์ด๋ฏธ์ง€ ์ˆ˜์ง‘ ๋ฐ ๋งˆ์šดํŠธ

Tip

AWS ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ:HackTricks Training AWS Red Team Expert (ARTE)
GCP ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training GCP Red Team Expert (GRTE) Azure ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks ์ง€์›ํ•˜๊ธฐ

์ˆ˜์ง‘

ํ•ญ์ƒ ์ฝ๊ธฐ ์ „์šฉ์œผ๋กœ ์ˆ˜์ง‘ํ•˜๊ณ  ๋ณต์‚ฌํ•˜๋Š” ๋™์•ˆ ํ•ด์‹œ๋ฅผ ์ƒ์„ฑํ•˜์„ธ์š”. ์›๋ณธ ์žฅ์น˜๋Š” ์“ฐ๊ธฐ ์ฐจ๋‹จ ์ƒํƒœ๋กœ ์œ ์ง€ํ•˜๊ณ  ๊ฒ€์ฆ๋œ ๋ณต์‚ฌ๋ณธ์—์„œ๋งŒ ์ž‘์—…ํ•˜์„ธ์š”.

DD

# Generate a raw, bit-by-bit image (no on-the-fly hashing)
dd if=/dev/sdb of=disk.img bs=4M status=progress conv=noerror,sync
# Verify integrity afterwards
sha256sum disk.img > disk.img.sha256

dc3dd / dcfldd

dc3dd๋Š” dcfldd(DoD Computer Forensics Lab dd)์˜ ์ ๊ทน์ ์œผ๋กœ ์œ ์ง€ ๊ด€๋ฆฌ๋˜๋Š” ํฌํฌ์ž…๋‹ˆ๋‹ค.

# Create an image and calculate multiple hashes at acquisition time
sudo dc3dd if=/dev/sdc of=/forensics/pc.img hash=sha256,sha1 hashlog=/forensics/pc.hashes log=/forensics/pc.log bs=1M

Guymager

๊ทธ๋ž˜ํ”ฝ, ๋ฉ€ํ‹ฐ์Šค๋ ˆ๋“œ ์ด๋ฏธ์ €๋กœ raw (dd), EWF (E01/EWFX) ๋ฐ AFF4 ์ถœ๋ ฅ์„ ์ง€์›ํ•˜๋ฉฐ ๋ณ‘๋ ฌ ๊ฒ€์ฆ์ด ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค. ๋Œ€๋ถ€๋ถ„์˜ Linux ์ €์žฅ์†Œ์—์„œ ์‚ฌ์šฉ ๊ฐ€๋Šฅ (apt install guymager).

# Start in GUI mode
sudo guymager
# Or acquire from CLI (since v0.9.5)
sudo guymager --simulate --input /dev/sdb --format EWF --hash sha256 --output /evidence/drive.e01

AFF4 (Advanced Forensics Format 4)

AFF4๋Š” ๋งค์šฐ ํฐ ์ฆ๊ฑฐ(ํฌ์†Œ, ์žฌ๊ฐœ ๊ฐ€๋Šฅ, ํด๋ผ์šฐ๋“œ ๋„ค์ดํ‹ฐ๋ธŒ)๋ฅผ ์œ„ํ•ด ์„ค๊ณ„๋œ Google์˜ ํ˜„๋Œ€์ ์ธ ์ด๋ฏธ์ง€ ํ˜•์‹์ž…๋‹ˆ๋‹ค.

# Acquire to AFF4 using the reference tool
pipx install aff4imager
sudo aff4imager acquire /dev/nvme0n1 /evidence/nvme.aff4 --hash sha256

# Velociraptor can also acquire AFF4 images remotely
velociraptor --config server.yaml frontend collect --artifact Windows.Disk.Acquire --args device="\\.\\PhysicalDrive0" format=AFF4

FTK Imager (Windows & Linux)

You can download FTK Imager and create raw, E01 or AFF4 images:

ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 \
--description 'Laptop seizure 2025-07-22' --examiner 'AnalystName' --compress 6

EWF ๋„๊ตฌ (libewf)

sudo ewfacquire /dev/sdb -u evidence -c 1 -d "Seizure 2025-07-22" -e 1 -X examiner --format encase6 --compression best

Imaging Cloud Disks

AWS โ€“ ์ธ์Šคํ„ด์Šค๋ฅผ ์ข…๋ฃŒํ•˜์ง€ ์•Š๊ณ  ํฌ๋ Œ์‹ ์Šค๋ƒ…์ƒท์„ ์ƒ์„ฑํ•ฉ๋‹ˆ๋‹ค:

aws ec2 create-snapshot --volume-id vol-01234567 --description "IR-case-1234 web-server 2025-07-22"
# Copy the snapshot to S3 and download with aws cli / aws snowball

Azure โ€“ az snapshot create๋ฅผ ์‚ฌ์šฉํ•˜๊ณ  SAS URL๋กœ ๋‚ด๋ณด๋ƒ…๋‹ˆ๋‹ค.

๋งˆ์šดํŠธ

์˜ฌ๋ฐ”๋ฅธ ์ ‘๊ทผ ๋ฐฉ์‹ ์„ ํƒ

  1. ์›๋ณธ ํŒŒํ‹ฐ์…˜ ํ…Œ์ด๋ธ”(MBR/GPT)์ด ํ•„์š”ํ•  ๋•Œ ์ „์ฒด ๋””์Šคํฌ๋ฅผ ๋งˆ์šดํŠธํ•ฉ๋‹ˆ๋‹ค.
  2. ํ•˜๋‚˜์˜ ๋ณผ๋ฅจ๋งŒ ํ•„์š”ํ•  ๋•Œ ๋‹จ์ผ ํŒŒํ‹ฐ์…˜ ํŒŒ์ผ์„ ๋งˆ์šดํŠธํ•ฉ๋‹ˆ๋‹ค.
  3. ํ•ญ์ƒ ์ฝ๊ธฐ ์ „์šฉ(-o ro,norecovery)์œผ๋กœ ๋งˆ์šดํŠธํ•˜๊ณ  ๋ณต์‚ฌ๋ณธ์—์„œ ์ž‘์—…ํ•ฉ๋‹ˆ๋‹ค.

์›์‹œ ์ด๋ฏธ์ง€ (dd, AFF4 ์ถ”์ถœ)

# Identify partitions
fdisk -l disk.img

# Attach the image to a network block device (does not modify the file)
sudo modprobe nbd max_part=16
sudo qemu-nbd --connect=/dev/nbd0 --read-only disk.img

# Inspect partitions
lsblk /dev/nbd0 -o NAME,SIZE,TYPE,FSTYPE,LABEL,UUID

# Mount a partition (e.g. /dev/nbd0p2)
sudo mount -o ro,uid=$(id -u) /dev/nbd0p2 /mnt

์™„๋ฃŒ๋˜๋ฉด ๋ถ„๋ฆฌํ•˜์‹ญ์‹œ์˜ค:

sudo umount /mnt && sudo qemu-nbd --disconnect /dev/nbd0

EWF (E01/EWFX)

# 1. Mount the EWF container
mkdir /mnt/ewf
ewfmount evidence.E01 /mnt/ewf

# 2. Attach the exposed raw file via qemu-nbd (safer than loop)
sudo qemu-nbd --connect=/dev/nbd1 --read-only /mnt/ewf/ewf1

# 3. Mount the desired partition
sudo mount -o ro,norecovery /dev/nbd1p1 /mnt/evidence

๋Œ€์‹  xmount๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ์‹ค์‹œ๊ฐ„์œผ๋กœ ๋ณ€ํ™˜ํ•ฉ๋‹ˆ๋‹ค:

xmount --in ewf evidence.E01 --out raw /tmp/raw_mount
mount -o ro /tmp/raw_mount/image.dd /mnt

LVM / BitLocker / VeraCrypt ๋ณผ๋ฅจ

๋ธ”๋ก ์žฅ์น˜(๋ฃจํ”„ ๋˜๋Š” nbd)๋ฅผ ์—ฐ๊ฒฐํ•œ ํ›„:

# LVM
sudo vgchange -ay               # activate logical volumes
sudo lvscan | grep "/dev/nbd0"

# BitLocker (dislocker)
sudo dislocker -V /dev/nbd0p3 -u -- /mnt/bitlocker
sudo mount -o ro /mnt/bitlocker/dislocker-file /mnt/evidence

kpartx ํ—ฌํผ

kpartx๋Š” ์ด๋ฏธ์ง€๋ฅผ /dev/mapper/์— ์ž๋™์œผ๋กœ ๋งคํ•‘ํ•ฉ๋‹ˆ๋‹ค:

sudo kpartx -av disk.img  # creates /dev/mapper/loop0p1, loop0p2 โ€ฆ
mount -o ro /dev/mapper/loop0p2 /mnt

์ผ๋ฐ˜์ ์ธ ๋งˆ์šดํŠธ ์˜ค๋ฅ˜ ๋ฐ ์ˆ˜์ •

์˜ค๋ฅ˜์ผ๋ฐ˜์ ์ธ ์›์ธ์ˆ˜์ •
cannot mount /dev/loop0 read-only์ €๋„๋ง ํŒŒ์ผ ์‹œ์Šคํ…œ (ext4)์ด ์ •์ƒ์ ์œผ๋กœ ๋ถ„๋ฆฌ๋˜์ง€ ์•Š์Œ-o ro,norecovery ์‚ฌ์šฉ
bad superblock โ€ฆ์ž˜๋ชป๋œ ์˜คํ”„์…‹ ๋˜๋Š” ์†์ƒ๋œ ํŒŒ์ผ ์‹œ์Šคํ…œ์˜คํ”„์…‹ ๊ณ„์‚ฐ (sector*size) ๋˜๋Š” ๋ณต์‚ฌ๋ณธ์—์„œ fsck -n ์‹คํ–‰
mount: unknown filesystem type 'LVM2_member'LVM ์ปจํ…Œ์ด๋„ˆvgchange -ay๋กœ ๋ณผ๋ฅจ ๊ทธ๋ฃน ํ™œ์„ฑํ™”

์ •๋ฆฌ

umount ๋ฐ disconnect ๋ฃจํ”„/nbd ์žฅ์น˜๋ฅผ ๊ธฐ์–ตํ•˜์—ฌ ์ถ”๊ฐ€ ์ž‘์—…์„ ์†์ƒ์‹œํ‚ฌ ์ˆ˜ ์žˆ๋Š” ๋‚จ์•„ ์žˆ๋Š” ๋งคํ•‘์„ ๋‚จ๊ธฐ์ง€ ์•Š๋„๋ก ํ•˜์‹ญ์‹œ์˜ค:

umount -Rl /mnt/evidence
kpartx -dv /dev/loop0  # or qemu-nbd --disconnect /dev/nbd0

References

  • AFF4 imaging tool announcement & specification: https://github.com/aff4/aff4
  • qemu-nbd ๋งค๋‰ด์–ผ ํŽ˜์ด์ง€ (๋””์Šคํฌ ์ด๋ฏธ์ง€๋ฅผ ์•ˆ์ „ํ•˜๊ฒŒ ๋งˆ์šดํŠธํ•˜๊ธฐ): https://manpages.debian.org/qemu-system-common/qemu-nbd.1.en.html

Tip

AWS ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ:HackTricks Training AWS Red Team Expert (ARTE)
GCP ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training GCP Red Team Expert (GRTE) Azure ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks ์ง€์›ํ•˜๊ธฐ