Kali Linux
"The quieter you become, the more you are able to hear."

Forensic investigations

Background topics: forensic science, CSI, DNA evidence, IoT devices, HASH values for evidence integrity, CPU and I/O behaviour, metadata, USB drives, partition layouts (MBR, GPT, LVM), memory dumps, Dumpit (produces a raw image).

Memory forensics with Volatility, Windows XP image (xp.raw, captured with Dumpit):

  volatility imageinfo -f xp.raw                                   # identify the profile
  volatility hivelist -f XP.raw --profile=WinXPSP3x86              # list registry hives and their offsets
  volatility -f XP.raw --profile=WinXPSP3x86 hivedump -o 0xe124f8a8   # dump one hive by its offset
  volatility -f XP.raw --profile=WinXPSP3x86 printkey -K "SAM\Domains\Account\Users\Names"                 # local user names
  volatility -f xp.raw --profile=WinXPSP3x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"   # Winlogon settings
  volatility -f XP.raw --profile=WinXPSP3x86 userassist             # programs run by the user
  volatility -f XP.raw --profile=WinXPSP3x86 pslist                 # process list

Windows 7 image (7.raw):

  volatility -f 7.raw --profile=Win7SP1x64 memdump -p 1456 -D test  # dump the memory of process 1456
  strings 1456.dmp > 1111.txt                                       # then grep password in the text
  volatility cmdscan -f 7.raw --profile=Win7SP1x64                  # command history
  volatility netscan -f 7.raw --profile=Win7SP1x64                  # network connections
  volatility iehistory -f 7.raw --profile=Win7SP1x64                # IE history
  volatility -f 7.raw --profile=Win7SP1x64 hivelist                 # registry hives
  volatility -f 7.raw --profile=Win7SP1x64 hashdump -y <SYSTEM hive virtual offset> -s <SAM hive virtual offset>   # password HASHes; offsets come from hivelist

Volatility Firefox history plugin: download http://downloads.volatilityfoundation.org/contest/2014/DaveLasalle_ForensicSuite.zip and unpack it into /usr/lib/python2.7/dist-packages/volatility/plugins/

  volatility -f 7.raw --profile=Win7SP1x64 firefoxhistory

USN journal (NTFS change journal):

  volatility -f 7.raw --profile=Win7SP1x64 usnparser --output=csv --output-file=usn.csv

Volatility timeline:

  volatility -f 7.raw --profile=Win7SP1x64 timeliner

XP image with a meterpreter session, analysed from the dump:

  volatility -f xp.raw --profile=WinXPSP3x86 pstree
  volatility connscan                        # connections
  volatility getsids -p 111,222              # SIDs of the suspect processes
  volatility dlllist -p 111,222              # loaded DLLs
  volatility malfind -p 111,222 -D test      # injected code

Process memory on a live system:

  procdump -ma notepad.exe notepad.dmp
  strings notepad.dmp > notepad.txt

VirtualBox guest memory: dump the process and view its memory as a raw image

  volatility -f 7.raw --profile=Win7SP1x64 memdump -p 1456 -D test
  mv mstsc.dmp mstsc.data
  Gimp - open - Raw Image Data

Credentials from lsass:

  procdump -ma lsass.exe lsass.dmp
  Mimikatz: sekurlsa::minidump lsass.dmp
            sekurlsa::logonPasswords

Volatility also has a mimikatz plugin.

Firefox profile data:

  dumpzilla /root/.mozilla/firefox/bvpenhsu.default/ --All

Disk imaging tools in Kali: dc3dd, dcfldd, Guymager. Sample image: http://www.cfreds.nist.gov/Controlv1_0/control.dd

DFF (Digital Forensics Framework): Open Evidence, then browse the image.

Autopsy: web server front end plus case analysis.

Extundelete (ext3 / ext4 file recovery):

  extundelete <device-file> --restore-file <path-to-file>     # restored files are written to the restore location

iPhone Backup Analyzer: examines iTunes backups of an iPhone.

Foremost: file carving from dump, raw, dd, iso or vmem images

  foremost -t jpeg,gif,png,doc -i 7.raw