2024-04-06 18:13:07 +00:00
|
|
|
|
# 基本取证方法论
|
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
{% hint style="success" %}
|
|
|
|
|
学习和实践 AWS 黑客技术:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
|
|
|
学习和实践 GCP 黑客技术:<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks 培训 GCP 红队专家 (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
|
|
2024-04-06 18:13:07 +00:00
|
|
|
|
<details>
|
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
<summary>支持 HackTricks</summary>
|
2024-04-06 18:13:07 +00:00
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
* 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
|
|
|
|
|
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass) 或 **关注** 我们的 **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
|
|
|
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub 仓库提交 PR 来分享黑客技巧。
|
2024-04-06 18:13:07 +00:00
|
|
|
|
|
|
|
|
|
</details>
|
2024-07-19 04:51:22 +00:00
|
|
|
|
{% endhint %}
|
2024-04-06 18:13:07 +00:00
|
|
|
|
|
|
|
|
|
## 创建和挂载镜像
|
|
|
|
|
|
|
|
|
|
{% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md" %}
|
|
|
|
|
[image-acquisition-and-mount.md](../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md)
|
|
|
|
|
{% endcontent-ref %}
|
|
|
|
|
|
|
|
|
|
## 恶意软件分析
|
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
这**并不是在获得镜像后必须执行的第一步**。但是如果你有一个文件、文件系统镜像、内存镜像、pcap...,你可以独立使用这些恶意软件分析技术,因此**记住这些操作是好的**:
|
2024-04-06 18:13:07 +00:00
|
|
|
|
|
|
|
|
|
{% content-ref url="malware-analysis.md" %}
|
|
|
|
|
[malware-analysis.md](malware-analysis.md)
|
|
|
|
|
{% endcontent-ref %}
|
|
|
|
|
|
|
|
|
|
## 检查镜像
|
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
如果你获得了一个**取证镜像**,你可以开始**分析分区、文件系统**以及**恢复**潜在的**有趣文件**(甚至是已删除的文件)。了解如何进行:
|
2024-04-06 18:13:07 +00:00
|
|
|
|
|
|
|
|
|
{% content-ref url="partitions-file-systems-carving/" %}
|
|
|
|
|
[partitions-file-systems-carving](partitions-file-systems-carving/)
|
|
|
|
|
{% endcontent-ref %}
|
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
根据使用的操作系统甚至平台,应该搜索不同的有趣文物:
|
2024-04-06 18:13:07 +00:00
|
|
|
|
|
|
|
|
|
{% content-ref url="windows-forensics/" %}
|
|
|
|
|
[windows-forensics](windows-forensics/)
|
|
|
|
|
{% endcontent-ref %}
|
|
|
|
|
|
|
|
|
|
{% content-ref url="linux-forensics.md" %}
|
|
|
|
|
[linux-forensics.md](linux-forensics.md)
|
|
|
|
|
{% endcontent-ref %}
|
|
|
|
|
|
|
|
|
|
{% content-ref url="docker-forensics.md" %}
|
|
|
|
|
[docker-forensics.md](docker-forensics.md)
|
|
|
|
|
{% endcontent-ref %}
|
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
## 深入检查特定文件类型和软件
|
2024-04-06 18:13:07 +00:00
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
如果你有一个非常**可疑的****文件**,那么**根据文件类型和创建它的软件**,可能会有几种**技巧**是有用的。\
|
2024-04-06 18:13:07 +00:00
|
|
|
|
阅读以下页面以了解一些有趣的技巧:
|
|
|
|
|
|
|
|
|
|
{% content-ref url="specific-software-file-type-tricks/" %}
|
|
|
|
|
[specific-software-file-type-tricks](specific-software-file-type-tricks/)
|
|
|
|
|
{% endcontent-ref %}
|
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
我想特别提到以下页面:
|
2024-04-06 18:13:07 +00:00
|
|
|
|
|
|
|
|
|
{% content-ref url="specific-software-file-type-tricks/browser-artifacts.md" %}
|
|
|
|
|
[browser-artifacts.md](specific-software-file-type-tricks/browser-artifacts.md)
|
|
|
|
|
{% endcontent-ref %}
|
|
|
|
|
|
|
|
|
|
## 内存转储检查
|
|
|
|
|
|
|
|
|
|
{% content-ref url="memory-dump-analysis/" %}
|
|
|
|
|
[memory-dump-analysis](memory-dump-analysis/)
|
|
|
|
|
{% endcontent-ref %}
|
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
## Pcap 检查
|
2024-04-06 18:13:07 +00:00
|
|
|
|
|
|
|
|
|
{% content-ref url="pcap-inspection/" %}
|
|
|
|
|
[pcap-inspection](pcap-inspection/)
|
|
|
|
|
{% endcontent-ref %}
|
|
|
|
|
|
|
|
|
|
## **反取证技术**
|
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
请记住可能使用的反取证技术:
|
2024-04-06 18:13:07 +00:00
|
|
|
|
|
|
|
|
|
{% content-ref url="anti-forensic-techniques.md" %}
|
|
|
|
|
[anti-forensic-techniques.md](anti-forensic-techniques.md)
|
|
|
|
|
{% endcontent-ref %}
|
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
## 威胁狩猎
|
2024-04-06 18:13:07 +00:00
|
|
|
|
|
|
|
|
|
{% content-ref url="file-integrity-monitoring.md" %}
|
|
|
|
|
[file-integrity-monitoring.md](file-integrity-monitoring.md)
|
|
|
|
|
{% endcontent-ref %}
|
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
{% hint style="success" %}
|
|
|
|
|
学习和实践 AWS 黑客技术:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
|
|
|
学习和实践 GCP 黑客技术:<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks 培训 GCP 红队专家 (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
|
|
2024-04-06 18:13:07 +00:00
|
|
|
|
<details>
|
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
<summary>支持 HackTricks</summary>
|
2024-04-06 18:13:07 +00:00
|
|
|
|
|
2024-07-19 04:51:22 +00:00
|
|
|
|
* 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
|
|
|
|
|
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass) 或 **关注** 我们的 **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
|
|
|
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub 仓库提交 PR 来分享黑客技巧。
|
2024-04-06 18:13:07 +00:00
|
|
|
|
|
|
|
|
|
</details>
|
2024-07-19 04:51:22 +00:00
|
|
|
|
{% endhint %}
|