followed by a quick format), I wanted to ensure that no sensitive data remained. My first thought was to use a disk editor/viewer like iBored or Disk Investigator, but scrolling through millions of blocks gets dull pretty quickly. So I tried piping dd to strings - bingo:
$ sudo dd if=/dev/rdisk2 bs=512 | strings -a
QpQp
EFI PART
BSD  4.4
pEFI        FAT32   
Non-system disk
Press any key to reboot
RRaA
rrAaA'
...
Initially, I used sudo kill -s SIGINFO dd_pid to check on dd's progress, but then remembered dcfldd, an enhanced version of dd with a much better progress indicator (among many other improvements):
$ sudo dcfldd if=/dev/rdisk2 bs=512 | strings -a
QpQp
EFI PART
...
6144 blocks (3Mb) written.EFI        (
124928 blocks (61Mb) written.
...
UPDATE: While looking for a hex editor that would search for non-matching patterns, I stumbled upon an even simpler solution: use hexdump or od (syntax is the same for both):
$ hexdump /dev/rdisk2
0000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
Runs of identical lines are collapsed into a single asterisk unless the -v option is specified:
$ od -v /dev/rdisk2
0000000 0000 0000 0000 0000 0000 0000 0000 0000
0000010 0000 0000 0000 0000 0000 0000 0000 0000
0000020 0000 0000 0000 0000 0000 0000 0000 0000
...
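The same check as a script, added here as an example and not part of the original post: instead of dumping strings or hex, it lists which 512-byte sectors still hold any non-zero byte, so the remnants of the quick format can be told apart from data the wipe missed. The names nonzero_extents and sample_image are hypothetical, and the path is assumed to be an image file or device node the current user can read.

```python
import sys
import tempfile

SECTOR = 512  # same unit as bs=512 in the dd commands above


def nonzero_extents(path, sector=SECTOR, chunk_sectors=2048):
    """Return [(first_sector, sector_count), ...] for each run of non-zero sectors."""
    extents, start, index = [], None, 0     # start: first sector of the open run
    zero = bytes(sector)
    with open(path, "rb") as dev:
        while chunk := dev.read(sector * chunk_sectors):
            if chunk.count(0) == len(chunk):            # fast path: chunk is all zeroes
                if start is not None:
                    extents.append((start, index - start))
                    start = None
                index += -(-len(chunk) // sector)       # sectors in chunk, rounded up
                continue
            for off in range(0, len(chunk), sector):
                block = chunk[off:off + sector]
                dirty = block != zero[:len(block)]      # the final block may be short
                if dirty and start is None:
                    start = index
                elif not dirty and start is not None:
                    extents.append((start, index - start))
                    start = None
                index += 1
    if start is not None:                               # run reaches the end of the device
        extents.append((start, index - start))
    return extents


def sample_image():
    """Constructed 64-sector image: zeroes plus two leftover regions (not real data)."""
    img = bytearray(64 * SECTOR)
    img[1 * SECTOR:1 * SECTOR + 8] = b"EFI PART"            # sector 1
    img[40 * SECTOR + 500:40 * SECTOR + 520] = b"x" * 20    # straddles sectors 40 and 41
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = nonzero_extents(sys.argv[1])            # e.g. an image file or raw device
    else:                                               # no argument: scan the constructed sample
        with tempfile.NamedTemporaryFile() as tmp:
            tmp.write(sample_image())
            tmp.flush()
            found = nonzero_extents(tmp.name)
    for first, count in found:
        print(f"sectors {first}-{first + count - 1} non-zero (byte offset {first * SECTOR})")
```

Any extent it reports can then be inspected with hexdump or od at the printed byte offset.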

/mac | Apr 14, 2010

