Sleuth Kit Practical Exercises
Displaying the partition table
- mmls debian1.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: 000:000 0000002048 0005468159 0005466112 Linux Swap / Solaris x86 (0x82)
003: 000:001 0005468160 0052426751 0046958592 Linux (0x83)
004: ------- 0052426752 0052428799 0000002048 Unallocated
Displaying the ext4 partition (offset = start sector of the Linux (0x83) partition from mmls)
- fsstat -o 5468160 debian1.dd | more
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext4
Volume Name:
Volume ID: 3cb5534c0a99fc9e6d463987f2410776

Last Written at: 2024-08-05 13:18:33 (EDT)
Last Checked at: 2022-12-03 04:04:37 (EST)

Last Mounted at: 2024-08-05 13:18:34 (EDT)
Unmounted properly
Last mounted on: /

Source OS: Linux
Dynamic Structure
Compat Features: Journal, Ext Attributes, Resize Inode, Dir Index
InCompat Features: Filetype, Needs Recovery, Extents, 64bit, Flexible Block Groups,
Read Only Compat Features: Sparse Super, Large File, Huge File, Extra Inode Size

Journal ID: 00
Journal Inode: 8

METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 1468801
Root Directory: 2
Free Inodes: 1310126
Inode Size: 256
Orphan Inodes: 1057216, 1057065, 1056868, 1056867, 1057017, 1056900, 1057032,

CONTENT INFORMATION
--------------------------------------------
Block Groups Per Flex Group: 16
Block Range: 0 - 5869823
Block Size: 4096
Free Blocks: 4447898

BLOCK GROUP INFORMATION
--------------------------------------------
Number of Block Groups: 180
Inodes per group: 8160
Blocks per group: 32768
Listing the files under / (root directory, inode 2)
- fls -o 5468160 debian1.dd
d/d 1044481: home
d/d 11: lost+found
d/d 130561: etc
d/d 522241: media
l/l 18: vmlinuz.old
d/d 391681: var
l/l 12: bin
d/d 783361: usr
l/l 13: sbin
l/l 14: lib
l/l 15: lib32
l/l 16: lib64
l/l 17: libx32
d/d 652801: boot
d/d 913921: dev
d/d 1305601: proc
d/d 1175041: root
d/d 1305602: run
d/d 261132: sys
d/d 652802: tmp
d/d 1044482: mnt
d/d 1175044: srv
d/d 261133: opt
d/d 652812: .cache
l/l 19: initrd.img.old
l/l 22: vmlinuz
l/l 20: initrd.img
V/V 1468801: $OrphanFiles
Listing the files in etc (inode 130561) and grepping for shadow (entries marked * are deleted; (realloc) means the inode has since been reused)
- fls -o 5468160 debian1.dd 130561 | grep shadow
r/l * 130841(realloc): shadow
r/l * 136225(realloc): gshadow
r/l * 130702(realloc): shadow-
r/r * 130704(realloc): gshadow-
r/l * 136258(realloc): shadow.17149
r/l * 136256(realloc): gshadow.lock
r/r * 136755: shadow.2145
r/r * 136747(realloc): .#shadowtJKApa
r/r * 130703(realloc): .#gshadow5j8HI9
r/- * 0: gshadow.lock
r/r 130703: gshadow-
r/r 130701: shadow-
r/r 136730: gshadow
r/r * 136730(realloc): gshadow+
r/r 130676: shadow
r/r * 136750(realloc): gshadow.lock
r/r * 136755: shadow.lock
Extracting the contents of the shadow file (the allocated entry, inode 130676)
- icat -o 5468160 debian1.dd 130676 > shadow
Example: /var/log/daemon.log (walking the path one directory at a time)
- fls -o 5468160 debian1.dd | grep var
d/d 391681: var
- fls -o 5468160 debian1.dd 391681 | grep log
d/d 391865: log
- fls -o 5468160 debian1.dd 391865 | grep daemon
r/r 393069: daemon.log
r/r 391806: daemon.log.2.gz
r/r 393067: daemon.log.1
Extracting the contents of daemon.log
- icat -o 5468160 debian1.dd 393069
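The mmls -> fls -> icat chain from these exercises as reusable shell functions, added here as an example and not taken from the original page; it assumes the Sleuth Kit tools are on PATH, uses the page's debian1.dd, and embeds sample mmls/fls lines copied from the output above (constructed test data) so the parsers can be checked without the image:

```shell
#!/bin/sh
# Added example (not from the original exercise page): automate the
# mmls -> fls -> icat chain. Assumes mmls, fls and icat are installed.

# Start sector of the first "Linux (0x83)" partition in mmls output (stdin),
# leading zeros stripped so the value can be passed straight to -o.
linux_part_offset() {
    awk '/Linux \(0x83\)/ { sub(/^0+/, "", $3); print $3; exit }'
}

# Inode of the allocated directory entry named $1 in fls output (stdin).
# Entries marked "*" are deleted and "(realloc)" ones point at an inode
# that another file has since reused, so icat on them returns the wrong
# data; the etc listing above has seven "shadow" entries, one allocated.
allocated_inode() {
    awk -v name="$1" '$2 != "*" && $NF == name { sub(/:$/, "", $2); print $2; exit }'
}

# Resolve a path such as etc/shadow to its inode by running fls once per
# path component, starting at the root directory (fls default when no
# inode is given). Fails if a component is missing or only deleted.
path_inode() {  # $1 image, $2 partition offset, $3 path relative to /
    inode=""
    for comp in $(printf '%s' "$3" | tr '/' ' '); do
        inode=$(fls -o "$2" "$1" $inode | allocated_inode "$comp")
        [ -n "$inode" ] || return 1
    done
    printf '%s\n' "$inode"
}

# Write the file at path $3 to stdout, e.g.: extract_file debian1.dd 5468160 etc/shadow
extract_file() {
    icat -o "$2" "$1" "$(path_inode "$1" "$2" "$3")"
}

# Sample lines copied from the exercise output above (constructed test data).
MMLS_SAMPLE='002: 000:000 0000002048 0005468159 0005466112 Linux Swap / Solaris x86 (0x82)
003: 000:001 0005468160 0052426751 0046958592 Linux (0x83)'
FLS_SAMPLE='r/l * 130841(realloc): shadow
r/r * 136755: shadow.lock
r/r 130701: shadow-
r/r 130676: shadow'

# Only touch a real image when one is named on the command line:
#   sh extract.sh debian1.dd var/log/daemon.log
if [ -n "${1:-}" ]; then
    off=$(mmls "$1" | linux_part_offset)
    extract_file "$1" "$off" "${2:-etc/shadow}"
fi
```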