Unit 2: Linux/Unix Acquisition 2.1 Linux/Unix Acquisition: Forensic Imaging of Drives

mac 2022-06-30

>> After acquiring volatile data, we move on to acquiring non-volatile data.

Although it is possible to acquire drives from a live system, a common practice is to shut down the system and remove the drives for imaging.

Please be aware that certain types of hard drives and solid state drives may self-destroy any data on the drive when you remove the device or power it off completely.

Toshiba is one example.

At this point, there are many high-speed forensic imagers on the market.

High-speed forensic imagers can copy up to 30 gigabytes per minute.

The Tableau series from Guidance Software is an example.

These imagers usually have built-in write-blocker functionality to ensure the original drive data will not be modified.

Software-based imaging tools like FTK Imager and dd can also be used to create a bit-stream copy of drives.

However, you will need a write blocker to separate the original drives from the imaging software, to prevent the software from modifying data on the original drives.

Besides imaging, most of these imaging tools will generate the hash value automatically after the imaging is done.

We tried FTK Imager in Unit 1.

In this unit, we will learn a basic and widely available imaging utility, dd.

dd is installed by default on most Linux distributions and UNIX variants.

It was originally designed as a system administration tool for copying and converting data, but it can be used as a forensic imaging tool to make a bit-stream copy of a file, folder, volume, or physical drive.

Let's find out how dd works and why it can be used for forensic bit-stream copies.

Basically, dd reads input blocks one at a time from a block-level device and puts them into a memory buffer, applies the selected conversions, then outputs from the buffer to the desired location, with a default block size of 512 bytes.

To copy our physical device data, we simply use dd to move chunks of bits from a source device to a destination device, ignoring the end-of-file marker.

dd copies metadata and the data blocks in their entirety, regardless of whether or not they are allocated to an active file.

Here is a simple example of a command to copy data from /dev/hda to /dev/hdb.

In this dd command, if= means input file and of= means output file.

If you do not specify an output file name, by default dd will output results to stdout.

Here is another example.

dd can redirect by pipe to netcat or other applications to send the data from /dev/hda to a networked machine, 192.168.1.2, listening on port 2222.

Besides the simple options, dd also has a set of options to extend its basic capabilities.

You can read the man page, man dd, to learn all of the options.

Here we only cover the options that are useful for forensic imaging.

The default input and output block size for dd is 512 bytes; however, if you choose to use a specific input and output size other than the default, you can use the option bs.

For example, bs=N means both the input and output block size is N bytes.

NK means N kilobytes.

Large block sizes of up to around 8K can decrease imaging time.

You can choose to have a different input size than the output size.

ibs defines the input block size while obs specifies the output block size.
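The if=/of= form, output to stdout for piping, and the bs= variants described above, run end to end as an added example (this script is not part of the lecture). A constructed 2 MiB file stands in for /dev/hda, because the point is the command shape and the hash verification, not a real drive; it assumes GNU or BSD dd, head, mktemp, and sha256sum (or shasum -a 256) are available.

```shell
#!/bin/sh
# Added example, not from the lecture: exercise dd's if=/of=, stdout output
# and bs= options on a constructed file, and verify every image by hash.
# Assumptions: GNU or BSD dd, head, mktemp, sha256sum or shasum -a 256.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of the named file, or of stdin when no file is given ("-").
hash_data() {  # $1 file (optional)
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "${1:--}"
    else
        shasum -a 256 "${1:--}"
    fi | cut -d' ' -f1
}

# Constructed 2 MiB stand-in for an evidence drive. In a real case the source
# is a block device such as /dev/sda, read through a write blocker.
make_source() {
    yes 'constructed evidence sector' | head -c $(( 2 * 1024 * 1024 )) > "$WORK/hda.raw"
    printf '%s\n' "$WORK/hda.raw"
}

# "dd if=SRC of=IMG bs=SIZE": a bit-stream copy with the given block size.
# Prints the image path. bs=512 is dd's default; bs=8k is the larger size the
# lecture mentions for faster imaging.
image_with_bs() {  # $1 source, $2 block size (512, 8k, ...)
    out="$WORK/image_bs$2.dd"
    dd if="$1" of="$out" bs="$2" 2>/dev/null
    printf '%s\n' "$out"
}

# The acceptance check after imaging: source hash equals image hash.
verify_image() {  # $1 source, $2 image; prints "match" or "MISMATCH"
    if [ "$(hash_data "$1")" = "$(hash_data "$2")" ]; then echo match; else echo MISMATCH; fi
}

# Without of=, dd writes to stdout, so the stream can be piped to any consumer.
# Here the consumer is the hash tool; the lecture's
# "dd if=/dev/hda | nc 192.168.1.2 2222" is the same shape with netcat
# sending the stream to a remote listener (no listener is started here).
hash_via_stdout() {  # $1 source; prints the SHA-256 of the streamed bytes
    dd if="$1" bs=8k 2>/dev/null | hash_data
}

# Does the streamed copy hash the same as the source file? Prints yes/no.
stdout_matches() {  # $1 source
    if [ "$(hash_via_stdout "$1")" = "$(hash_data "$1")" ]; then echo yes; else echo no; fi
}

SRC=$(make_source)
IMG512=$(image_with_bs "$SRC" 512)
IMG8K=$(image_with_bs "$SRC" 8k)
echo "bs=512 image: $(verify_image "$SRC" "$IMG512")"
echo "bs=8k image:  $(verify_image "$SRC" "$IMG8K")"
echo "stdout stream hashes like the source: $(stdout_matches "$SRC")"
```

The block size changes only throughput, never the bytes produced, which is why both images verify against the same source hash. One caveat the lecture does not cover: on a drive with unreadable sectors, plain dd stops at the first read error; GNU dd's `conv=noerror,sync` keeps going and zero-fills the bad block, and the resulting hash mismatch against the source then has to be documented in the acquisition notes.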

You also have the flexibility of carving and copying a portion of data from the source device to a specific part of the destination device.

The dd options skip, seek, and count will do the work.

count=S will only transfer S blocks of data from the source and then stop.

Please be aware that the unit for count is blocks.

For example, 512 bytes if the file system's block size is 512 bytes.

skip=N will simply skip N blocks from the input file before copying.

seek=N will skip N blocks in the output file before copying over.

Let's look at an example that uses count, skip, and seek.

The input file is sda.dd and the output file is called sda1.dd.

dd skipped the first 32 blocks and copied over a chunk of blocks.

For the first command, which partition does this dd command carve out from sda.dd and copy to sda1.dd?

How about the second command?

Answer these questions to make sure you understand before moving on.
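The carving pattern above (sda.dd in, sda1.dd out, skip= past the leading blocks, count= for the partition length, seek= to place data inside an output) as an added example; this script is not the lecture's own command and does not answer its quiz. It builds a constructed 1 MiB image with a one-entry MBR partition table, reads the partition's start sector and length from that table rather than guessing them, carves with dd skip=/count=, and then uses seek= to put the carved partition back at its original offset in a blank image. Assumptions: GNU or BSD dd, od, cmp, head and mktemp, and a little-endian host (od -t u4 decodes in host byte order).

```shell
#!/bin/sh
# Added example, not from the lecture: carve a partition out of a raw disk
# image with dd skip=/count=, locating it through the MBR partition table,
# then restore it into a blank image with seek=. A constructed 1 MiB image
# stands in for sda.dd. Assumptions: GNU or BSD dd, od, cmp, head, mktemp;
# little-endian host for od.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SECTOR=512
IMAGE="$WORK/sda.dd"

# Write the non-zero bytes of a little-endian value (up to 4 bytes) into a
# file that is already zero-filled at that offset. Zero bytes are skipped so
# no NUL has to pass through printf.
put_le32() {  # $1 file, $2 byte offset, $3 value
    i=0
    while [ "$i" -lt 4 ]; do
        byte=$(( ($3 >> (8 * i)) & 255 ))
        if [ "$byte" -ne 0 ]; then
            printf "\\$(printf '%03o' "$byte")" |
                dd of="$1" bs=1 seek=$(( $2 + i )) conv=notrunc 2>/dev/null
        fi
        i=$(( i + 1 ))
    done
}

# Read a 32-bit little-endian value at a byte offset (host byte order via od).
read_le32() {  # $1 file, $2 byte offset; prints the value
    od -An -t u4 -j "$2" -N 4 "$1" | tr -d ' \n'
}

# Constructed evidence image: filler everywhere, a zeroed MBR in sector 0 with
# one partition entry at byte 446 (start LBA 32, 1024 sectors, type 0x83), and
# a distinct pattern inside the partition so the carve can be checked.
build_image() {
    yes 'unallocated filler' | head -c $(( 2048 * SECTOR )) > "$IMAGE"
    dd if=/dev/zero of="$IMAGE" bs=$SECTOR count=1 conv=notrunc 2>/dev/null
    put_le32 "$IMAGE" 446 128      # status byte 0x80 (bootable)
    put_le32 "$IMAGE" 450 131      # partition type byte 0x83 (Linux)
    put_le32 "$IMAGE" 454 32       # first sector (LBA) of the partition
    put_le32 "$IMAGE" 458 1024     # partition length in sectors
    put_le32 "$IMAGE" 510 43605    # boot signature 0x55 0xAA (0xAA55 LE)
    yes 'partition-1 payload' | head -c $(( 1024 * SECTOR )) > "$WORK/expected_sda1.dd"
    dd if="$WORK/expected_sda1.dd" of="$IMAGE" bs=$SECTOR seek=32 conv=notrunc 2>/dev/null
}

# The lecture's command shape: dd if=sda.dd of=sda1.dd skip=START count=LENGTH,
# with START and LENGTH taken from the partition table. Prints "start count".
carve_partition() {  # $1 image, $2 output file
    start=$(read_le32 "$1" 454)
    count=$(read_le32 "$1" 458)
    dd if="$1" of="$2" bs=$SECTOR skip="$start" count="$count" 2>/dev/null
    echo "$start $count"
}

# seek=START positions the write inside the output file, so the carved
# partition lands back on its original sectors of a zero-filled image.
restore_partition() {  # $1 carved file, $2 target image, $3 start sector
    dd if="$1" of="$2" bs=$SECTOR seek="$3" conv=notrunc 2>/dev/null
}

# Byte-for-byte comparison; prints "match" or "MISMATCH".
same_bytes() { if cmp -s "$1" "$2"; then echo match; else echo MISMATCH; fi; }

build_image
CARVED="$WORK/sda1.dd"
GEOM=$(carve_partition "$IMAGE" "$CARVED")
echo "partition table says (start count): $GEOM"
echo "carved == expected payload: $(same_bytes "$CARVED" "$WORK/expected_sda1.dd")"

RESTORED="$WORK/restored.dd"
dd if=/dev/zero of="$RESTORED" bs=$SECTOR count=2048 2>/dev/null
restore_partition "$CARVED" "$RESTORED" "${GEOM%% *}"
dd if="$RESTORED" of="$WORK/region.dd" bs=$SECTOR skip=32 count=1024 2>/dev/null
echo "restored sectors 32..1055 == carved: $(same_bytes "$WORK/region.dd" "$CARVED")"
```

The start and length come from the partition table so that count= is expressed in the same 512-byte sectors the table uses; mixing a non-default bs= with table values taken in sectors is the usual way to carve the wrong range. The script reads only the classic MBR table; a GPT disk keeps its entries in a separate header and partition array, and its values would be read from there instead.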

 

Reposted from: https://www.cnblogs.com/sec875/articles/10013446.html