Now, you may say dd is quite useful; however, on the negative side, dd does not provide any feedback to the user about its progress.
Especially, you do not know whether dd is still running or has encountered an error.
By default, dd will continue copying out data until the end of the file or drive, or until it encounters a bad sector or block on the source device that it cannot read.
In the case of a bad sector, it will just stop what it is doing.
The user will have no idea of its progress and its status.
The conv option defines the conversion options for dd, since dd was originally designed for copy and conversion.
conv=noerror,sync is often used for forensic imaging to skip the unreadable sectors and then continue copying.
More specifically, conv=noerror will instruct dd to pad the bad sectors with zeros and move on to continue copying the rest of the data.
The sync option instructs dd to keep the sectors in the target device aligned with those from the source device.
Thus, the data will not be misplaced in the wrong physical location on the destination copy.
Here is one example of dd.
You'll see that dd with conv=noerror,sync will copy from /dev/hdb to an output file called hdb.dd.
If there is a bad sector in hdb, dd will pad the bad sectors with zeros and continue copying.
Remember that since dd is a simple tool for data duplication, it will not calculate the hash value for the newly generated image.
Therefore, after the imaging process is complete, it is your responsibility to compute hash values for both the original source and the dd image.
Only if the hashes match is your forensic imaging process done.
When you present your case to court, you can prove that the image you used for analysis is the same as the original.
If /dev/hdb has a bad sector and you use the conv=noerror option, you have a complicated and interesting case.
As you know, the hash value of hdb.dd will always be different from the hash value of /dev/hdb due to the padding of zeros.
You have to document what has happened.
This dd image may not be called admissible evidence, depending on your action.
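The imaging and hash-verification procedure above, as an added shell example that is not part of the lecture: a regular file stands in for /dev/hdb, so there are no real read errors; the zero padding it shows comes from sync padding the final short block, which is the same padding the lecture describes for unreadable sectors. The file names, the 1000-byte source and the use of sha256sum are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the lecture): image a constructed "device" with dd,
# hash both sides, and show what conv=noerror,sync does when the source length
# is not a multiple of the block size. A regular file stands in for /dev/hdb.
set -e
WORK=$(mktemp -d)
head -c 1000 /dev/urandom > "$WORK/hdb"   # constructed 1000-byte source, not 512-aligned

hash_of() { sha256sum "$1" | awk '{print $1}'; }

image_plain() {
    # dd if=/dev/hdb of=hdb.dd (no conversion): byte-for-byte copy, hashes match
    dd if="$WORK/hdb" of="$WORK/hdb.dd" bs=512 2>/dev/null
    [ "$(hash_of "$WORK/hdb")" = "$(hash_of "$WORK/hdb.dd")" ] && echo match || echo mismatch
}

image_padded() {
    # dd if=/dev/hdb of=hdb_padded.dd conv=noerror,sync:
    # noerror keeps going past read errors, sync pads every short input block to bs.
    # The last read here is 488 bytes, so it is padded to 512 and the hash changes.
    dd if="$WORK/hdb" of="$WORK/hdb_padded.dd" bs=512 conv=noerror,sync 2>/dev/null
    [ "$(hash_of "$WORK/hdb")" = "$(hash_of "$WORK/hdb_padded.dd")" ] && echo match || echo mismatch
}

padded_size() { wc -c < "$WORK/hdb_padded.dd" | tr -d ' '; }

# Record the outcome next to both sizes, as the lecture says you must document.
echo "plain image:  $(image_plain)"
echo "padded image: $(image_padded) ($(padded_size) bytes vs $(wc -c < "$WORK/hdb" | tr -d ' ') source bytes)"
```

The point to take from the second run is that a padded image is expected to hash differently from its source; the hash of the padded image is still worth recording, because it proves the image you analyse later is the one you made.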
Besides creating forensic images, dd has other uses.
You may recall that in unit one we emphasized that we have to sanitize the evidence drive before writing any data on the drive to avoid data corruption.
You can use dd to wipe the drive with all zeros using this command.
So, in this case, the input file is /dev/zero, and it will provide endless zeros to the destination.
This process will basically fill your target drive with zeros, overwriting any data as it goes.
Some sources say that very old hard drives might still contain residual data that an electron microscope might pick up after one pass of cleaning.
Therefore, the Department of Defense standard for unclassified hard drive dispersion requires three passes over every byte.
Some researchers even suggest seven passes of wiping.
After wiping, you can reformat the drive.
Now the drive is sanitized and ready to accept data.
Now let's look at some examples of using dd for forensic imaging.
In drive-to-drive imaging, you physically remove the drive from the suspect computer and connect the suspect drive to the forensics machine with a write blocker.
Assume hdb is a clean, wiped drive filled with all zeros and hdb's capacity is larger than /dev/hda.
We can use both dd commands below to copy the content.
What's the difference between these two commands?
The difference is the output file.
In the first dd command, we copy every bit of hda to a clean drive, hdb.
Since the size of hdb is larger than hda, after dd is done, hdb will contain the data from the source followed by a bunch of zeros.
Therefore, the hash value of hdb will not be the same as the hash of hda, due to those extra zeros.
To obtain the same hash value, you can use dd to carve out the number of blocks copied from hda, leaving out the zeros.
Using the second command, since evidence.dd is a file containing exactly the data from hda, assuming dd copied successfully, the hash value of hda will be the same as the hash value of the file evidence.dd.
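The two commands just compared, as an added shell example that is not part of the lecture: two regular files stand in for /dev/hda (three sectors of data) and the wiped, larger /dev/hdb (five sectors of zeros). conv=notrunc is used only because these are files; writing to a real block device never truncates it, so the trailing zeros would be there anyway. File names, sizes and the use of sha256sum are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the lecture): drive-to-drive copy into a larger wiped
# destination, then carving back exactly the copied sectors. Regular files
# stand in for /dev/hda and /dev/hdb.
set -e
WORK=$(mktemp -d)
head -c 1536 /dev/urandom > "$WORK/hda"                    # constructed: 3 x 512 bytes of data
dd if=/dev/zero of="$WORK/hdb" bs=512 count=5 2>/dev/null  # constructed: 5 wiped sectors

hash_of() { sha256sum "$1" | awk '{print $1}'; }
sectors_of() { echo $(( $(wc -c < "$1") / 512 )); }

drive_to_drive() {
    # First command: dd if=/dev/hda of=/dev/hdb
    # (conv=notrunc only because hdb is a file here, so it keeps its full size)
    dd if="$WORK/hda" of="$WORK/hdb" bs=512 conv=notrunc 2>/dev/null
    # hdb now holds hda's 3 sectors followed by 2 sectors of zeros, so the hashes differ.
    [ "$(hash_of "$WORK/hda")" = "$(hash_of "$WORK/hdb")" ] && echo match || echo mismatch
}

carve_back() {
    # Second command: copy exactly the number of sectors that came from hda,
    # leaving the trailing zeros behind, so evidence.dd hashes like hda.
    dd if="$WORK/hdb" of="$WORK/evidence.dd" bs=512 count="$(sectors_of "$WORK/hda")" 2>/dev/null
    [ "$(hash_of "$WORK/hda")" = "$(hash_of "$WORK/evidence.dd")" ] && echo match || echo mismatch
}

echo "hdb after copy: $(drive_to_drive) ($(sectors_of "$WORK/hdb") sectors)"
echo "evidence.dd:    $(carve_back) ($(sectors_of "$WORK/evidence.dd") sectors)"
```

The sector count passed to count= comes from the source size, not from guessing; on a real drive you would take it from the drive's reported size or from the "records in" line dd prints when the first copy finishes.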
If you choose not to remove the suspect machine's drive for duplication, you can use a machine-to-machine drive imaging approach.
In this case, we will simply connect the suspect machine with the forensics workstation using a crossover cable or FireWire cable.
The forensic machine will listen on port 8888 to receive data.
On the suspect machine, you are sending data, and you'll run netcat.
Now, the input file, certainly, is from hda, and it is piped to netcat, to the IP address of the forensics machine and to port 8888.
And then here we use the option -w. It makes sure that the connection will be terminated after N seconds, in this case three, if the connection cannot be made or is idle.
After dd finishes, make sure the hash values of the original drive and the dd image match.
Before I finish talking about dd, I also want to briefly introduce dd's siblings, sdd and dcfldd.
Both of them improve dd's functionality by achieving better performance and also providing copy progress.
In summary, this unit covers the Linux/UNIX nonvolatile and volatile data acquisition process and technologies.
We will study Linux/UNIX file systems in the next unit, and I hope you enjoy the lesson.
Hi. In this short video, let's practice dd and netcat.
Now, on this suspect machine, we see a file called secret.
Assume we want to copy the secret file from the desktop to the evidence folder.
So, we use dd.
The input file is secret, and the output file we want to save to the evidence folder, and I call it secret.dd.
Although you can use any file name, always practice using a meaningful name.
Later, that will save you time in the investigation.
So, what you have done here is copy from the secret file and output to secret.dd, and then dd tells you 22 bytes were copied in total.
Now, those two numbers, zero plus one, mean how many records were copied in and how many were copied out.
Zero, the first unit, is sectors, so since we only have 22 bytes, it's zero sectors plus some bytes in and zero sectors plus some bytes out.
If the content is 600 bytes, then you will see one plus one, because it's one sector plus a couple of bytes.
One sector plus some bytes.
So, this is a dump with dd, and you probably have a question: in the class I mentioned that dd will ignore the end-of-file marker, but that's the situation when we said copy a device drive.
Copy a device drive.
So, in this case, we use dd to copy a file.
Certainly, dd will copy exactly the content of the file.
If you copy from a device to another file, then it will copy anything from the device; in that case dd will ignore the end-of-file marker, because it's only focused on the content of the device.
Now, next let's look at how we use dd to wipe a device or wipe a file.
So, wiping a device takes a long time, so we use dd to wipe a file.
Let's look into the evidence folder.
OK. And we have a file called wipeme.
So, let me see what's in there.
So, it's just useless data.
Let's say this is old data and we want to wipe it out with zeros.
OK. So, we say dd input file is /dev/zero.
Now, what is the /dev/zero file?
This is a pseudo-file.
No size limit.
Basically, it supplies endless zeros.
It depends on the output file.
No matter how many zeros you want, it will give them to you.
So, the input file is /dev/zero, and the output file, let's say we want to remove what is currently inside the evidence file.
So, we just want to wipe out the file, which is called wipeme.
And we only want to move one sector of zeros, because this input file is endless zeros.
So, let's do that.
Now, in this case, you can see exactly one sector, 512 bytes, in and one sector, 512 bytes, out.
Because we said count one sector.
Copy one sector of data to overwrite the output file.
And it does not stop at the end-of-file marker for the output file, because the input file does not have an end marker in this case, because /dev/zero is endless.
Now, what if we do not have count equal to one?
You can try at home to find out.
All right?
It will be non-ending, because it just keeps writing sectors of zeros to the wipeme file.
OK. You can try that at home.
But first let's look at what is in wipeme now, whether it still has useless data or, as it's supposed to, has all zeros, right?
So, if we say more wipeme again, it's a chunk of 512 bytes of zeros.
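The /dev/zero wipe from the lecture and the single-sector wipe of wipeme in this video, as one added shell example that is not part of the lecture or the video: it wipes a constructed file, checks that only NUL bytes remain, and adds a multi-pass variant for the "three passes over every byte" the lecture mentions (same zero pattern each pass). The file contents, the all_zero check and the wipe_passes helper are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the lecture or the video): wipe a constructed file
# with zeros from /dev/zero and verify the result. count= is what stops dd,
# because /dev/zero never reaches end of file.
set -e
WORK=$(mktemp -d)
printf 'old useless data that must not survive the wipe\n' > "$WORK/wipeme"   # constructed

all_zero() {
    # true when the file holds only 0x00 bytes (od prints hex pairs and spaces)
    ! od -An -v -tx1 "$1" | grep -q '[^0 ]'
}

wipe_one_sector() {
    # dd if=/dev/zero of=wipeme bs=512 count=1  (the single-sector wipe from the video)
    # Without count=1 dd would never stop. Prints the resulting file size.
    dd if=/dev/zero of="$WORK/wipeme" bs=512 count=1 2>/dev/null
    wc -c < "$WORK/wipeme" | tr -d ' '
}

wipe_passes() {
    # $1 = file, $2 = number of passes. Each pass overwrites every existing byte
    # with zeros, rounded up to whole sectors; conv=notrunc keeps the file from
    # being truncated between passes. Prints the number of passes done.
    size=$(wc -c < "$1" | tr -d ' ')
    i=0
    while [ "$i" -lt "$2" ]; do
        dd if=/dev/zero of="$1" bs=512 count=$(( (size + 511) / 512 )) conv=notrunc 2>/dev/null
        i=$(( i + 1 ))
    done
    echo "$i"
}

all_zero "$WORK/wipeme" && echo "before: already zeros" || echo "before: still has data"
echo "after one sector: $(wipe_one_sector) bytes"
all_zero "$WORK/wipeme" && echo "after: all zeros" || echo "after: still has data"
```

Checking the result with od, rather than just looking at the file, is the step that turns "I ran the wipe" into "I verified the wipe", which is what you want in your notes before the drive is reused as an evidence drive.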
Now, let's try netcat and dd together.
First, we have to have a listener, so we run netcat in listen mode.
This listens on a port; you can use any port number.
We use 8888, and if it hears something, we will save it to a file we call netcat_data.
So, here, since we are in the evidence folder, that's correct.
So, the netcat data will be inside the evidence folder.
Now, we send something over.
So, in this case, we will say dd input file is secret and then pipe to netcat.
We have to give the IP address of the receiving machine, but in this case it's the same machine, so it's localhost.
Same machine.
And then the port number has to be the one the listener uses, so it's 8888.
OK. So, we send it over, and again we know that's 22 bytes of data sent over.
And then you can simply do other things; for example, if we run who and then send it over to netcat on localhost, that's also fine, but currently the receiving end has already terminated, because once it has received data, it's done.
OK? So, you needn't use dd; you can pipe any command over to netcat to the receiving end.
So, now if we look at the evidence folder, it should have netcat_data, and the content certainly is the same as the secret data.
So, that's the file received.
Now, another option we mentioned in the class is that for sending you can use -w. I want to explain this as well.
So, for example, here I again start to listen.
Listening on port 8888.
OK. Listening on that.
And then just sending; for example, I don't have much to send.
I did say connect to localhost on port 8888, but then we use -w 3; the standard says if I am idle or cannot connect, then I terminate.
Let's try six seconds; it's longer.
So, if idle for six seconds or the connection cannot be made, I don't send.
OK? So, I terminate the sending.
So, let's see.
So, it counts to six seconds since it's idle, and then it disconnected.
It says no, I don't want to connect that anymore.
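The dd-to-netcat transfer in this video and the machine-to-machine imaging described in the lecture, as one added shell example that is not part of either: a listener writes what arrives to netcat_data, the sender pipes dd into nc with -w 3, and the received copy is hash-checked against the source, which is the step the lecture says must follow the transfer. It assumes an nc binary that accepts -l -p PORT (or -l PORT) for listening and -w SECONDS for the timeout, a loopback network, and sha256sum; the secret file content is constructed.

```shell
#!/bin/sh
# Added example (not from the lecture or the video): dd piped through netcat on
# localhost, then hash verification of the received copy.
set -e
WORK=$(mktemp -d)
printf 'this is the secret\n' > "$WORK/secret"   # constructed stand-in for the suspect's file

hash_of() { sha256sum "$1" | awk '{print $1}'; }

nc_transfer() {
    # $1 = port the "forensic workstation" listens on.
    # Returns 0 if the received copy hashes identically to the source,
    # 1 if it does not, 2 if no nc binary is available to run the demo.
    port=$1
    command -v nc >/dev/null 2>&1 || return 2

    # Receiving side (forensic workstation): whatever arrives goes to netcat_data.
    nc -l -p "$port" > "$WORK/netcat_data" 2>/dev/null &
    listener=$!
    sleep 1    # give the listener a moment to bind
    if ! kill -0 "$listener" 2>/dev/null; then
        # some nc builds reject -p together with -l; retry with the bare port form
        nc -l "$port" > "$WORK/netcat_data" 2>/dev/null &
        listener=$!
        sleep 1
    fi

    # Sending side (suspect machine): dd reads the source and pipes it to nc.
    # -w 3 makes nc give up after 3 seconds idle or if it cannot connect,
    # so the sender does not hang forever once the data is out.
    dd if="$WORK/secret" 2>/dev/null | nc -w 3 127.0.0.1 "$port" || :
    wait "$listener" || :

    [ "$(hash_of "$WORK/secret")" = "$(hash_of "$WORK/netcat_data")" ] || return 1
    return 0
}

received_bytes() { wc -c < "$WORK/netcat_data" | tr -d ' '; }

# Stand-alone run on the video's port 8888.
nc_transfer 8888 && echo "hashes match: $(received_bytes) bytes received" || echo "transfer not verified (status $?)"
```

As the video notes, the listener exits after the first connection closes, so a second sender needs a fresh listener; and the -w timeout is what ends the sender's side once its input is exhausted, which is why a short idle timeout is fine for a pipe that has already delivered everything.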
All right.
So, the last thing I want to show you is skip and count.
All right? All right.
Let's see.
So, let's go to the evidence folder.
In the evidence folder, we have a large file called memorydump.bin, and if I want to use dd to carve out a certain portion of data, the input file is memorydump.bin, and I want to skip the first sector, and I only want to copy over one sector.
And the output file, I call it submem, a subset of the memory.
OK. So, if we do that, you see exactly one sector, because we said count equal to one.
Exactly one sector in, 512 bytes.
Now, if you want to examine that submem, it should be only one sector long in size.
So, the size is 512 bytes, and you can check the content, but since this file is a partial copy of the memory, you can check that this is one sector, but it starts from the second sector of the memory.
You can use other large files to figure out more meaningful content, but in this case I just used this memory dump, and so it skipped the first sector from the original source and then copied over one sector.
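The skip/count carve from this video, as an added shell example that is not part of the video: a constructed four-sector "memory dump" in which each sector is filled entirely with the letter A, B, C or D, so the sector that skip= lands on is visible at a glance, plus a cross-check that the carved sector equals the bytes at that offset in the source. The file name memorydump.bin is taken from the video's spoken description; the contents and the cross-check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the video): carve one sector out of a constructed
# dump with skip= and count=, then prove it came from the intended offset.
set -e
WORK=$(mktemp -d)
for letter in A B C D; do
    head -c 512 /dev/zero | tr '\000' "$letter"     # one 512-byte sector of one letter
done > "$WORK/memorydump.bin"

hash_of() { sha256sum "$1" | awk '{print $1}'; }

carve_sector() {
    # dd if=memorydump.bin of=submem bs=512 skip=$1 count=1
    # skip= is how many input blocks to pass over, count= how many to copy.
    # Prints the carved size and the letter found in it.
    dd if="$WORK/memorydump.bin" of="$WORK/submem" bs=512 skip="$1" count=1 2>/dev/null
    printf '%s %s\n' "$(wc -c < "$WORK/submem" | tr -d ' ')" "$(head -c 1 "$WORK/submem")"
}

carve_matches_offset() {
    # Cross-check: the carved sector must equal bytes [512*$1, 512*$1+512) of the
    # source, re-read here with a one-byte block so the offset is explicit.
    carve_sector "$1" >/dev/null
    dd if="$WORK/memorydump.bin" bs=1 skip=$(( $1 * 512 )) count=512 2>/dev/null > "$WORK/expected"
    [ "$(hash_of "$WORK/submem")" = "$(hash_of "$WORK/expected")" ]
}

echo "skip=1 count=1 -> size and content: $(carve_sector 1)"
carve_matches_offset 1 && echo "submem equals the second sector of the dump"
```

The same skip/count pattern is how you pull a partition or a suspicious region out of a full-disk image without copying the whole thing again; the cross-check is worth keeping in your notes because it ties the carved piece back to an exact byte offset in the original.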
OK? All right.
So, hopefully this video is helpful for you to understand dd and netcat.
Enjoy.
Reposted from: https://www.cnblogs.com/sec875/articles/10013460.html