5.6 KiB
Beeldverkryging & Monteer
{% hint style="success" %}
Leer & oefen AWS Hacking:
HackTricks Opleiding AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: 
HackTricks Opleiding GCP Red Team Expert (GRTE)
Ondersteun HackTricks
- Kyk na die subskripsieplanne!
- Sluit aan by die 💬 Discord-groep of die telegram-groep of volg ons op Twitter 🐦 @hacktricks_live.
- Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.
{% embed url="https://websec.nl/" %}
Verkryging
DD
#This will generate a raw copy of the disk
dd if=/dev/sdb of=disk.img
dcfldd
#Raw copy with hashes along the way (more secur as it checks hashes while it's copying the data)
dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<chunk size> hashlog=<hash file>
dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes
FTK Imager
Jy kan die FTK imager hier aflaai.
ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 --description 'A description' --examiner 'Your name'
EWF
Jy kan 'n skyfbeeld genereer met behulp van die ewf tools.
ewfacquire /dev/sdb
#Name: evidence
#Case number: 1
#Description: A description for the case
#Evidence number: 1
#Examiner Name: Your name
#Media type: fixed
#Media characteristics: physical
#File format: encase6
#Compression method: deflate
#Compression level: fast
#Then use default values
#It will generate the disk image in the current directory
Mount
Verskeie tipes
In Windows kan jy probeer om die gratis weergawe van Arsenal Image Mounter (https://arsenalrecon.com/downloads/) te gebruik om die forensiese beeld te mont.
Raw
#Get file type
file evidence.img
evidence.img: Linux rev 1.0 ext4 filesystem data, UUID=1031571c-f398-4bfb-a414-b82b280cf299 (extents) (64bit) (large files) (huge files)
#Mount it
mount evidence.img /mnt
EWF
#Get file type
file evidence.E01
evidence.E01: EWF/Expert Witness/EnCase image file format
#Transform to raw
mkdir output
ewfmount evidence.E01 output/
file output/ewf1
output/ewf1: Linux rev 1.0 ext4 filesystem data, UUID=05acca66-d042-4ab2-9e9c-be813be09b24 (needs journal recovery) (extents) (64bit) (large files) (huge files)
#Mount
mount output/ewf1 -o ro,norecovery /mnt
ArsenalImageMounter
Dit is 'n Windows-toepassing om volumes te monteer. Jy kan dit hier aflaai https://arsenalrecon.com/downloads/
Errors
cannot mount /dev/loop0 read-onlyin hierdie geval moet jy die vlae-o ro,norecoverygebruikwrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.in hierdie geval het die monteer gefaal omdat die offset van die lêerstelsel verskil van dié van die skyfbeeld. Jy moet die Sektor grootte en die Begin sektor vind:
fdisk -l disk.img
Disk disk.img: 102 MiB, 106954648 bytes, 208896 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00495395
Device Boot Start End Sectors Size Id Type
disk.img1 2048 208895 206848 101M 1 FAT12
Let op dat die sektor grootte 512 is en begin by 2048. Mount dan die beeld soos volg:
mount disk.img /mnt -o ro,offset=$((2048*512))
{% embed url="https://websec.nl/" %}
{% hint style="success" %}
Leer & oefen AWS Hacking:HackTricks Opleiding AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Opleiding GCP Red Team Expert (GRTE)
Ondersteun HackTricks
- Kyk na die subskripsie planne!
- Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
- Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.