Upatikanaji na Kufunga Picha

Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Je, unafanya kazi katika kampuni ya usalama wa mtandao? Je, ungependa kuona kampuni yako ikionekana kwenye HackTricks? au ungependa kupata upatikanaji wa toleo jipya la PEASS au kupakua HackTricks kwa PDF? Angalia MIPANGO YA KUJIUNGA!
Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs ya kipekee
Pata swag rasmi ya PEASS & HackTricks
Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au nifuata kwenye Twitter 🐦@carlospolopm.
Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwenye repo ya hacktricks na repo ya hacktricks-cloud.

{% embed url="https://websec.nl/" %}

Upatikanaji

DD

#This will generate a raw copy of the disk
dd if=/dev/sdb of=disk.img

dcfldd

#Raw copy with hashes along the way (more secur as it checks hashes while it's copying the data)
dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<chunk size> hashlog=<hash file>
dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes

FTK Imager

Unaweza kupakua FTK imager kutoka hapa.

ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 --description 'A description' --examiner 'Your name'

EWF

Unaweza kuzalisha picha ya diski ukitumia zana za ewf.

ewfacquire /dev/sdb
#Name: evidence
#Case number: 1
#Description: A description for the case
#Evidence number: 1
#Examiner Name: Your name
#Media type: fixed
#Media characteristics: physical
#File format: encase6
#Compression method: deflate
#Compression level: fast

#Then use default values
#It will generate the disk image in the current directory

Kufunga

Aina kadhaa

Katika Windows unaweza kujaribu kutumia toleo huru la Arsenal Image Mounter (https://arsenalrecon.com/downloads/) kufunga picha ya uchunguzi wa kielelezo.

#Get file type
file evidence.img
evidence.img: Linux rev 1.0 ext4 filesystem data, UUID=1031571c-f398-4bfb-a414-b82b280cf299 (extents) (64bit) (large files) (huge files)

#Mount it
mount evidence.img /mnt

EWF

#Get file type
file evidence.E01
evidence.E01: EWF/Expert Witness/EnCase image file format

#Transform to raw
mkdir output
ewfmount evidence.E01 output/
file output/ewf1
output/ewf1: Linux rev 1.0 ext4 filesystem data, UUID=05acca66-d042-4ab2-9e9c-be813be09b24 (needs journal recovery) (extents) (64bit) (large files) (huge files)

#Mount
mount output/ewf1 -o ro,norecovery /mnt

ArsenalImageMounter

Ni Programu ya Windows ya kupakia voli. Unaweza kuipakua hapa https://arsenalrecon.com/downloads/

Makosa

hawezi kupakia /dev/loop0 kusoma tu katika kesi hii unahitaji kutumia bendera -o ro,norecovery
aina isiyo sahihi ya fs, chaguo baya, superblock mbaya kwenye /dev/loop0, ukurasa wa nambari uliopotea au programu msaidizi, au kosa lingine. katika kesi hii upakiaji ulishindwa kwa sababu offset ya mfumo wa faili ni tofauti na ile ya picha ya diski. Unahitaji kupata Ukubwa wa Sekta na Sekta ya Kuanza:

fdisk -l disk.img
Disk disk.img: 102 MiB, 106954648 bytes, 208896 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00495395

Device        Boot Start    End Sectors  Size Id Type
disk.img1       2048 208895  206848  101M  1 FAT12

Tafadhali kumbuka ukubwa wa sekta ni 512 na kuanza ni 2048. Kisha funga picha kama hivi:

mount disk.img /mnt -o ro,offset=$((2048*512))