Unit 4: Unix/Linux Forensics Analysis 4.1 Unix/Linux Forensics Analysis Additional Forensic Anal...

>> Besides timeline analysis, examiners will closely examine files, especially deleted files, log files, and history files; emails; pictures; etc., to find clues.

For example, they will identify files and inodes stored in abnormal locations. For instance, /dev should mostly contain character or block special files. Recently created regular files in /dev will receive an investigator's attention.

Also, inodes are usually allocated sequentially. If a list of inodes are created at around the same time, their inode numbers should be close to one another; therefore, if you find a utility or a file whose inode number is out of place, you should investigate further.
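Two of the checks just described, written here as an added Python example (it is not the lecture's own material): listing regular files directly under a directory such as /dev, and flagging files whose inode numbers sit far from those of their neighbours. The outlier threshold, the demo directory and the sample inode numbers are constructed for illustration.

```python
import os
import stat
import statistics
import tempfile

def regular_files_in(directory: str):
    """List regular files directly under `directory` as (path, inode, mtime).
    Pointed at /dev, which should hold character and block special files,
    anything this returns deserves a closer look."""
    found = []
    with os.scandir(directory) as entries:
        for entry in entries:
            try:
                st = entry.stat(follow_symlinks=False)
            except OSError:
                continue               # device vanished or unreadable: skip it
            if stat.S_ISREG(st.st_mode):
                found.append((entry.path, st.st_ino, st.st_mtime))
    return found

def inode_outliers(entries, max_gap: int = 1000):
    """entries: (name, inode) pairs from one directory. Files installed together are
    usually numbered close to one another, so a file whose inode is more than
    max_gap (a constructed threshold) from the group's median is flagged."""
    if len(entries) < 3:
        return []
    median = statistics.median(ino for _, ino in entries)
    return [name for name, ino in entries if abs(ino - median) > max_gap]

def demo():
    """Constructed directory with one regular file and one FIFO: only the regular file is reported."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("x")
    os.mkfifo(os.path.join(root, "pipe0"))
    return [os.path.basename(p) for p, _, _ in regular_files_in(root)]
```

On a live system you would call regular_files_in("/dev") and feed the (name, inode) pairs of a directory such as /bin or /sbin to inode_outliers. A legitimate package update can also leave a binary with an out-of-sequence inode, so a hit is a lead to confirm with hash analysis, not a conclusion on its own.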

Forensic examiners will use hash analysis to detect rootkits and any modifications to binary files and configuration files. Systems' binaries and configurations could be replaced or modified by malicious rootkits; hackers modify these files to try to hide malicious network connections, processes, users, etc.

Investigators use hash analysis to compare the hash values of the current system's binaries with a known-good hash set of binaries to identify changes. A malware hash set, containing the hash values of known rootkits and other malware, can likewise be used to detect malware stored on the system.
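The two comparisons above, known-good baseline and known-bad malware set, as an added Python example that is not part of the lecture. The file contents, the "binaries" and every hash value are constructed for the demo; a real baseline would come from a trusted copy of the same OS release.

```python
import hashlib
import os
import tempfile

def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_analysis(paths, known_good, known_bad):
    """known_good maps a binary's name to its SHA-256 from a trusted copy of the
    same OS release; known_bad is a set of SHA-256 values of known rootkit and
    malware components. Returns a verdict per file name."""
    verdicts = {}
    for path in paths:
        name = os.path.basename(path)
        digest = sha256_of(path)
        if digest in known_bad:
            verdicts[name] = "KNOWN_BAD"        # matches the malware hash set
        elif name not in known_good:
            verdicts[name] = "NOT_IN_BASELINE"  # nothing to compare against: review manually
        elif known_good[name] != digest:
            verdicts[name] = "MODIFIED"         # differs from the known-good binary
        else:
            verdicts[name] = "OK"
    return verdicts

def demo():
    """Constructed scenario (no real binaries): ls untouched, ps replaced, netstat
    matching a known-bad hash, and an extra binary absent from the baseline."""
    root = tempfile.mkdtemp()
    on_disk = {"ls": b"original ls", "ps": b"trojaned ps",
               "netstat": b"evil netstat", "lsof": b"original lsof"}
    paths = []
    for name, data in on_disk.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        paths.append(path)
    trusted = {"ls": b"original ls", "ps": b"original ps", "netstat": b"original netstat"}
    known_good = {name: hashlib.sha256(data).hexdigest() for name, data in trusted.items()}
    known_bad = {hashlib.sha256(b"evil netstat").hexdigest()}
    return hash_analysis(paths, known_good, known_bad)
```

Because a rootkit on the running system can alter what a file read returns, the hashing should be done from a trusted boot or against a mounted image rather than on the suspect system itself; the verdicts only mean something when both the baseline and the reads are trusted.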


Simple commands such as find are used as analysis tools as well. For example, to find hidden files in a directory, whose names start with a dot or a space, we use the find command with a regular expression (-regex) that matches these hidden names. To find all world-writable files in a directory, we use the find command with the -perm test and the -exec option.

Set UID sets a permission that allows a user to run an executable file with the permissions of the file's owner. To find all set UID / set GID files, we use the find command with the -perm test for the set UID and set GID permission bits.

To find binary files that were modified within one day, or files that were created less than 24 hours ago, we use the find options -mtime and -Bmin (-Bmin tests the file's birth time, which not every find implementation exposes).

Sometimes forensic examiners encounter files that do not have a file structure. For example, the file of deleted data produced after running blkls myImage > unallocated. This unallocated file gathers the raw data from all unallocated blocks, without file names and metadata attributes; however, it may contain .jpeg pictures, .pdf files, or other files. We can use data carving tools to try to recover these hidden files.

Data carving is done by analyzing the raw data and identifying hidden files such as JPEG and mp3 by looking for headers. For instance, every JPEG file has its own header, a fixed hex value. Some files contain footers as well, marking the end of the file. Data carving tools rely on the headers and the footers, or other variable information such as size, to carve out meaningful files. They scan through a raw image, and when they find a known header, they start to carve data out until they hit a footer, another known header, or the size limit. The recovered file will certainly not have file name information, but it gets an extension according to the header information.

There are several free carving tools you can try, such as Foremost, Scalpel, Magic Rescue, PhotoRec, TestDisk, etc. Foremost stores a list of known file types with their corresponding header and footer information in the foremost.conf file. Users can modify this configuration file to add, or select, the types of files they want to carve out.

You will see a demo of using Foremost in the next video.


Foremost Demo

>> In this week's lecture, we talked about the data carving function and the tools. Now in this demo, I want to show you one of the popular tools, and it's free, called Foremost. So before we start to do that, as I said, we can always start with man foremost, to see what this function does and what the options are.

So as it is described here, Foremost recovers files using their headers, footers and data structures. Okay. So in this case, even without file system information, without file system metadata information, Foremost will simply look into the data and then try to search for the header. And then once it finds a header, it will start to carve out that data until it hits the footer, if the footer's available, or hits another header, another file's header, or if the size limit is hit as well. So those are the information used by Foremost to carve out data.

So for Foremost to work, certainly you need to give it an image. Now that image can be unallocated space data, like [inaudible] kit, which collects all [inaudible] data together, because it's [inaudible] in data structure at all. And it could be a memory dump, because a memory dump does not have a data structure. So any file you can give to that.

And then where do you know the header and footer information from? This comes from a configuration file, and I will talk about that configuration file shortly.

There are other options you might find interesting to use. -t type means which type -- which file type do you want to come out? Do you want to come out jpeg or other information? And then there's -- let's move over. We can see what other options I would like you to practice. -T is a good one, because every time when you -- after it's done, it dumps out files, and it uses a default name. Then you can only use it once, because next time it already exists, right? So if you put the -T there, then the file name will be unique, because the file name will follow the [inaudible] timestamp. So you can run Foremost many times, so it's different outputs. So -T I often like to use.

Okay. So let's quit there and then we come back to practice Foremost.

Now I mentioned that it relies on the footer and the header information, but where does that information reside? It resides in the Foremost configuration file. So now you probably will ask me, so where is the file? And I said, find it. Okay? We can use find, and I say look for it, starting from the system root, and then the name is foremost.conf. Okay? So I just wanted to go through from the system root, because [inaudible] to find what -- tell me what you can find whose file name is foremost.conf for now.

And certainly you'll hit lots of error messages. It says it's not permitted -- permission denied. Permission denied. I don't want to see that noise. So I said, what about those error messages, which are specified by 2, okay? Regular standard out is different, and then this is 2 [inaudible]. If you don't understand, that's fine. Basically, don't show me -- this 2 means all the error messages are dumped to the black hole. I don't want to see them. Dump out all that information to the black hole. Don't show it to me, because I'm confident [inaudible] information, by the way, but I'm confident I don't want that to ruin my output.

So now I have seen a couple of things. One is foremost.conf. Okay, that's the one I copied. Actually I copied and pasted it onto the desktop. So this is this version. It finds it, and then there's another one in /etc. So if you haven't done anything, you will find those entries.

Okay. Now let's look into why I want to copy a file on top of my desktop, because if you look into the permissions for those files, let's see.


Let's look into the /usr one. So this will most likely be the one we want to use -- this configuration file -- and copy it and paste it here. So we want to look at the permission information. Oh, this is a link file. So actually this is a soft link. I have already talked about soft links, right? This is a soft link to [inaudible] Foremost configuration file. Now, even though the permission is everyone can read, write and execute, actually it points to this /etc file. So now let's look into the permission of that /etc file.

[ Background Sounds ]

So for this file, we are not [inaudible]. Okay. So we only have read permission. That means that the foremost.conf, you can modify it. So I create a copy, put it on my desktop and then save. Actually, save that file to my desktop, and then I can make a modification.

Now why do I want to modify that? Once again, let's first look into this file. Let's look into this [inaudible] file, the foremost.conf file.

[ Background Sounds ]

So this is a configuration file, and most of it is the header and footer information. So for example, it's a gif file and the header information, and the jpeg, what is the header information; it's all comments. It's all commented. So it's not [inaudible]. So if you want to use it, you have to uncomment it. If I want jpeg, then I need to uncomment those three lines. All right. So those are the jpeg headers. Those are jpeg headers. Similarly, I included footers as well. So some were [inaudible], but those are the jpeg headers.

Okay. So for you to use it, you need to modify the configuration file to remove those, because with this character in front it's a comment. It's commented, and so you have to remove that to be able to work.

Okay. And then if you look at my file here, I made a copy, and then I simply made those headers and footers effective. So when I run my Foremost, it will only look at those headers and footers. That's all. The other headers and footers are all commented out for efficiency. Okay? So that's why I need that.

With my own foremost.conf, let's try Foremost.


So let's do foremost -c configuration file, and I want to use my own configuration file instead of the /usr or /etc one, because my file is currently on the desktop. Okay, so I use my own configuration file, and then I want to use -T to create the files in a folder with a timestamp. Okay. So then I have -i image. I want to grab one image, because this image definitely has some pictures there. I know they can come out. All right. So we do it.

So now it creates -- now, in my configuration file I uncommented the gif file and the jpeg file. Now I don't know about this doc file. Somehow it's collected the doc file by default. Okay. So it has documents, it has gif files, and then it has jpeg files. Now it knows the extensions, that's for sure, because it has a header. Some even have footer information, so it knows -- with the header information it knows the file's extension. It certainly does not know the file name information, because that metadata information cannot be obtained by Foremost. So Foremost only cares about -- only knows the header and footer information. So all the files come out. Some maybe even have file. Now you didn't see this example here: some data -- they only come out as half of the image, possibly. And then it's put into that directory.

Now there's another method. Say, if I don't want to use this configuration file, I use -t. Let's move this away. Let's just hide that in /tmp, so we will not see it anymore. And then in that case, I use Foremost again, and I say I'm only interested in the jpeg file type. Okay. I'm not providing the foremost.conf. It knows, okay, use jpeg. Use jpeg, and then again I use -T and then -i, and give it this image itself. Let's run that.

So because I have -T (dash capital T), it creates two unique folders, because it has a timestamp. Otherwise, it will give you an error message saying, hey, the file -- it's already created, and you don't want to override that. So that's why I use -T. If you look at the second one, okay? It only has jpeg now, because I specifically said -t jpeg. Again, this doc is somehow carved out.

So now you should get ideas of how Foremost works: based on the header, sometimes even including the footer, it uses that information to carve data out without using any file system information. So this can be very powerful. Right? That's why we mentioned it can be used to look into memory data or unallocated data.

Hopefully you can try it, and once again, if you use this SIFT virtual machine then you needn't install anything, because it is installed by default. You can try, say, which foremost to find out whether it's there, or yeah, definitely it's there. So hopefully you enjoy it. Okay.
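The header/footer carving described in the lecture section above, driven by lines in the foremost.conf layout walked through in the demo (extension, case-sensitivity flag, maximum size, header, optional footer, with commented-out lines ignored). This is an added Python example, not Foremost's code and not from the lecture; the configuration excerpt and the raw blob are constructed. Filtering the parsed signatures to one extension plays the role of -t, as in the demo's second run.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the foremost.conf layout: extension, case-sensitive (y/n),
# maximum size, header, optional footer. Lines starting with '#' are commented out.
CONF_EXCERPT = r"""
#   mp3     n       8000000         \x49\x44\x33
    jpg     y       20000000        \xff\xd8\xff\xe0\x00\x10        \xff\xd9
    gif     y       5000000         \x47\x49\x46\x38\x37\x61        \x00\x3b
    gif     y       5000000         \x47\x49\x46\x38\x39\x61        \x00\x3b
"""

# Constructed raw blob standing in for an unallocated-space dump: two complete
# files, then a JPEG with no footer that runs straight into a GIF.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 40 + b"\xff\xd9"  # JPEG at offset 16
    + b"\x00" * 8
    + b"GIF89a" + b"B" * 30 + b"\x00\x3b"                        # GIF at offset 76
    + b"\x00" * 5
    + b"\xff\xd8\xff\xe0\x00\x10" + b"C" * 20                     # footerless JPEG at offset 119
    + b"GIF87a" + b"D" * 10 + b"\x00\x3b"                        # GIF at offset 145
)

@dataclass
class Signature:
    ext: str
    case_sensitive: bool
    max_size: int
    header: bytes
    footer: Optional[bytes]

def unescape(field: str) -> bytes:
    """Turn a conf field such as \\xff\\xd8 into bytes; other characters are literal."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field.startswith("\\x", i) and i + 4 <= len(field):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        else:
            out += field[i].encode("latin-1")
            i += 1
    return bytes(out)

def parse_conf(text: str) -> List[Signature]:
    """Parse uncommented lines of the form: ext case(y/n) max_size header [footer]."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 4:
            continue
        footer = unescape(f[4]) if len(f) > 4 else None
        sigs.append(Signature(f[0], f[1].lower() == "y", int(f[2]), unescape(f[3]), footer))
    return sigs

def find_header(blob: bytes, sig: Signature, start: int, limit: int) -> int:
    """Offset of sig's header in blob[start:limit], or -1; honours the case flag."""
    if sig.case_sensitive:
        return blob.find(sig.header, start, limit)
    return blob.lower().find(sig.header.lower(), start, limit)

def carve(blob: bytes, sigs: List[Signature]):
    """Return (ext, offset, data) for each carved file. A file ends at its footer;
    without one (or if it lies beyond max_size) it ends at the next known header,
    or at the size limit: the three stop conditions the lecture names."""
    files = []
    pos = 0
    while pos < len(blob):
        hits = [(find_header(blob, s, pos, len(blob)), s) for s in sigs]
        hits = [(p, s) for p, s in hits if p != -1]
        if not hits:
            break
        start, sig = min(hits, key=lambda h: h[0])
        limit = min(len(blob), start + sig.max_size)
        body = start + len(sig.header)
        end = -1
        if sig.footer is not None:
            f = blob.find(sig.footer, body, limit)
            if f != -1:
                end = f + len(sig.footer)
        if end == -1:
            nxt = [find_header(blob, s, body, limit) for s in sigs]
            end = min([limit] + [p for p in nxt if p != -1])
        files.append((sig.ext, start, blob[start:end]))
        pos = end
    return files
```

The footerless JPEG in the sample blob is the "half of the image" case from the demo: it is cut at the following GIF header, and when only jpg signatures are passed in (the -t jpg run) it instead runs on to the size limit, which here is the end of the blob. Each carved file is identified only by offset and extension, exactly as the lecture says: the name and other metadata were never in the unallocated data. A production carver additionally has to deal with wildcard bytes in signatures, overlapping matches and fragmented files, which this example leaves out.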

 

Reposted from: https://www.cnblogs.com/sec875/articles/10015611.html
