Sleuth Kit Practical Exercises: Difference between revisions
(Page created: „=Anzeigen der Partition Tabelle= *mmls rocky1.dd <pre> GUID Partition Table (EFI) Offset Sector: 0 Units are in 512-byte sectors Slot Start…“)
(11 intermediate revisions by the same user not shown)
| Zeile 1: | Zeile 1: | ||
=Anzeigen der Partition Tabelle= | =Anzeigen der Partition Tabelle= | ||
| − | *mmls | + | *mmls debian1.dd |
<pre> | <pre> | ||
| − | + | DOS Partition Table | |
Offset Sector: 0 | Offset Sector: 0 | ||
Units are in 512-byte sectors | Units are in 512-byte sectors | ||
Slot Start End Length Description | Slot Start End Length Description | ||
| − | 000: Meta 0000000000 0000000000 0000000001 | + | 000: Meta 0000000000 0000000000 0000000001 Primary Table (#0) |
001: ------- 0000000000 0000002047 0000002048 Unallocated | 001: ------- 0000000000 0000002047 0000002048 Unallocated | ||
| − | 002: | + | 002: 000:000 0000002048 0005468159 0005466112 Linux Swap / Solaris x86 (0x82) |
| − | 003: | + | 003: 000:001 0005468160 0052426751 0046958592 Linux (0x83) |
| − | 004: | + | 004: ------- 0052426752 0052428799 0000002048 Unallocated |
| − | + | ||
| − | + | </pre> | |
| − | + | ||
| + | =Anzeigen der EXT4 Partion= | ||
| + | fsstat -o 5468160 debian1.dd | more | ||
| + | <pre> | ||
| + | FILE SYSTEM INFORMATION | ||
| + | -------------------------------------------- | ||
| + | File System Type: Ext4 | ||
| + | Volume Name: | ||
| + | Volume ID: 3cb5534c0a99fc9e6d463987f2410776 | ||
| + | |||
| + | Last Written at: 2024-08-05 13:18:33 (EDT) | ||
| + | Last Checked at: 2022-12-03 04:04:37 (EST) | ||
| + | |||
| + | Last Mounted at: 2024-08-05 13:18:34 (EDT) | ||
| + | Unmounted properly | ||
| + | Last mounted on: / | ||
| + | |||
| + | Source OS: Linux | ||
| + | Dynamic Structure | ||
| + | Compat Features: Journal, Ext Attributes, Resize Inode, Dir Index | ||
| + | InCompat Features: Filetype, Needs Recovery, Extents, 64bit, Flexible Block Groups, | ||
| + | Read Only Compat Features: Sparse Super, Large File, Huge File, Extra Inode Size | ||
| + | |||
| + | Journal ID: 00 | ||
| + | Journal Inode: 8 | ||
| + | |||
| + | METADATA INFORMATION | ||
| + | -------------------------------------------- | ||
| + | Inode Range: 1 - 1468801 | ||
| + | Root Directory: 2 | ||
| + | Free Inodes: 1310126 | ||
| + | Inode Size: 256 | ||
| + | Orphan Inodes: 1057216, 1057065, 1056868, 1056867, 1057017, 1056900, 1057032, | ||
| + | |||
| + | CONTENT INFORMATION | ||
| + | -------------------------------------------- | ||
| + | Block Groups Per Flex Group: 16 | ||
| + | Block Range: 0 - 5869823 | ||
| + | Block Size: 4096 | ||
| + | Free Blocks: 4447898 | ||
| + | |||
| + | BLOCK GROUP INFORMATION | ||
| + | -------------------------------------------- | ||
| + | Number of Block Groups: 180 | ||
| + | Inodes per group: 8160 | ||
| + | Blocks per group: 32768 | ||
| + | </pre> | ||
| + | =Auflisten der Files unter /= | ||
| + | *fls -o 5468160 debian1.dd | ||
| + | <pre> | ||
| + | d/d 1044481: home | ||
| + | d/d 11: lost+found | ||
| + | d/d 130561: etc | ||
| + | d/d 522241: media | ||
| + | l/l 18: vmlinuz.old | ||
| + | d/d 391681: var | ||
| + | l/l 12: bin | ||
| + | d/d 783361: usr | ||
| + | l/l 13: sbin | ||
| + | l/l 14: lib | ||
| + | l/l 15: lib32 | ||
| + | l/l 16: lib64 | ||
| + | l/l 17: libx32 | ||
| + | d/d 652801: boot | ||
| + | d/d 913921: dev | ||
| + | d/d 1305601: proc | ||
| + | d/d 1175041: root | ||
| + | d/d 1305602: run | ||
| + | d/d 261132: sys | ||
| + | d/d 652802: tmp | ||
| + | d/d 1044482: mnt | ||
| + | d/d 1175044: srv | ||
| + | d/d 261133: opt | ||
| + | d/d 652812: .cache | ||
| + | l/l 19: initrd.img.old | ||
| + | l/l 22: vmlinuz | ||
| + | l/l 20: initrd.img | ||
| + | V/V 1468801: $OrphanFiles | ||
| + | </pre> | ||
| + | =Auflisten der Files etc und grep nach shadow= | ||
| + | * fls -o 5468160 debian1.dd 130561 | grep shadow | ||
| + | <pre> | ||
| + | r/l * 130841(realloc): shadow | ||
| + | r/l * 136225(realloc): gshadow | ||
| + | r/l * 130702(realloc): shadow- | ||
| + | r/r * 130704(realloc): gshadow- | ||
| + | r/l * 136258(realloc): shadow.17149 | ||
| + | r/l * 136256(realloc): gshadow.lock | ||
| + | r/r * 136755: shadow.2145 | ||
| + | r/r * 136747(realloc): .#shadowtJKApa | ||
| + | r/r * 130703(realloc): .#gshadow5j8HI9 | ||
| + | r/- * 0: gshadow.lock | ||
| + | r/r 130703: gshadow- | ||
| + | r/r 130701: shadow- | ||
| + | r/r 136730: gshadow | ||
| + | r/r * 136730(realloc): gshadow+ | ||
| + | r/r 130676: shadow | ||
| + | r/r * 136750(realloc): gshadow.lock | ||
| + | r/r * 136755: shadow.lock | ||
</pre> | </pre> | ||
| + | =Inhalt der shadow-Datei extrahieren= | ||
| + | *icat -o 5468160 debian1.dd 130676 > shadow | ||
| + | =Beispiel /var/log/daemon.log= | ||
| + | *fls -o 5468160 debian1.dd | grep var | ||
| + | d/d 391681: var | ||
| + | *fls -o 5468160 debian1.dd 391681 | grep log | ||
| + | d/d 391865: log | ||
| + | *fls -o 5468160 debian1.dd 391865 | grep daemon | ||
| + | r/r 393069: daemon.log | ||
| + | r/r 391806: daemon.log.2.gz | ||
| + | r/r 393067: daemon.log.1 | ||
| + | |||
| + | =Inhalt der daemin.log extrahieren= | ||
| + | *icat -o 5468160 debian1.dd 393069 | ||
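Review bot: the added headings "=Anzeigen der EXT4 Partion=" and "=Inhalt der daemin.log extrahieren=" carry typos (Partition, daemon.log), and the fsstat line is the only command in the page without the leading * bullet; suggest `*fsstat -o 5468160 debian1.dd | more` for consistency with the other steps. A short note on why inode 130676 is the one passed to icat would also help readers: in the fls output it is the only "shadow" entry that is neither deleted (no leading *) nor marked (realloc), so its content still belongs to that name.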
Current revision as of 7 August 2024, 10:02
=Displaying the partition table=
*mmls debian1.dd
<pre>
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: 000:000 0000002048 0005468159 0005466112 Linux Swap / Solaris x86 (0x82)
003: 000:001 0005468160 0052426751 0046958592 Linux (0x83)
004: ------- 0052426752 0052428799 0000002048 Unallocated
</pre>
=Displaying the EXT4 partition=
The offset 5468160 is the start sector of the Linux (0x83) partition in the mmls output above; the -o option tells the Sleuth Kit tools where the file system begins inside the image.
*fsstat -o 5468160 debian1.dd | more
<pre>
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext4
Volume Name:
Volume ID: 3cb5534c0a99fc9e6d463987f2410776

Last Written at: 2024-08-05 13:18:33 (EDT)
Last Checked at: 2022-12-03 04:04:37 (EST)

Last Mounted at: 2024-08-05 13:18:34 (EDT)
Unmounted properly
Last mounted on: /

Source OS: Linux
Dynamic Structure
Compat Features: Journal, Ext Attributes, Resize Inode, Dir Index
InCompat Features: Filetype, Needs Recovery, Extents, 64bit, Flexible Block Groups,
Read Only Compat Features: Sparse Super, Large File, Huge File, Extra Inode Size

Journal ID: 00
Journal Inode: 8

METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 1468801
Root Directory: 2
Free Inodes: 1310126
Inode Size: 256
Orphan Inodes: 1057216, 1057065, 1056868, 1056867, 1057017, 1056900, 1057032,

CONTENT INFORMATION
--------------------------------------------
Block Groups Per Flex Group: 16
Block Range: 0 - 5869823
Block Size: 4096
Free Blocks: 4447898

BLOCK GROUP INFORMATION
--------------------------------------------
Number of Block Groups: 180
Inodes per group: 8160
Blocks per group: 32768
</pre>
=Listing the files under /=
*fls -o 5468160 debian1.dd
<pre>
d/d 1044481: home
d/d 11: lost+found
d/d 130561: etc
d/d 522241: media
l/l 18: vmlinuz.old
d/d 391681: var
l/l 12: bin
d/d 783361: usr
l/l 13: sbin
l/l 14: lib
l/l 15: lib32
l/l 16: lib64
l/l 17: libx32
d/d 652801: boot
d/d 913921: dev
d/d 1305601: proc
d/d 1175041: root
d/d 1305602: run
d/d 261132: sys
d/d 652802: tmp
d/d 1044482: mnt
d/d 1175044: srv
d/d 261133: opt
d/d 652812: .cache
l/l 19: initrd.img.old
l/l 22: vmlinuz
l/l 20: initrd.img
V/V 1468801: $OrphanFiles
</pre>
=Listing the files in etc and grepping for shadow=
*fls -o 5468160 debian1.dd 130561 | grep shadow
<pre>
r/l * 130841(realloc): shadow
r/l * 136225(realloc): gshadow
r/l * 130702(realloc): shadow-
r/r * 130704(realloc): gshadow-
r/l * 136258(realloc): shadow.17149
r/l * 136256(realloc): gshadow.lock
r/r * 136755: shadow.2145
r/r * 136747(realloc): .#shadowtJKApa
r/r * 130703(realloc): .#gshadow5j8HI9
r/- * 0: gshadow.lock
r/r 130703: gshadow-
r/r 130701: shadow-
r/r 136730: gshadow
r/r * 136730(realloc): gshadow+
r/r 130676: shadow
r/r * 136750(realloc): gshadow.lock
r/r * 136755: shadow.lock
</pre>
=Extracting the contents of the shadow file=
Inode 130676 is used because it is the only "shadow" entry in the listing above that is neither deleted (no leading *) nor marked (realloc); the other shadow inode belongs to a deleted name whose number has since been reused.
*icat -o 5468160 debian1.dd 130676 > shadow
=Example: /var/log/daemon.log=
*fls -o 5468160 debian1.dd | grep var
<pre>
d/d 391681: var
</pre>
*fls -o 5468160 debian1.dd 391681 | grep log
<pre>
d/d 391865: log
</pre>
*fls -o 5468160 debian1.dd 391865 | grep daemon
<pre>
r/r 393069: daemon.log
r/r 391806: daemon.log.2.gz
r/r 393067: daemon.log.1
</pre>
=Extracting the contents of daemon.log=
*icat -o 5468160 debian1.dd 393069
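The mmls, fls and icat steps above as a worked example, added here and not part of the original wiki page: a small Python parser over the mmls and fls output shown on this page (embedded as a constructed excerpt) that derives the -o offset from the Linux (0x83) slot and picks the allocated "shadow" inode while skipping deleted (*) and reallocated entries. The regular expressions, function names and the excerpted samples are my own assumptions about the tools' text output (real fls separates inode and name with a tab, which \s+ also accepts).

```python
import re
# Constructed sample input: an excerpt of the mmls and fls output shown on this page.
MMLS_OUTPUT = """\
DOS Partition Table
000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: 000:000 0000002048 0005468159 0005466112 Linux Swap / Solaris x86 (0x82)
003: 000:001 0005468160 0052426751 0046958592 Linux (0x83)
004: ------- 0052426752 0052428799 0000002048 Unallocated
"""
FLS_OUTPUT = """\
r/l * 130841(realloc): shadow
r/- * 0: gshadow.lock
r/r 130701: shadow-
r/r 130676: shadow
r/r * 136750(realloc): gshadow.lock
"""
# mmls slot line: "NNN: table:entry|------- start end length description"
PART_RE = re.compile(r"^\d{3}:\s+\S+\s+(\d+)\s+\d+\s+\d+\s+(.+?)\s*$")
# fls entry line: "nametype/metatype [* ]inode[(realloc)]: name"
FLS_RE = re.compile(r"^[\w-]/[\w-]\s+(\*\s+)?(\d+)(\(realloc\))?:\s+(.+)$")

def partition_offset(mmls_text, description="Linux (0x83)"):
    # Start sector of the first slot with this description: the value passed to -o.
    for line in mmls_text.splitlines():
        m = PART_RE.match(line)
        if m and m.group(2) == description:
            return int(m.group(1))
    return None

def parse_fls(fls_text):
    # '*' = name deleted; '(realloc)' = inode since reused by another file, so its content is not this name's.
    entries = []
    for line in fls_text.splitlines():
        m = FLS_RE.match(line)
        if m:
            entries.append({"name": m.group(4), "inode": int(m.group(2)),
                            "deleted": m.group(1) is not None,
                            "realloc": m.group(3) is not None})
    return entries

def live_inode(fls_text, name):
    # Inode of the allocated (neither deleted nor reallocated) entry with exactly this name.
    for e in parse_fls(fls_text):
        if e["name"] == name and not e["deleted"] and not e["realloc"]:
            return e["inode"]
    return None

def icat_command(image, mmls_text, fls_text, name):
    return f"icat -o {partition_offset(mmls_text)} {image} {live_inode(fls_text, name)} > {name}"
```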