Unit 3: Unix/Linux File System
3.1 Unix/Linux File System: Sleuth Kit and Autopsy

湛鸿
2023-12-01

Now let's learn and practice a well-known open source forensic analysis tool called
Sleuth Kit.


It supports almost all file systems.


Autopsy is the GUI front end for Sleuth Kit.


Sleuth Kit views the file system in five layers, and it contains tools
for each layer except the physical layer.


The physical layer uses magnetic hard disks,
and more recently solid state drives, to physically store data.


Magnetic hard disks operate by creating or detecting magnetic fields
in fixed regions, or blocks, of a magnetic surface.


When the disk is asked to write to a particular block, it spins and moves its head
to a certain location and magnetizes the magnetic surface of the disk in that region.


If there is already old, discarded data in that location, it is simply overwritten
with the new values.


Solid state drives, on the other hand, have no moving mechanical components.


Data is stored in fixed arrangements of electronic transistors.


A couple of SSD properties affect forensic analysis.


Rewriting data requires blocks to be erased electronically before they can be used again.


The write-over-old-data property of magnetic disks does not apply to SSDs.


To increase write performance, a technology called garbage collection is built
into SSDs to automatically reset used data blocks back to free space.


The garbage collection process erases old data,
so recovering deleted data from an SSD is affected to some degree.


The data layer uses blocks, or clusters, to store data.


Cluster is the Windows term for a block.


The metadata layer contains a file's metadata information,
for example, inode information.


The file system layer describes file system structure details,
such as the information in the superblock.


The file name layer associates a file name with its metadata structure.


We can break Sleuth Kit into four sets of tools.


File system layer tools start with fs.

File name layer tools start with f, metadata layer tools start with i,
and data layer tools start with blk, which stands for block.


For example, fsstat, istat, and blkstat display status information at different layers.


All Sleuth Kit commands need at least the image name.


The -f option specifies the file system type, such as ext2/ext3, NTFS, FAT, et cetera.


The -o image offset option specifies the offset in bytes,
telling where the file system starts in the drive image.


fsstat displays statistics such as the block size, the number of inodes, and the type of file system.


Once we learn the type of file system, we can provide that information to the other tools.


For simplicity, I will omit the -o offset in later examples.


This command (blkstat) tells you whether the block at block address 300
in the image is allocated or not allocated.


Not allocated means the block has been marked as deleted.


blkls by default will output all unallocated data into one file.


Here we put all the unallocated data into a file called my unallocated.


What exactly is in my unallocated file?

It is simply raw data, zeros and ones.


The Linux/UNIX command strings can be used to display the ASCII character sequences stored in this file.


blkcat displays the content of a given data block number. For a file that is larger
than one block, blkcat will only display a portion of the whole file.
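To make the file system and data layer tools concrete, here is an added example (not code from the lecture, the Sleuth Kit project, or its author) that re-implements, in Python, the core of what fsstat, blkstat, blkcat, blkls and strings do on an ext2-family image. It parses the superblock for the block size, inode count and block count, reads the block bitmap through the group descriptor to decide whether a block is allocated, dumps a single block, concatenates every unallocated block, and extracts printable ASCII runs from that raw data. The 16-block image it operates on is constructed in memory, so the sample file contents and the helper names (`build_demo_image`, `fs_stat`, `blk_stat`, `blk_cat`, `blk_ls`, `strings`) are assumptions of this example; only the superblock, group descriptor and bitmap offsets are the real ext2 on-disk layout. It handles a single block group only.

```python
import struct

EXT2_MAGIC = 0xEF53   # s_magic shared by ext2/ext3/ext4 superblocks
SB_OFFSET = 1024      # primary superblock always starts 1024 bytes into the file system


def build_demo_image():
    """Constructed 16-block (1 KiB each) ext2-style image; sample data, not a real disk."""
    bs, nblocks = 1024, 16
    img = bytearray(bs * nblocks)
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0, 32, nblocks)    # s_inodes_count, s_blocks_count
    struct.pack_into("<II", sb, 20, 1, 0)          # s_first_data_block=1, s_log_block_size=0 (1024 << 0)
    struct.pack_into("<I", sb, 32, 8192)           # s_blocks_per_group
    struct.pack_into("<I", sb, 40, 32)             # s_inodes_per_group
    struct.pack_into("<H", sb, 56, EXT2_MAGIC)     # s_magic
    img[SB_OFFSET:SB_OFFSET + 1024] = sb
    # Group descriptor table sits in the block after the superblock (block 2 here).
    struct.pack_into("<III", img, 2 * bs, 3, 4, 5)  # bg_block_bitmap, bg_inode_bitmap, bg_inode_table
    # Block bitmap (block 3): bit i describes block first_data_block + i, LSB first; set = allocated.
    for blk in (1, 2, 3, 4, 5, 6, 7, 8, 10):       # metadata blocks plus two allocated data blocks
        bit = blk - 1
        img[3 * bs + bit // 8] |= 1 << (bit % 8)

    def put(blk, text):
        img[blk * bs:blk * bs + len(text)] = text

    put(8, b"allocated file: quarterly report draft\n")       # live data: must NOT appear in blkls output
    put(9, b"DELETED NOTE: meeting moved to Friday\n")        # unallocated block: recoverable
    put(11, b"old log fragment: login ok user=alice\n")       # unallocated block: recoverable
    return bytes(img)


def fs_stat(img):
    """fsstat-style summary read from the superblock."""
    sb = img[SB_OFFSET:SB_OFFSET + 1024]
    if struct.unpack_from("<H", sb, 56)[0] != EXT2_MAGIC:
        raise ValueError("not an ext2/3/4 superblock (bad magic)")
    inodes_count, blocks_count = struct.unpack_from("<II", sb, 0)
    first_data_block, log_bs = struct.unpack_from("<II", sb, 20)
    return {"fs_type": "ext2-family", "block_size": 1024 << log_bs,
            "inodes_count": inodes_count, "blocks_count": blocks_count,
            "first_data_block": first_data_block}


def _block_bitmap(img, info):
    bs = info["block_size"]
    gdt_off = (info["first_data_block"] + 1) * bs            # first group descriptor
    bg_block_bitmap = struct.unpack_from("<I", img, gdt_off)[0]
    return img[bg_block_bitmap * bs:(bg_block_bitmap + 1) * bs]


def _bit(bm, bit):
    return (bm[bit // 8] >> (bit % 8)) & 1


def blk_stat(img, addr):
    """blkstat-style allocation status for one block address."""
    info = fs_stat(img)
    if addr >= info["blocks_count"]:
        raise ValueError("block address out of range")
    if addr < info["first_data_block"]:
        return "Allocated"   # boot block is not covered by the bitmap; treated as in use here (our choice)
    bit = addr - info["first_data_block"]
    return "Allocated" if _bit(_block_bitmap(img, info), bit) else "Not Allocated"


def blk_cat(img, addr):
    """blkcat-style: raw content of exactly one block (a multi-block file shows only partially)."""
    bs = fs_stat(img)["block_size"]
    return img[addr * bs:(addr + 1) * bs]


def blk_ls(img):
    """blkls-style: every unallocated block concatenated into one byte string."""
    info = fs_stat(img)
    bs, bm = info["block_size"], _block_bitmap(img, info)
    out = bytearray()
    for addr in range(info["first_data_block"], info["blocks_count"]):
        if not _bit(bm, addr - info["first_data_block"]):
            out += img[addr * bs:(addr + 1) * bs]
    return bytes(out)


def strings(data, min_len=4):
    """strings(1)-style: runs of printable ASCII of at least min_len characters."""
    out, run = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


if __name__ == "__main__":
    img = build_demo_image()
    print(fs_stat(img))
    print("block 9:", blk_stat(img, 9), "| block 8:", blk_stat(img, 8))
    print(strings(blk_ls(img)))
```

Running it shows the workflow from the lecture end to end: the superblock gives block size and counts, the bitmap decides allocation, and only the text from the unallocated blocks (not the live "quarterly report" block) survives into the blkls output that strings then reads.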


istat displays the inode statistics for a given inode number, including the inode number, MAC times,
permissions, file size, allocation status,
the allocated data block numbers, the number of links, et cetera.


ifind maps from a block number to an inode number.


This one is extremely useful, since you will find more metadata information
after you recover the inode number.


It is then possible to find the file's other data blocks, if any.
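The metadata layer workflow just described (block number, ifind, inode number, istat, remaining blocks) as an added example, not code from the lecture or the Sleuth Kit project. It packs a constructed ext2 inode table using the real 128-byte inode layout (i_mode, i_size, the atime/ctime/mtime/dtime stamps, i_links_count and the i_block pointer array at offset 40), then implements an istat-style reader and an ifind-style reverse lookup over the direct block pointers. The inode contents, timestamps and the helper names (`build_demo_inode_table`, `istat`, `ifind`, `recover_from_block`) are assumptions of this example. Two simplifications are deliberate: allocation status is derived from the link count and deletion time rather than the inode bitmap the real tool consults, and only the 12 direct pointers are searched, not indirect blocks.

```python
import struct
from datetime import datetime, timezone

INODE_SIZE = 128   # classic ext2 on-disk inode size (ext4 commonly uses 256; see s_inode_size)
INODE_FMT = "<HHIIIIIHHI"   # i_mode,i_uid,i_size,i_atime,i_ctime,i_mtime,i_dtime,i_gid,i_links_count,i_blocks


def _make_inode(mode, size, links, blocks, mtime, dtime=0):
    """Pack one constructed inode; i_blocks is counted in 512-byte sectors (2 per 1 KiB block)."""
    raw = bytearray(INODE_SIZE)
    struct.pack_into(INODE_FMT, raw, 0, mode, 1000, size, mtime, mtime, mtime, dtime, 1000, links,
                     len(blocks) * 2)
    struct.pack_into("<%dI" % len(blocks), raw, 40, *blocks)   # i_block[] direct pointers
    return bytes(raw)


def build_demo_inode_table():
    """Constructed table of 12 inodes (ext2 inode numbers are 1-based: inode n is at index n-1)."""
    t = 1700000000   # constructed timestamp: 2023-11-14T22:13:20 UTC
    table = bytearray(INODE_SIZE * 12)

    def set_inode(inum, raw):
        table[(inum - 1) * INODE_SIZE:inum * INODE_SIZE] = raw

    set_inode(2, _make_inode(0o040755, 1024, 3, [12], t))                       # root directory
    set_inode(12, _make_inode(0o100644, 2600, 1, [20, 21, 22], t))              # live three-block file
    set_inode(13, _make_inode(0o100600, 1500, 0, [30, 31], t, dtime=t + 60))   # deleted; pointers intact
    return bytes(table)


def istat(table, inum):
    """istat-style view of one inode: type, permissions, size, MAC times, links, data blocks."""
    off = (inum - 1) * INODE_SIZE
    if inum < 1 or off + INODE_SIZE > len(table):
        raise ValueError("inode number out of range")
    mode, uid, size, atime, ctime, mtime, dtime, gid, links, sectors = struct.unpack_from(INODE_FMT, table, off)
    ptrs = struct.unpack_from("<15I", table, off + 40)
    fmt = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts else None
    ftype = {0o040000: "directory", 0o100000: "regular file"}.get(mode & 0o170000, "other/unused")
    return {"inode": inum, "type": ftype, "mode": oct(mode & 0o7777), "uid": uid, "gid": gid,
            "size": size, "links": links, "sectors": sectors,
            "atime": fmt(atime), "ctime": fmt(ctime), "mtime": fmt(mtime), "dtime": fmt(dtime),
            # simplification: the real istat reads the inode bitmap for this
            "allocated": mode != 0 and links > 0 and dtime == 0,
            "direct_blocks": [p for p in ptrs[:12] if p]}


def ifind(table, block):
    """ifind-style reverse lookup: which inode's direct pointers reference this block?"""
    for inum in range(1, len(table) // INODE_SIZE + 1):
        if block in istat(table, inum)["direct_blocks"]:
            return inum
    return None


def recover_from_block(table, block):
    """The lecture's workflow: one interesting block -> its inode -> the file's other blocks."""
    inum = ifind(table, block)
    if inum is None:
        return None
    meta = istat(table, inum)
    return {"inode": inum, "allocated": meta["allocated"], "mtime": meta["mtime"],
            "other_blocks": [b for b in meta["direct_blocks"] if b != block]}


if __name__ == "__main__":
    table = build_demo_inode_table()
    print(recover_from_block(table, 31))   # deleted file: inode 13, other block 30
    print(recover_from_block(table, 21))   # live file: inode 12, other blocks 20 and 22
```

Starting from block 31 (found, say, in blkls output) the lookup returns inode 13, reports it as deleted, and still yields block 30 as the rest of the file, which is exactly why the lecture calls ifind extremely useful.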


We will go into additional Sleuth Kit commands in the next video.

 

Reprinted from: https://www.cnblogs.com/sec875/articles/10015539.html
