Unit 4: Unix/Linux Forensics Analysis 4.1 Unix/Linux Forensics Analysis Forensic Analysis Prepar...

>> In the last unit, we reviewed Linux/Unix file systems and used Sleuthkit as an example to see
how a forensic analysis tool retrieves data from Linux/Unix file systems.

This week we will study where data commonly hides in Linux/Unix file systems
and how to utilize forensic analysis technologies to find evidence for investigation.

We will focus on Linux/Unix files such as the password file, log files, history files,
hidden files, set-UID/set-GID files, recently modified binaries,
and recently created and deleted files, among others.

I will also introduce analysis utilities, including keyword search,
hash analysis, and data carving.

Remember, we will always work on image copies of the original drive.

We start an analysis by examining the partition table on a suspect drive
to learn how many partitions exist on the drive, whether each partition is mounted,
and whether any data is hidden in the space between the partitions.

We then examine all pertinent information, including files, deleted files, emails,
pictures, visited websites, etc. We will put the MAC times in a timeline sequence
to tie events together and get a better understanding of what has happened.

Whenever we have a keyword, for example the names of the suspects involved in the case
or IP addresses that the suspect machine connected to and communicated with,
we conduct a keyword search using these terms to look for clues.

There are many sophisticated forensic analysis tools to facilitate analysis.

Forensic investigation demands not only knowledge but also experience,
reasoning, and communication skills.

Before we dive directly into GUI-based advanced forensic analysis tools,
let's go through some basic tools and steps to understand what is going
on behind these well-known GUI-based forensic tools.

When we seize a suspect machine or laptop, how do we know the drive has not been swapped?

CyanLine LLC discovered that most hard drives have a built-in self-monitoring, analysis
and reporting technology, SMART for short.

It can reveal the exact number of times that the examined hard drive has been powered on
and the exact number of hours that the suspect hard drive has been in use inside a computer.

SMART was developed by hard drive manufacturers to help drive owners
assess their drive's physical usage; however, it can provide computer forensic examiners
with crucial information in some scenarios.

For example, assume you seize a two-year-old laptop and you find
that the hard disk does not contain a reasonable amount
of data for a two-year-old drive.

Although the suspect explains, "I reinstalled my computer," it becomes pretty clear
that the owner had swapped out the hard drive once you use a SMART tool.
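As an added example (not from the lecture), the following script reads the power-on hours and power-cycle count from smartctl-style attribute output and compares the hours with the age of the seized machine. The attribute table is constructed sample data, and the "at least one power-on hour per day" threshold is an assumed rule of thumb, not a rule from the lecture.

```shell
#!/bin/sh
# Added example: check SMART usage counters against a machine's age.
# SMART_SAMPLE is constructed; on a live system the table comes from: smartctl -A /dev/sda
SMART_SAMPLE='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       412
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       37'

# Return the RAW_VALUE of the attribute with the given ID (9 = hours, 12 = power cycles).
smart_raw() {
    printf '%s\n' "$SMART_SAMPLE" | awk -v id="$1" '$1 == id { print $NF }'
}

# Compare recorded power-on hours with the machine's age in days.
# Assumed heuristic: a drive in daily use accumulates at least one hour per day,
# so far fewer hours than days suggests the drive is not the one the laptop shipped with.
# Prints a verdict and returns 0 (consistent) or 1 (suspicious).
check_drive_age() {
    age_days="$1"
    hours=$(smart_raw 9)
    cycles=$(smart_raw 12)
    if [ "$hours" -lt "$age_days" ]; then
        echo "suspicious: ${hours}h power-on, ${cycles} power cycles over ${age_days} days"
        return 1
    fi
    echo "consistent: ${hours}h power-on, ${cycles} power cycles over ${age_days} days"
    return 0
}

check_drive_age 730 || true   # two-year-old laptop: prints "suspicious: ..."
```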

We start our forensic analysis by identifying partitions from a drive image.

We could use the Linux/Unix tool fdisk to show the partition information; however,
fdisk displays the start and end of a partition in units of cylinders.

In our example, /dev/hda1 starts at cylinder 1 and ends at cylinder 990.

If we use dd to carve out this partition, we have to convert the values
from cylinders to 512-byte sectors.

Media management ls, or mmls, from Sleuthkit is designed
to display partition information in units of 512-byte sectors.

Given a disk image, mmls interprets the MBR to display every partition entry
in a form that dd can use directly to carve out the partitions.

It also works with the GUID Partition Table, GPT.

Next we will mount partitions to start analysis.

Everyone should be familiar with the Linux/Unix command mount.

Here I will emphasize a couple of key options for forensic analysis purposes.

Assume my hda1.dd is a dd raw image file representing a single partition.

The command shown here mounts my hda1.dd at the mount point /mnt/hacked.

The read-only option, ro, has to be used to prevent mount from modifying anything.

Since my hda1.dd is a file, not a device, we also need to use the loopback device option, loop.

Note that with most sophisticated forensic analysis tools,
mounting will be done automatically.
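The partition-carving and mounting steps above, as an added example that is not part of the lecture: the script parses mmls-style output (constructed sample data for an MBR disk, in 512-byte sectors), emits one dd command per allocated partition, reports the unallocated gaps between partitions where data could be hidden, and builds the read-only loopback mount command. The noexec flag is an added precaution the lecture does not mention.

```shell
#!/bin/sh
# Added example: from mmls output to dd carving and a read-only loop mount.
# MMLS_SAMPLE is constructed; real output comes from: mmls disk.dd
MMLS_SAMPLE='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000208844   0000208782   Linux (0x83)
003:  -------   0000208845   0000208895   0000000051   Unallocated
004:  000:001   0000208896   0004194303   0003985408   Linux Swap / Solaris x86 (0x82)'

# Print one dd command per allocated partition (rows whose Slot looks like NNN:NNN).
# bs=512 matches the mmls unit, so Start and Length are used without conversion.
carve_commands() {
    image="$1"
    printf '%s\n' "$MMLS_SAMPLE" | awk -v img="$image" '
        $2 ~ /^[0-9]+:[0-9]+$/ {
            printf "dd if=%s of=part%s.dd bs=512 skip=%d count=%d\n",
                   img, substr($1, 1, 3), $3 + 0, $5 + 0
        }'
}

# Report unallocated runs longer than a threshold (in sectors). These gaps lie
# outside any file system and are a place to look for hidden data.
gaps_over() {
    printf '%s\n' "$MMLS_SAMPLE" | awk -v t="$1" '
        $2 == "-------" && $6 == "Unallocated" && ($5 + 0) > t {
            printf "gap sectors %d-%d (%d sectors)\n", $3 + 0, $4 + 0, $5 + 0
        }'
}

# Read-only loopback mount command for a carved partition image (built, not executed).
# ro keeps mount from touching the image; loop is needed because it is a file, not a device.
mount_command() {
    printf 'mount -o ro,loop,noexec %s %s\n' "$1" "$2"
}

carve_commands disk.dd
gaps_over 50
mount_command part002.dd /mnt/hacked
```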

Reprinted from: https://www.cnblogs.com/sec875/articles/10015595.html