01 On-site forensics and computer forensics
Two modes: one static, one dynamic
Offline forensics equipment for on-site forensics: a hard disk duplicator (image the hard disk, then do the forensics on the copy; the forensic process must never operate on the original disk)
EnCase
FTK
Forensics Master
Forensic analysis of disk storage media
Memory forensics techniques
Virtual memory (page) file / hibernation file / memory dump / DMA / cold boot
Chip forensics
Operating system Forensics
Windows system
Unallocated space still holds data
File slack area, i.e. file slack (disk fragments)
Logical size + file slack = physical size
File slack is not cleared on deletion, so earlier files can possibly be recovered from it
How to hide Files
- Change the file name extension
- File content Encryption
- Virtual Disk
- Information steganography
- Hard disk Encryption
- ...
History records (under Linux)
- IE history
- IIS access logs
- Operating system logs
- Firewall logs (to determine whether there was an attack)
- ...
Temporary files
- Office temporary files
- C:\windows\temp\*.tmp
- C:\Documents and Settings\username\Local Settings\Temporary Internet Files
Linux system Forensics
# xwd -display localhost:0 -root > screen.xwd   (capture a screenshot of the live X display into screen.xwd)
Memory information
Network connection
Port/process ...
Process information
You must take the image first and then operate on the image
File system
Log files # most of the time the log files are provided
Last year's question
SSH logins are recorded in the login log, log/secure
There may be brute-force (password guessing) attempts by an attacker in it
Example analysis
FK didn't say it sooner.
cat /var/log/dmesg
Make a profile (go to Google to find a Debian 5.0 profile)
python vol.py --info   (see the help)
Note the version: x86 or x64
Look for strange processes. # the teacher said
Then look at the network situation
This IP is suspicious
SCP copying
Check the Mail log.
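The first step of the walkthrough above (look in the login log for an attacker's brute-force attempts, then see whether one of those source IPs eventually got in) can be scripted. This is an added example, not part of the original notes; the log lines are constructed in the common /var/log/secure sshd format, and the threshold of 5 failures is an assumed cut-off.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure lines (not from the original notes).
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:02 debian sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:04 debian sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 50130 ssh2
Mar  3 10:01:06 debian sshd[2105]: Failed password for root from 203.0.113.7 port 50138 ssh2
Mar  3 10:01:08 debian sshd[2107]: Failed password for root from 203.0.113.7 port 50144 ssh2
Mar  3 10:01:10 debian sshd[2109]: Failed password for root from 203.0.113.7 port 50150 ssh2
Mar  3 10:01:12 debian sshd[2111]: Accepted password for root from 203.0.113.7 port 50158 ssh2
Mar  3 10:05:00 debian sshd[2130]: Failed password for alice from 198.51.100.5 port 41000 ssh2
Mar  3 10:05:10 debian sshd[2132]: Accepted publickey for alice from 198.51.100.5 port 41002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X" forms.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def parse_secure_log(text):
    """Yield (result, user, ip) for sshd login lines; non-login lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")

def find_bruteforce(text, threshold=5):
    """Return {ip: {"failures": n, "users": set, "accepted": [users]}} for every source IP
    with at least `threshold` failed logins (assumed cut-off). An Accepted login from a
    flagged IP is the likely break-in to chase next (network connections, scp, mail log)."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for result, user, ip in parse_secure_log(text):
        if result == "Failed":
            stats[ip]["failures"] += 1
            stats[ip]["users"].add(user)   # usernames tried from this IP
        else:
            stats[ip]["accepted"].append(user)
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}

if __name__ == "__main__":
    for ip, s in find_bruteforce(SAMPLE_SECURE_LOG).items():
        print(f"{ip}: {s['failures']} failed logins, users tried={sorted(s['users'])}, accepted={s['accepted']}")
```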
Triathlon Linux Forensics