Sleuth Kit practical exercises: difference between revisions

From Xinux Wiki

Earlier revision (rocky1.dd: GPT partition table, FAT32 EFI partition)

Displaying the partition table

  • mmls rocky1.dd
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0001230847   0001228800   EFI System Partition
005:  001       0001230848   0003327999   0002097152
006:  002       0003328000   0062912511   0059584512
007:  -------   0062912512   0062914559   0000002048   Unallocated

Displaying the EFI partition

  • fsstat -o 2048 rocky1.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32

OEM Name: mkfs.fat
Volume ID: 0x73f9acca
Volume Label (Boot Sector): NO NAME
Volume Label (Root Directory):
File System Type Label: FAT32
Next Free Sector (FS Info): 16776
Free Sector Count (FS Info): 1212032

Sectors before file system: 2048

File System Layout (in sectors)
Total Range: 0 - 1228751
* Reserved: 0 - 31
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 6
* FAT 0: 32 - 1231
* FAT 1: 1232 - 2431
* Data Area: 2432 - 1228751
** Cluster Area: 2432 - 1228751
*** Root Directory: 2432 - 2439

METADATA INFORMATION
--------------------------------------------
Range: 2 - 19621126
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 2 - 153291

FAT CONTENTS (in sectors)
--------------------------------------------
2432-2439 (8) -> EOF
2440-2447 (8) -> EOF
2448-2455 (8) -> EOF
2456-2463 (8) -> EOF
2464-4319 (1856) -> EOF
4320-4503 (184) -> EOF
4504-4511 (8) -> EOF
4512-6191 (1680) -> EOF
6192-8047 (1856) -> EOF
8048-9887 (1840) -> EOF
9888-11743 (1856) -> EOF
11744-16695 (4952) -> EOF
16736-16751 (16) -> EOF
16752-16759 (8) -> EOF

Current revision as of 7 August 2024, 10:02

Displaying the partition table

  • mmls debian1.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0005468159   0005466112   Linux Swap / Solaris x86 (0x82)
003:  000:001   0005468160   0052426751   0046958592   Linux (0x83)
004:  -------   0052426752   0052428799   0000002048   Unallocated
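
The offsets this exercise passes to fsstat, fls and icat (-o 5468160 for debian1.dd, -o 2048 for rocky1.dd) are the Start column of the mmls row for the partition of interest, counted in the sector unit mmls reports. The following shell script is an added example, not part of the wiki page: it derives that offset from an mmls table instead of reading it off by hand. It embeds the two tables shown on this page (the DOS table of debian1.dd and the GPT table of rocky1.dd) so it runs without The Sleuth Kit installed, and it also computes the byte offset that tools which do not count in sectors expect.

```shell
#!/bin/sh
# Added example, not part of the wiki page: derive the -o sector offset that
# fsstat/fls/icat need from an mmls partition table. The two tables below are
# copied from the page (debian1.dd, DOS; rocky1.dd, GPT) so the script runs
# offline; on a real system feed "$(mmls image.dd)" into the same functions.

MMLS_DOS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0005468159   0005466112   Linux Swap / Solaris x86 (0x82)
003:  000:001   0005468160   0052426751   0046958592   Linux (0x83)
004:  -------   0052426752   0052428799   0000002048   Unallocated'

MMLS_GPT='GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
002:  Meta      0000000001   0000000001   0000000001   GPT Header
004:  000       0000002048   0001230847   0001228800   EFI System Partition
005:  001       0001230848   0003327999   0002097152
007:  -------   0062912512   0062914559   0000002048   Unallocated'

# Print "start length" (in sectors) of the first table row whose Description
# contains the literal string $2. Rows start with a three-digit slot number;
# columns 3 and 5 are Start and Length, column 6 onwards is the Description.
# awk reads the zero-padded numbers as decimal, so 0005468160 is not octal.
mmls_partition() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[0-9][0-9][0-9]:/ {
            desc = ""
            for (i = 6; i <= NF; i++) desc = desc (i > 6 ? " " : "") $i
            if (index(desc, want) > 0) { printf "%d %d\n", $3, $5; exit }
        }'
}

# Sector offset: the value the exercise passes as -o (5468160 for the ext4
# partition of debian1.dd, 2048 for the EFI partition of rocky1.dd).
mmls_offset() {
    mmls_partition "$1" "$2" | awk '{ print $1 }'
}

# Byte offset, for tools that take bytes rather than sectors (for example
# mount -o ro,offset=N). The sector size is read from the "Units are in
# N-byte sectors" line rather than assumed to be 512.
mmls_byte_offset() {
    secsz=$(printf '%s\n' "$1" | sed -n 's/^Units are in \([0-9]*\)-byte sectors.*/\1/p')
    start=$(mmls_offset "$1" "$2")
    [ -n "$start" ] && [ -n "$secsz" ] && echo $((start * secsz))
}

ext4_off=$(mmls_offset "$MMLS_DOS" 'Linux (0x83)')
efi_off=$(mmls_offset "$MMLS_GPT" 'EFI System Partition')
echo "debian1.dd ext4 partition: -o $ext4_off ($(mmls_byte_offset "$MMLS_DOS" 'Linux (0x83)') bytes)"
echo "rocky1.dd EFI partition:   -o $efi_off"
# With The Sleuth Kit installed the same value drives the exercise commands:
#   fsstat -o "$ext4_off" debian1.dd
#   fls    -o "$ext4_off" debian1.dd
```

The match is a literal substring of the Description column, so 'Linux (0x83)' picks the ext4 partition and does not accidentally hit the 'Linux Swap / Solaris x86 (0x82)' row above it.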

Displaying the EXT4 partition

  • fsstat -o 5468160 debian1.dd | more

FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext4
Volume Name: 
Volume ID: 3cb5534c0a99fc9e6d463987f2410776

Last Written at: 2024-08-05 13:18:33 (EDT)
Last Checked at: 2022-12-03 04:04:37 (EST)

Last Mounted at: 2024-08-05 13:18:34 (EDT)
Unmounted properly
Last mounted on: /

Source OS: Linux
Dynamic Structure
Compat Features: Journal, Ext Attributes, Resize Inode, Dir Index
InCompat Features: Filetype, Needs Recovery, Extents, 64bit, Flexible Block Groups, 
Read Only Compat Features: Sparse Super, Large File, Huge File, Extra Inode Size

Journal ID: 00
Journal Inode: 8

METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 1468801
Root Directory: 2
Free Inodes: 1310126
Inode Size: 256
Orphan Inodes: 1057216, 1057065, 1056868, 1056867, 1057017, 1056900, 1057032, 

CONTENT INFORMATION
--------------------------------------------
Block Groups Per Flex Group: 16
Block Range: 0 - 5869823
Block Size: 4096
Free Blocks: 4447898

BLOCK GROUP INFORMATION
--------------------------------------------
Number of Block Groups: 180
Inodes per group: 8160
Blocks per group: 32768

Listing the files under /

  • fls -o 5468160 debian1.dd
d/d 1044481:	home
d/d 11:	lost+found
d/d 130561:	etc
d/d 522241:	media
l/l 18:	vmlinuz.old
d/d 391681:	var
l/l 12:	bin
d/d 783361:	usr
l/l 13:	sbin
l/l 14:	lib
l/l 15:	lib32
l/l 16:	lib64
l/l 17:	libx32
d/d 652801:	boot
d/d 913921:	dev
d/d 1305601:	proc
d/d 1175041:	root
d/d 1305602:	run
d/d 261132:	sys
d/d 652802:	tmp
d/d 1044482:	mnt
d/d 1175044:	srv
d/d 261133:	opt
d/d 652812:	.cache
l/l 19:	initrd.img.old
l/l 22:	vmlinuz
l/l 20:	initrd.img
V/V 1468801:	$OrphanFiles

Listing the files in etc and grepping for shadow

  • fls -o 5468160 debian1.dd 130561 | grep shadow
r/l * 130841(realloc):	shadow
r/l * 136225(realloc):	gshadow
r/l * 130702(realloc):	shadow-
r/r * 130704(realloc):	gshadow-
r/l * 136258(realloc):	shadow.17149
r/l * 136256(realloc):	gshadow.lock
r/r * 136755:	shadow.2145
r/r * 136747(realloc):	.#shadowtJKApa
r/r * 130703(realloc):	.#gshadow5j8HI9
r/- * 0:	gshadow.lock
r/r 130703:	gshadow-
r/r 130701:	shadow-
r/r 136730:	gshadow
r/r * 136730(realloc):	gshadow+
r/r 130676:	shadow
r/r * 136750(realloc):	gshadow.lock
r/r * 136755:	shadow.lock

Extracting the contents of the shadow file

  • icat -o 5468160 debian1.dd 130676 > shadow

Example: /var/log/daemon.log

  • fls -o 5468160 debian1.dd | grep var
d/d 391681:	var
  • fls -o 5468160 debian1.dd 391681 | grep log
d/d 391865:	log
  • fls -o 5468160 debian1.dd 391865 | grep daemon
r/r 393069:	daemon.log
r/r 391806:	daemon.log.2.gz
r/r 393067:	daemon.log.1

Extracting the contents of daemon.log

  • icat -o 5468160 debian1.dd 393069
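
The two extraction steps above (shadow via inode 130676, daemon.log via inode 393069) depend on reading fls output correctly: a leading "*" marks a directory entry that has been deleted, and "(realloc)" means the inode has since been reused by another file, so icat on such an inode returns the current owner's data rather than the deleted file. That is why the exercise uses the unstarred entry 130676 for shadow although several deleted "shadow" entries appear in the grep. The shell script below is an added example, not part of the wiki page: it parses fls listings, separates live from deleted and reallocated entries, and resolves a path such as var/log/daemon.log to an inode one directory at a time, the way the daemon.log section does by hand. The listings are excerpts of the fls output on this page; fake_fls is a constructed stand-in for fls so the script runs without The Sleuth Kit installed.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Parses fls output: "*" after the
# type column = deleted entry, "(realloc)" on the inode = inode reused since.
# FLS_* are excerpts of the page's own listings; fake_fls is constructed.

FLS_ROOT=$(printf '%b\n' \
    'd/d 1044481:\thome' \
    'd/d 130561:\tetc' \
    'd/d 391681:\tvar')
FLS_VAR=$(printf '%b\n' 'd/d 391865:\tlog')
FLS_LOG=$(printf '%b\n' \
    'r/r 393069:\tdaemon.log' \
    'r/r 391806:\tdaemon.log.2.gz' \
    'r/r 393067:\tdaemon.log.1')
FLS_ETC=$(printf '%b\n' \
    'r/l * 130841(realloc):\tshadow' \
    'r/r * 136755:\tshadow.2145' \
    'r/- * 0:\tgshadow.lock' \
    'r/r 130703:\tgshadow-' \
    'r/r 130701:\tshadow-' \
    'r/r 136730:\tgshadow' \
    'r/r * 136730(realloc):\tgshadow+' \
    'r/r 130676:\tshadow' \
    'r/r * 136750(realloc):\tgshadow.lock' \
    'r/r * 136755:\tshadow.lock')

# Inode of the live (not deleted) entry named $2 in the fls listing $1.
# fls separates the metadata column from the file name with a tab.
fls_live_inode() {
    printf '%s\n' "$1" | awk -F'\t' -v want="$2" '
        $2 == want {
            n = split($1, f, " ")
            if (f[2] == "*") next             # deleted or reallocated: skip
            inode = f[n]; sub(/[(:].*$/, "", inode)
            print inode; exit
        }'
}

# One line per deleted entry: "deleted|reallocated <inode> <name>".
# Only the "deleted" ones still point at data that icat could recover.
fls_deleted() {
    printf '%s\n' "$1" | awk -F'\t' '
        { n = split($1, f, " ") }
        f[2] == "*" {
            inode = f[n]
            state = (inode ~ /realloc/) ? "reallocated" : "deleted"
            sub(/[(:].*$/, "", inode)
            print state, inode, $2
        }'
}

# Constructed stand-in for "fls -o OFFSET IMAGE [DIR-INODE]": no argument
# lists the root directory, otherwise the directory with that inode.
fake_fls() {
    case "${1:-root}" in
        root)   printf '%s\n' "$FLS_ROOT" ;;
        391681) printf '%s\n' "$FLS_VAR" ;;
        391865) printf '%s\n' "$FLS_LOG" ;;
        130561) printf '%s\n' "$FLS_ETC" ;;
        *)      return 1 ;;
    esac
}

# Resolve path $2 to an inode by listing one directory per component with
# the lister command $1. Fails if a component is missing or only deleted.
tsk_resolve() {
    lister=$1; rest=$2; dir=""
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$comp" ] || continue            # leading or doubled slash
        listing=$($lister $dir) || return 1
        dir=$(fls_live_inode "$listing" "$comp")
        [ -n "$dir" ] || return 1
    done
    printf '%s\n' "$dir"
}

echo "var/log/daemon.log -> inode $(tsk_resolve fake_fls var/log/daemon.log)"
echo "etc/shadow         -> inode $(tsk_resolve fake_fls etc/shadow)"
fls_deleted "$FLS_ETC"
# Against the real image, with The Sleuth Kit installed:
#   real_fls() { fls -o 5468160 debian1.dd "$@"; }
#   inode=$(tsk_resolve real_fls var/log/daemon.log)
#   icat -o 5468160 debian1.dd "$inode" > daemon.log && sha256sum daemon.log
```

Resolving by name through fls_live_inode rather than copying an inode from a grep keeps a reallocated entry such as 130841(realloc) shadow from being handed to icat by mistake; hashing the extracted file right after icat records what was actually pulled from the image.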