HackTricksPata na Kuunganisha
Reading time: 4 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Upataji
DD
#This will generate a raw copy of the disk
dd if=/dev/sdb of=disk.img
dcfldd
#Raw copy with hashes along the way (more secur as it checks hashes while it's copying the data)
dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<chunk size> hashlog=<hash file>
dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes
FTK Imager
Unaweza kupakua FTK imager kutoka hapa.
ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 --description 'A description' --examiner 'Your name'
EWF
Unaweza kuunda picha ya diski kwa kutumia ewf tools.
ewfacquire /dev/sdb
#Name: evidence
#Case number: 1
#Description: A description for the case
#Evidence number: 1
#Examiner Name: Your name
#Media type: fixed
#Media characteristics: physical
#File format: encase6
#Compression method: deflate
#Compression level: fast
#Then use default values
#It will generate the disk image in the current directory
Mount
Aina kadhaa
Katika Windows unaweza kujaribu kutumia toleo la bure la Arsenal Image Mounter (https://arsenalrecon.com/downloads/) ili kuweka picha ya uchunguzi.
Raw
#Get file type
file evidence.img
evidence.img: Linux rev 1.0 ext4 filesystem data, UUID=1031571c-f398-4bfb-a414-b82b280cf299 (extents) (64bit) (large files) (huge files)
#Mount it
mount evidence.img /mnt
EWF
#Get file type
file evidence.E01
evidence.E01: EWF/Expert Witness/EnCase image file format
#Transform to raw
mkdir output
ewfmount evidence.E01 output/
file output/ewf1
output/ewf1: Linux rev 1.0 ext4 filesystem data, UUID=05acca66-d042-4ab2-9e9c-be813be09b24 (needs journal recovery) (extents) (64bit) (large files) (huge files)
#Mount
mount output/ewf1 -o ro,norecovery /mnt
ArsenalImageMounter
Ni Programu ya Windows ya kuunganisha volumes. Unaweza kuipakua hapa https://arsenalrecon.com/downloads/
Errors
cannot mount /dev/loop0 read-onlykatika kesi hii unahitaji kutumia bendera-o ro,norecoverywrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.katika kesi hii kuunganisha kumeshindwa kwa sababu offset ya filesystem ni tofauti na ile ya picha ya diski. Unahitaji kupata Ukubwa wa Sekta na Sekta ya Mwanzo:
fdisk -l disk.img
Disk disk.img: 102 MiB, 106954648 bytes, 208896 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00495395
Device Boot Start End Sectors Size Id Type
disk.img1 2048 208895 206848 101M 1 FAT12
Kumbuka kwamba saizi ya sekta ni 512 na mwanzo ni 2048. Kisha pandisha picha kama hii:
mount disk.img /mnt -o ro,offset=$((2048*512))
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.