# Acquisizione e Montaggio {% hint style="success" %} Impara e pratica il hacking AWS:

[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)

\ Impara e pratica il hacking GCP:

[**HackTricks Training GCP Red Team Expert (GRTE)**

](https://training.hacktricks.xyz/courses/grte)

Supporta HackTricks

* Controlla i [**piani di abbonamento**](https://github.com/sponsors/carlospolop)! * **Unisciti al** 💬 [**gruppo Discord**](https://discord.gg/hRep4RUj7f) o al [**gruppo telegram**](https://t.me/peass) o **seguici** su **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Condividi trucchi di hacking inviando PR ai** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos su github.

{% endhint %}

{% embed url="https://websec.nl/" %} ## Acquisizione ### DD ```bash #This will generate a raw copy of the disk dd if=/dev/sdb of=disk.img ``` ### dcfldd ```bash #Raw copy with hashes along the way (more secur as it checks hashes while it's copying the data) dcfldd if= of= bs=512 hash= hashwindow= hashlog= dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes ``` ### FTK Imager Puoi [**scaricare l'FTK imager da qui**](https://accessdata.com/product-download/debian-and-ubuntu-x64-3-1-1). ```bash ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 --description 'A description' --examiner 'Your name' ``` ### EWF Puoi generare un'immagine del disco utilizzando gli [**ewf tools**](https://github.com/libyal/libewf). ```bash ewfacquire /dev/sdb #Name: evidence #Case number: 1 #Description: A description for the case #Evidence number: 1 #Examiner Name: Your name #Media type: fixed #Media characteristics: physical #File format: encase6 #Compression method: deflate #Compression level: fast #Then use default values #It will generate the disk image in the current directory ``` ## Mount ### Diversi tipi In **Windows** puoi provare a utilizzare la versione gratuita di Arsenal Image Mounter ([https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)) per **montare l'immagine forense**. ### Raw ```bash #Get file type file evidence.img evidence.img: Linux rev 1.0 ext4 filesystem data, UUID=1031571c-f398-4bfb-a414-b82b280cf299 (extents) (64bit) (large files) (huge files) #Mount it mount evidence.img /mnt ``` ### EWF ```bash #Get file type file evidence.E01 evidence.E01: EWF/Expert Witness/EnCase image file format #Transform to raw mkdir output ewfmount evidence.E01 output/ file output/ewf1 output/ewf1: Linux rev 1.0 ext4 filesystem data, UUID=05acca66-d042-4ab2-9e9c-be813be09b24 (needs journal recovery) (extents) (64bit) (large files) (huge files) #Mount mount output/ewf1 -o ro,norecovery /mnt ``` ### ArsenalImageMounter È un'applicazione Windows per montare volumi. Puoi scaricarla qui [https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/) ### Errors * **`cannot mount /dev/loop0 read-only`** in questo caso è necessario utilizzare i flag **`-o ro,norecovery`** * **`wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.`** in questo caso il montaggio è fallito poiché l'offset del filesystem è diverso da quello dell'immagine del disco. Devi trovare la dimensione del Settore e il Settore di Avvio: ```bash fdisk -l disk.img Disk disk.img: 102 MiB, 106954648 bytes, 208896 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0x00495395 Device Boot Start End Sectors Size Id Type disk.img1 2048 208895 206848 101M 1 FAT12 ``` Nota che la dimensione del settore è **512** e l'inizio è **2048**. Quindi monta l'immagine in questo modo: ```bash mount disk.img /mnt -o ro,offset=$((2048*512)) ```