Raw Disk Definition
The term raw disk refers to the accessing of the data on a hard disk drive (HDD) or other disk storage device or media directly at the individual byte level instead of through its filesystem as is usually done.
A filesystem is the hierarchy of directories (also referred to as the directory tree) and files that is used to organize information on a computer. On Linux and and other Unix-like operating systems, the directories start with the root directory (designated by a forward slash), which contains a series of subdirectories, each of which, in turn, contains further subdirectories, etc.
The use of filesystems offers some important advantages for computers as compared with just using the HDD as a raw disk. In particular, it provides a very intuitive means for organizing and finding files. Also, it provides a convenient means of hiding metadata (i.e., information about information, or about files in this case) that is of little interest to most users and would also be incomprehensible to most of them.
One of the most common reasons for accessing a raw disk is to retrieve files that were accidentally or deliberately deleted. Deleting files does not actually remove them from the disk, it merely makes them invisible through the filesystem and allows them to be overwritten at some future data when their disk space is reclaimed for new files.
Another use is making image copies of disks or sections thereof, including partitions (i.e., logically independent sections of HDDs), such as for backup of forensic use. The term image copy means an exact (i.e., bit for bit) copy, and it does not refer to graphic images.
It is easy to examine raw disks using Linux. All that is necessary is to locate the appropriate device in the /dev directory and then use standard read, search and copying commands. For example, to begin examining the HDD on a computer (or the first HDD if there are more than one), which is designated by /dev/hda, the cat command could be used by the root (i.e., administrative) user as follows:
Because of the huge amount of data on a disk drive, it is convenient to be able to read it one page at a time rather than have it all fly down the screen at high speed. Thus, the output of cat /dev/hda is piped (which is designated by the vertical bar character) to the less command, which allows it to be displayed one screenful at a time.
It is also easy to work with raw disks on computers on which other operating systems, such as Microsoft Windows systems, are installed. This can be accomplished by booting (i.e., starting the computer) from a liveCD version of Linux such as Knoppix instead of from the operating system installed on the HDD. A liveCD is a CDROM that contains an operating system that is configured so that a computer can boot directly from it instead of from the installed system.
Attempting to edit raw disks is very risky and should be avoided if at all possible. This is because even a single byte out of place can cause a computer to malfunction, and it could result in the need to reinstall the operating system and the possible loss of data.
Created April 26, 2006.