Unit 3: Unix/Linux File System 3.1 Unix/Linux File System Sleuthkit Continued

>> Let's continue our study of Sleuthkit commands and functions.

ils can list all inodes, along with the information stored in inodes,
including inodes of deleted files and inodes of unlinked but opened files.

By default, ils only lists the inodes of removed files, given a disk device or a disk image file.

The output of ils is not user-friendly.

It is common to use the -m option to generate a data file
for another Sleuthkit command called mactime to regenerate the result.

mactime will sort the ils results to create a timeline of file activities.

We will cover mactime in detail later.

Here is an example of using ils with option -m to generate a body file.

After running mactime, given this body file, we get a sorted timeline.

Now, look at this timeline result.

Each entry starts with the date and the time, followed by the file size.

C means it was last changed.

This is followed by permission, uid, gid, and inode.

That 127 means this inode has been marked as deleted.

icat will dump out the content of a file whose inode number is given as an input.

We can use icat and ils together to recover all deleted file content.

First we use ils and mactime.

Let's assume we got the deleted file's inode number 127 as shown.

Then we use icat to get the deleted file's content.

fls displays file names and sub-directories in a directory,
including deleted files, given an inode of a directory.

The output of fls is similar to ils
with an additional piece of information: the file name.

To list all deleted files and directories, we use fls followed by -m and other options.

Using fls with mactime, you will get the entry result, the sorted result.

Please be aware that if the file name entry is overwritten, fls will not be able
to list the deleted files; however, ils may still be able to list a deleted entry
if the inode content is still available.

ffind finds the file name for a given inode number.

This tool processes the full directory tree and then looks for an entry
that points to the given inode number.

For file systems that do not delete the pointer from the file name structure
to the metadata structure, the deleted file name can also be found.

If you are interested in file systems, you can read the paper System Forensic Analysis listed
in the additional resources section.

In summary, we reviewed Linux/Unix file systems
to help us understand how the forensic analysis tool Sleuthkit recovers deleted files.
In the next unit we will continue to learn how
to use forensic analysis technologies to examine Linux/Unix systems.
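The ils -m / mactime / icat workflow described in this unit, and the bar-separated body file opened in the demo that follows, as an added example that is not part of the original lecture: a small Python script that parses Sleuth Kit body lines (the sample lines are constructed), builds a mactime-style sorted timeline with MACB flags, and picks out the deleted inodes that would be handed to icat. It assumes the deleted-name markers " (deleted)" and "<image-dead-N>" match what fls -m and ils -m write.

```python
"""Mactime-style timeline from a Sleuth Kit body file (added example, not TSK code)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Body-file layout written by `fls -m` and `ils -m` (TSK 3.x):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")

# Constructed sample: one live file, and the same deleted inode 127 as seen by
# fls (name still in the directory) and by ils (name gone, inode only).
SAMPLE_BODY = """\
0|/financial_statement.txt|46082|r/rrw-r--r--|1000|1000|43|1262307600|1262304000|1262304000|0
0|/notes.txt (deleted)|127|r/rrw-------|1000|1000|512|1262310000|1262310000|1262311000|0
0|<image-dead-127>|127|-/-rw-------|1000|1000|512|1262310000|1262310000|1262311000|0
"""


@dataclass(frozen=True)
class Event:
    ts: int
    size: int
    macb: str   # one of "m", "a", "c", "b" or "." in each position
    mode: str
    uid: int
    gid: int
    inode: int
    name: str


def parse_body(text):
    """Split body lines into dicts; reject lines with the wrong field count."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        for key in ("inode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_deleted(name):
    """Assumed markers: fls -m appends ' (deleted)', ils -m names unlinked inodes <img-dead-N>."""
    return name.endswith("(deleted)") or "-dead-" in name


def build_timeline(records):
    """One Event per distinct timestamp of a record, flagged like mactime's MACB column."""
    events = []
    for rec in records:
        by_ts = {}
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            ts = rec[key]
            if ts == 0:          # zero means "not recorded" (e.g. no crtime on ext2)
                continue
            by_ts.setdefault(ts, set()).add(flag)
        for ts, flags in by_ts.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            events.append(Event(ts, rec["size"], macb, rec["mode"], rec["uid"],
                                rec["gid"], rec["inode"], rec["name"]))
    return sorted(events, key=lambda e: (e.ts, e.name))


def deleted_inodes(records):
    """Inode numbers worth passing to icat for content recovery."""
    return {rec["inode"] for rec in records if is_deleted(rec["name"])}


def format_event(ev):
    """Render one line the way the lecture reads the timeline: date, size, MACB, perms, uid, gid, inode."""
    when = datetime.fromtimestamp(ev.ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
    return f"{when} {ev.size:>8} {ev.macb} {ev.mode} {ev.uid} {ev.gid} {ev.inode} {ev.name}"


if __name__ == "__main__":
    recs = parse_body(SAMPLE_BODY)
    for ev in build_timeline(recs):
        print(format_event(ev))
    print("deleted inodes to feed to icat:", sorted(deleted_inodes(recs)))
```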


Sleuthkit Demo

 

>> In this demo, I will use the free virtual machine called SANS Investigative Forensic
Toolkit to demonstrate how to use the Sleuth Kit command line to analyze a Linux image.

Before we jump into Sleuth Kit tools, first let me show you what's the difference
between a hard link and a soft link.

So, currently I'm in the temp directory.

I need to move all of the--
Remove that.

OK. So, currently we have two files here.

One is file zero, one is test.

Let's see what is in file zero.

So, current-- the content is "welcome" in file zero, and now let's use ls -l,
the way we usually do, and I-- but I also add an option called -i, which is for inode.

Now, in this case, we will see for file zero this is the normal information you see from ls,
OK, but this-- the first one is the inode.

OK? So, each file has an inode.

So, file zero has an inode.

This is the inode number, and then here is the permission and the link count.

Link count means how many files point to the same inode,
because I said each file has an inode; I did not say an inode can only be used by one file.

So, link count means how many files point to this inode.

Currently it is one, so this inode is only pointed to by file zero.

So, so far so good.

And then here is another file called test, and this is test's inode, which is different.

Now, you see there the inodes are close to each other.

Actually, they are created at pretty much-- very close to each other in time.

All right.

So, now let me create a link.

So, I say link.

First I want to create a hard link.

The hard link is called file zero hard link, so I want to say link to this file,
and the hard link is called hard link.

OK. If you cannot remember which file goes first, it's very similar to the copy command.

Copy the original to the copy, and then here it is link the original file,
and then the link file is the second file name.

OK. So, now let's look at -li again.

OK. Now you see the file link.

File zero link, hard link.

This hard link links to file zero.

That's the original file.

If you look at the top two lines, you will notice those two files use the same inode.

Note this inode, actually, is pointed to by two files.

One is called file zero and one is called file zero HL.

Now its link count has increased to two.

So, after you create a hard link, actually the link count increments by one.

Increment one.

So, now it's two.

If you link file zero again, create another hard link, this will increase to three.

If you look at the other information, it is exactly the same.

Look at the other information besides the file name, all the other information,
the permissions, the size, and owners, and all that, including timestamps, exactly the same.

Why? Because that information, the metadata information, resides inside of the inode.

If you use the same inode, certainly that information will be different.

So, those two files, the only difference is the file name.

How about let me create a soft link.

So, create a soft link.

You use link -s. Again, the original file first, followed
by the soft link's file name, and I called it soft link.

So, now let's look at that again.

So, you-- now you see we have a soft link.

A soft link, it is a pointer.

It points to the original file zero.

OK? Points to file zero.

So, now in this case, the soft link, it has its own inode.

All right?

So, that's why the link count of file zero does not change.

It's two. It's two.

Because the hard link points to it; the soft link does not point to it.

And all the information is different, so this L means this is a soft link,
and the-- this is the link count.

And the file size, it's five.

Now, if we look at the original, file zero's file size, which is eight,
so that means the soft link does not copy the content of file zero.

So, what is in the soft link's content?

The soft link's content actually is the path and the file name of the file it points to.

In this case, it is file zero.

Even if you look at the file name, it shows you this is a pointer, because "file0"
has five characters; that's why the size is five.

And this is also why when you create-- if the content is large, then you create a soft link.

The soft link only stores the path information without storing
or duplicating the original data content.

So, now you should see the difference between a hard link and a soft link.

Hard link-- in summary, actually, it shares the same inode with the original file.

And then the soft link does not share the same inode.

It creates a new file, creates a new user, a new inode,
but the content is only the path information.

Now let's look into Sleuth Kit command lines.

So, I have an image here.

It's called Linux financial case dot zero zero one.

The dot zero zero one means this is a dd image,
and actually I used FTK Imager to create the USB dongle image.

Now, before I start, I need to find out the information for the partitions.

Where does the partition start?

Because I need to point at the beginning of the partition; otherwise Sleuth Kit will not work.

To do that, we talked about two methods.

One is fdisk and one is mmls.

fdisk will only give-- will give us the partition information based on cylinders,
so we said it is not easy to use; then we use mmls from Sleuth Kit.

We just drag over this file to find out its partition information.

Now, this is the partition information; the starting point and end point are based on sectors.

It says units are in sectors.

So, that's easy to use.

And then the primary table used one sector, and then here is the Linux image we're interested in,
and then this is the unallocated space.

So, the Linux image, the starting point is at 2048 byte.

It's at 2048.

Now, we get this information, and this is the offset we need to use for the other--
for all of the other Sleuth Kit tools, because for Sleuth Kit to work, you have to give--
either carve out the partition, use dd to carve out this Linux partition
and then you directly use it, or you provide the offset option, so then it tells Sleuth Kit
to look into this offset, and then that's the beginning point of the partition.

So, instead of carving this partition out, we just use the offset to work on that.

Now, we need to find out what is the file system for this image.

So, we use fsstat, because that tells us the file system status information.

And once again, now we need to use this offset, 2048.

Otherwise it would-- it cannot recognize it, because the beginning is the master boot record
or other information, so it will not get into the partition.

So, in this case, I will say this file and then look into it based on this offset.

Now, if you look over, it gives you F-- fsstat gives you lots of information.

OK? It starts from here.

So, yeah, this is-- this is our command.

Yeah. And it says the file system is EXT2, OK, the volume name,
volume ID, and then the OS is Linux.

And then it starts to tell you all the file system for--
file system information, and then the inode range and free inodes,
and those are all covered in the lecture.

This is the-- actually, they interpret the superblock information in this.

We-- when we're using this command.

OK. Now, we see-- for each group, they talk about the inodes, have the superblock,
and then the inode bitmap, inode table, and all that information.

And then the range.

So, with this information, now we know the file system is EXT2.

EXT2. Now we can look further using other tools.

So, let's try-- how about let's use fls to list all of the files,
including deleted files, from this image.

And then fls -o. Again, so from now on we always have to provide this offset, unless you--
if you use dd to carve it out, it's easier.

Then you carve it out; then you needn't provide this offset.

And then the file system; now we already know it's EXT2.

And I talked about that in the class.

I said to be able to create a very-- it's a human readable view.

You need to use -m to create a body for mactime.

OK. And then we'll talk about mactime in another video, but we will do that.

So, this is the file system, and then -m. It says create the mactime version
and put all files in the slash-- in the slash-- and then recursively--
this -r is recursively-- goes through all of the directories, sub-directories, to generate that.

And then provide the file name.

Oops. OK. Got the E. And then-- if you don't do anything, it will print out to standard
out on the screen, but now I want to redirect, and I said I put it into the body
because later I will use mactime to interpret that.

OK? So, I create the fls body file for mactime to work.

That's good.

And what about the deleted files, if they do not have a file name?
Those files will not be listed in the fls body.

So, let me try to use ils.

We also talked about ils in the class.

So, ils, the difference-- the only difference is
that ils does not give you the file name information,
because that's not at the inode level.

The inode does not have file name information.

So, it's all the same, but if you-- here, because it doesn't have the file name--
so, we do not have this directory.

So, let me look over ils.

Start from the offset, and then here is the file system,
and we want to generate a body for mactime.

Oh, by the way, -r is different.

-r in ils means only collect the deleted files.

It's not recursive, OK, meaning-- but it's the default, so I don't even-- needn't--
I needn't use this -r because it's the default.

So, ils -r -o and then here's the file name, and then definitely I want to do ils.
OK. All right.

So, we create both sets.


Now, if you want to look at-- OK.

Oh, where is the file?

It should be in-- currently it is in temp.

OK. So, the temp directory has an fls body and an ils body.

Those are not human readable, but-- human readable-- but I opened it anyway.

In the next-- the-- next week's video will--
I want to show you how to generate a human readable mactime timeline,
but in this case I'm just opening that up.

So, this is what it looks like.

It separates by bars, and this is the format mactime will use.

mactime will use this time format and take each field out to generate the mactime timeline.

Now, the inode actually is in this field.

So, this is the inode, and then here this is the file name here.

Sorry, not file name-- yeah.

It's the file name here, because this is fls, which has a file name.

Inode information, and then all that is the inode information.

Now, with this file, now you know you can play around with some inode, OK, with some inode,
and then we can use other tools, because the other tools in the--
at the i level, we need to give an inode, but where do the inodes come from?
This file does give you information about the inode.

And later, if you learn from mactime, and then that-- the format even--
the output is even clearer to show you what is the inode, but based on--
well, to my knowledge, yeah, this is the inode information.

OK. So, everything you see, this is directly followed by the file name; that's the inode.

OK. Now we know some inode numbers I can play with.

Let's close that.

Now let's practice, practice more, because we already know the inode, and let's try istat.

istat -o again, 2048.

And file system EXT2.

And then the file name.

Oops. Where is my image?

OK. Sorry.

The image somehow moved to that place.

OK. Moved it back.

OK. So, that's the image name, and then I-- for istat, it says given an inode,
tell me what's the status of this inode.

So, I pick an inode from the previous file, the ils and fls I just ran.

That's why I ran them first, because I need to know what are the inodes I can play
around with, and I pick one from that list.

OK. So, given this inode, what is the information residing in this inode?

Now, the inode has all of the metadata information but without file name information.
We know that.

So, this is the inode number.

It tells you it's allocated.

It is in group six.

OK. If you'll remember when we did the fsstat, it tells you group-- several groups.

And the general information, and this is the UID, GID, and then the permissions.

And size, number of links, link count, OK, and the MAC time-- MAC time.

Now, this is the one interesting.

I want to know what are the data blocks.

In this case, because the size is 43 only, it only needs one data block.

If-- for large size files, you will see all the data blocks listed here as a list.

OK? So, now I get it.

OK. This is 197122.

This is-- this is the data block used by this inode.

Lots of great information.

All right.


Next, I want to try another tool called istat.

istat says I needn't know-- I don't want to know the status, but just dump out information.

Dump out the content of the file.

All right?

So, istat-- OK.

Let me just be zero.

Let me just be lazy a little bit, and I--
because most of the information is pretty much the same, so I just do icat here.

Let me go through it.

icat, this offset, and then that for the same inode.

Now, in this case, it will dump out the content.

How does it know that?

It's easy.

Given the inode, it knows the data block, and then it dumps
out the information from the data block.

OK? So, all right.

So, this is actually the content inside of that file.

You can verify later once we find out if there's a file name or not.

If there's a file name, we can-- you can-- you can verify that.

So, here's a financial statement, and this is the information.

The content.

So, istat and icat, they are different.

Now, since we already found out one data block, we can play around with the data block command.

So, we do blkcat-- again, let me--
be lazy a little bit, and instead of that I do blkcat, block concatenate--
this is the same information, but this is a data block.

Data block, and then I need to give out not an inode number.

I have to give out a data block number, and we already know the data block--
we know one data block number; it's 19710-- 22.

This is from previous-- let's pick-- yeah, 197122.

OK. So, that's a data block we know.

So, this command basically says dump out the information from this block.

Be careful.

In this case, there's only one data block.

OK? When we use icat, if that file uses multiple data blocks, it will chain them together
to give you the whole data, but this one always gives you the data block pointed
to by this number.

In this case, it's the same, because that inode only uses the same-- only uses one data block.

All right.

Now, next, let's try another command called ifind.

What does ifind do?

I always read it the-- read it the way-- the reverse way: to find the inode.

To find the inode given what?

Given the data block.

OK? Given the data block.

OK. So, let me again cheat a little bit, and I'm using this one.

So, I modify this.

Called ifind.

So, I want to find an inode given the data block.

Again, this is a data block number.

That's good.

Given the data block, can you tell me what is the inode number?

Use ifind.

OK. So, if everything runs correctly, it should give me the inode number, which is 46082.

OK? So, let's try that.

Oops. I did something wrong here.

No. The-- see-- I said I'd cheat a little bit, but actually I shouldn't.

I cannot cheat.

The-- the command line thinks it's different, and I cannot put the data block until at the end.

I have to say this is the data block number, 197122.

OK. So, here it-- again, so given the data block number, and then to find the inode number.

OK. Let's do it.

It's 46082.

That's good.
That's good.

So, here is how you go from the data block to identify the inode.

Why is this important?

Because if this inode uses multiple data blocks, and then you use one of the data blocks
to identify the inode, now you can use istat.

Now, if you use istat followed by this inode number, you can get the rest of the other data blocks;
then you identify the other data blocks.

So, that's fantastic.


At last, let's try one more, ffind.

Should I be brave enough to use the previous one?

Let's try the previous one.

OK. I think it's similar to this one.

Yeah. So, I want to use ifind.

Oh, sorry.

ffind. Now, what does ffind mean?

So, it's-- again, read backwards.

Find file name.
Find file name.

OK?

But given what?

Given inode.

Given inode to find file name.

So, that information is all the same, and you have to give an inode.

OK? Now, in this case, if this inode has a file, it's allocated, right?

Earlier on we have seen.

It's allocated, so it should have a file name.

OK. So, this is the file name corresponding to this inode.

By the way, this information-- where does the mapping information reside?

The file name mapped to the inode?

This is the content of the parent directory.

OK. The directory's content stores all of the information of the mapping
between files and subdirectories and inodes.

So, that's the information.

So, from here, we have-- we tried the data layer, and then the inode layer--
file system layer, and the file name layer commands.

There are more commands; you can play around with them.

Now, I use this virtual machine because this SIFT virtual machine has all the
tools installed.

I needn't install anything.

If you'd like to know whether a tool is there or not,
usually I use which, so let's say which ffind.

It tells me where the-- where-- whether this command exists
or not, and then where it is located.

So, I really encourage you to be able to take advantage of this free virtual machine,
and then it's a fantastic one to practice forensics tools.

Hopefully you enjoy it.
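The hard link versus soft link comparison from the demo, as an added example that is not part of the original page: a Python script that reproduces the ls -li observations (same inode and link count 2 for the hard link; a separate inode of size 5 holding the path "file0" for the soft link) and goes one step beyond the demo by unlinking the original to show that the hard link keeps the data while the soft link dangles. The file names and the 8-byte "welcome" content are constructed to match the demo; it assumes a Linux/Unix file system.

```python
"""Hard link vs. soft link, checked through the inode fields ls -li shows (added example)."""
import os
import tempfile


def link_demo(content=b"welcome\n"):
    """Create file0, a hard link and a symlink to it; return what the inodes say."""
    with tempfile.TemporaryDirectory() as tmp:
        orig = os.path.join(tmp, "file0")
        with open(orig, "wb") as fh:
            fh.write(content)
        base = os.stat(orig)

        # `ln file0 file0_HL`: a second directory entry for the same inode
        hard = os.path.join(tmp, "file0_HL")
        os.link(orig, hard)
        after_hard = os.stat(orig)

        # `ln -s file0 file0_SL`: a new inode whose data is just the path "file0"
        soft = os.path.join(tmp, "file0_SL")
        os.symlink("file0", soft)
        after_soft = os.stat(orig)
        soft_meta = os.lstat(soft)   # lstat: the link itself, not what it points to

        result = {
            "nlink_before": base.st_nlink,
            "nlink_after_hard": after_hard.st_nlink,
            "hard_same_inode": os.stat(hard).st_ino == base.st_ino,
            "nlink_after_soft": after_soft.st_nlink,   # symlink does not count
            "soft_same_inode": soft_meta.st_ino == base.st_ino,
            "soft_size": soft_meta.st_size,            # length of "file0"
            "soft_target": os.readlink(soft),
            "orig_size": base.st_size,
        }

        # Beyond the demo: remove the original name. The data survives through
        # the hard link (link count drops to 1); the symlink now points at nothing.
        os.unlink(orig)
        result["hard_nlink_after_unlink"] = os.stat(hard).st_nlink
        with open(hard, "rb") as fh:
            result["hard_content_after_unlink"] = fh.read()
        result["soft_dangling"] = os.path.lexists(soft) and not os.path.exists(soft)
        return result


if __name__ == "__main__":
    for key, value in link_demo().items():
        print(f"{key}: {value}")
```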


Reposted from: https://www.cnblogs.com/sec875/articles/10015573.html
