In this practice I will try to learn about SSH to a remote Ubuntu server I installed.
I use Ubuntu 12.04.4 LTS, download here
What is SSH?
Secure Shell (SSH), sometimes known as Secure Socket Shell, is a UNIX-based command interface and protocol for securely getting access to a remote computer. It is widely used by network administrators to control Web and other kinds of servers remotely.
1. Power on the server computer
2. Scan it using Zenmap from BackTrack
From the Zenmap result we get information about which ports are open, and much more.
3. Connect with SSH
use: ssh user@ip-address
But I can login to the server..
Can anybody help me??
============
I got a solution..
First run apt-get update on the server,
and then remove the old host key entry on the client with ssh-keygen -R ip_address:
# ssh-keygen -R 192.168.1.7
Then run ssh name@ip-address
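What ssh-keygen -R does is delete every known_hosts entry for that host, so the next connection accepts whatever key the server presents. A changed host key is also exactly what a man-in-the-middle looks like, so it is worth seeing which entry you are about to drop and keeping a copy of it. The shell script below is an added example and not part of the original post: it lists the plain-text known_hosts entries for a host and removes them only after writing a backup. The function names (kh_show, kh_remove, kh_sample) and the sample known_hosts lines, including the key blobs, are constructed for this example; hashed entries (|1|...) cannot be matched by name and are left alone, which is where the real ssh-keygen -R is still needed.

```shell
#!/bin/sh
# Added example (not from the original post): inspect and back up the
# known_hosts entries for a host before dropping them, as ssh-keygen -R would.
# Only plain (unhashed) entries can be matched by name; hashed "|1|" lines are
# skipped. Function names are hypothetical.

# _kh_filter FILE HOST MODE: print the lines that match HOST (MODE=match)
# or the lines that do not (MODE=keep). The host field is the first field,
# or the second when the line starts with an @cert-authority/@revoked marker;
# it may hold several names separated by commas. Matching is exact, so a
# "[host]:port" entry is only matched by passing "[host]:port".
_kh_filter() {
    awk -v host="$2" -v mode="$3" '
        {
            matched = 0
            if (NF > 0 && $0 !~ /^#/ && $0 !~ /^\|1\|/) {
                field = ($1 ~ /^@/) ? $2 : $1
                n = split(field, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == host) matched = 1
            }
            if ((mode == "match") == matched) print
        }' "$1"
}

kh_show() {   # kh_show FILE HOST : the entries ssh-keygen -R HOST would delete
    _kh_filter "$1" "$2" match
}

kh_remove() { # kh_remove FILE HOST : back up FILE, drop the entries, print how many
    cp -p "$1" "$1.bak" || return 1
    removed=$(_kh_filter "$1" "$2" match | wc -l | tr -d ' ')
    _kh_filter "$1.bak" "$2" keep > "$1"
    echo "$removed"
}

# Constructed sample file; the key blobs are placeholders, not real keys.
kh_sample() { # kh_sample FILE
    printf '%s\n' \
        '192.168.1.7 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFORTHEEXAMPLE' \
        '[192.168.1.7]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYONPORT2222' \
        'server.example.com,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYTWO' \
        '|1|c2FsdHNhbHRzYWx0c2FsdA==|aGFzaGVkaG9zdGhhc2hlZGhvc3Q= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYHASHED' \
        > "$1"
}

# Demo: show what would go, then remove it with a backup left behind.
work=$(mktemp -d)
kh_sample "$work/known_hosts"
echo "entries for 192.168.1.7:"
kh_show "$work/known_hosts" 192.168.1.7
echo "removed: $(kh_remove "$work/known_hosts" 192.168.1.7) (backup in $work/known_hosts.bak)"
```

After the old entry is gone, the next ssh connection prompts for the new fingerprint; compare it with the fingerprint obtained on the server console (ssh-keygen -lf on the server's host key file) before answering yes.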
Learning Until Die
Monday, 14 April 2014
Sunday, 9 March 2014
Lab 1: Exploiting BadStore
Badstore.net is dedicated to helping you understand how hackers prey on
Web application vulnerabilities, and to showing you how to reduce your
exposure.
(http://www.badstore.net/)
Lab preparation:
- VirtualBox to run Lab 1
- Mantra web browser
- OWASP ZAP as a web proxy for vulnerability assessment
Run Lab 1 in VirtualBox and check its IP with ifconfig; we get the Lab 1 IP 192.168.56.101. We can use that IP for information gathering in Zenmap.
The operating system is Linux 2.4.x; open ports are 80 for the web server, 443, and 3306 for MySQL. Because port 80 is open we can access the web application by typing the IP in the URL bar; we use the Mantra web browser. Before that, run OWASP ZAP.
I have tried more than 3 practices and restarted the Mantra web browser and OWASP ZAP and then chose menus on badstore.net, but OWASP ZAP did not catch information from BadStore. huft
OK..
Get information from /robots.txt
We get information about the User-agent entries and the directory structure:
/backup, /cgi-bin, /supplier, /upload
Type in the URL http://192.168.56.101/upload
Type in the URL http://192.168.56.101/supplier/
We get a directory listing with an accounts directory and four supplier accounts.
1. Cross Site Scripting
Try cross-site scripting with <script>alert("TEST");</script> in the guestbook comment textarea and click "Add Entry"; we encounter the alert "ATTACTTT".
Tuesday, 18 February 2014
Digital Forensics: Acquiring a Large Capacity Disk
Split a Large Capacity Disk
List the devices on your laptop or computer:
root@bt:~/evid# fdisk -l
WARNING: GPT (GUID Partition Table) detected on '/dev/sda'! The util fdisk doesn't support GPT. Use GNU Parted.
Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk identifier: 0xb05cd80c
Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 102400 7 HPFS/NTFS
Partition 1 does not end on cylinder boundary.
/dev/sda2 13 12749 102297600 7 HPFS/NTFS
/dev/sda3 12749 18828 48828125 83 Linux
/dev/sda4 18828 60801 337154049 f W95 Ext'd (LBA)
Partition 4 does not start on physical sector boundary.
/dev/sda5 18828 19077 1999872 82 Linux swap / Solaris
/dev/sda6 19077 60801 335153152 7 HPFS/NTFS
Disk /dev/sdc: 7803 MB, 7803174912 bytes
241 heads, 62 sectors/track, 1019 cylinders
Units = cylinders of 14942 * 512 = 7650304 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00044125
We get the information that device /dev/sdc has 8 GB of space; we will use dd on /dev/sdc to create an image file, cloning the flash disk:
root@bt:~/evid# dd if=/dev/sdc of=image.disk2.dd
Use ls to see the files and folders in the evid folder.
split normally works on lines of input (i.e. from a text file). But if we use the -b option, we force split to treat the file as binary input and lines are ignored.
In newer versions of split we can also use the -d option to give us numerical numbering (*.00, *.01, *.02, etc.)
split -d -b XXm <file to be split> <prefix of output files>
Split image.disk2.dd:
root@bt:~/evid# split -d -b 2000m image.disk2.dd image.split2.
This would result in 2 files (8GB in size) each named with the prefix "image.split2." as specified in the command, followed by "00", "01" and so on (assuming a newer version of split that supports the -d option is used):
root@bt:~/evid# ls image.split2.*
The process can be reversed. If we want to reassemble the image from
the split parts (from CD-R, etc.), we can use the cat command and redirect the
output to a new file.
root@bt:~/evid# cat image.split2.00 image.split2.01 > image2.new
OR
root@bt:~/evid# cat image.split2.0* > image2.new
Look at the hashing:
root@bt:~/evid# cat image.split2.0* | md5sum
root@bt:~/evid# md5sum image2.new
Looking at the output of the above commands, we see that all the md5sum hashes match (don't confuse sha1sum output with md5sum output if you use both). We find the same hash for the disk, for the split images "cat-ed" together, and for the newly reassembled image.
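To run the whole chain without a thumb drive or root, here is an added shell example that is not part of the original post: it builds a constructed stand-in for /dev/sdc, images it with dd, splits the image with split -d -b, reassembles the parts with cat, and checks that the device, the streamed parts and the reassembled file all give the same md5sum; it then shows that a single byte appended to one part breaks the match. The function names (make_fake_device, image_device, split_image, reassemble_image, verify_chain) and the 32k part size are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: image a device with dd,
# split the image with split -d -b, reassemble it with cat, and check that
# the device, the streamed parts and the reassembled file all hash the same.
# The "device" is a constructed file so this runs without root (the post
# used /dev/sdc). Function names are hypothetical.

make_fake_device() {   # make_fake_device PATH SIZE_KB : ordered, non-repeating bytes
    # Ascending numbers, so a part put back in the wrong order would not hash the same.
    seq 1 $(( $2 * 300 )) | head -c $(( $2 * 1024 )) > "$1"
}

image_device() {       # image_device DEVICE IMAGE : raw copy in 512-byte blocks
    # conv=noerror,sync keeps going past read errors and pads short reads
    # with NUL bytes; on a block-aligned source nothing is padded.
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

split_image() {        # split_image IMAGE PREFIX PART_SIZE : parts PREFIX00, PREFIX01, ...
    split -d -b "$3" "$1" "$2"
}

reassemble_image() {   # reassemble_image PREFIX OUTPUT : glob order is numeric order for -d names
    cat "$1"[0-9][0-9] > "$2"
}

md5_of() {             # md5_of FILE : hash only
    md5sum "$1" | cut -d' ' -f1
}

md5_of_parts() {       # md5_of_parts PREFIX : hash of the parts streamed through cat
    cat "$1"[0-9][0-9] | md5sum | cut -d' ' -f1
}

verify_chain() {       # verify_chain DEVICE IMAGE PREFIX REASSEMBLED : 0 only if all four agree
    d=$(md5_of "$1"); i=$(md5_of "$2"); p=$(md5_of_parts "$3"); r=$(md5_of "$4")
    echo "device $d"
    echo "image  $i"
    echo "parts  $p"
    echo "joined $r"
    [ "$d" = "$i" ] && [ "$i" = "$p" ] && [ "$p" = "$r" ]
}

# Demo run with a 96 KB constructed device and 32 KB parts.
work=$(mktemp -d)
make_fake_device "$work/sdc" 96
image_device "$work/sdc" "$work/image.disk2.dd"
split_image "$work/image.disk2.dd" "$work/image.split2." 32k
reassemble_image "$work/image.split2." "$work/image2.new"
if verify_chain "$work/sdc" "$work/image.disk2.dd" "$work/image.split2." "$work/image2.new"; then
    echo "all hashes match"
else
    echo "HASH MISMATCH: do not trust this image"
fi
```

The same comparison is what you do after burning the parts to CD-R and copying them back: if verify_chain fails, one of the parts was altered or is missing, and the reassembled image is not the evidence you acquired.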
Data carving using dd
Download image_carve.raw and copy it to /evid.
Have a brief look at the file image_carve.raw with your wonderful command line hexdump tool, xxd:
root@bt:~/evid# xxd image_carve.raw | less
Find the start of the JPEG (xxd and grep):
root@bt:~/evid# xxd image_carve.raw | grep ffd8
00052a0: b4f1 559c ffd8 ffe0 0010 4a46 4946 0001 ..U.......JFIF..
Convert the offset of that line to decimal:
root@bt:~/evid# echo "ibase=16;00052A0" | bc
21152
The ffd8 sits 4 bytes into that line (after b4f1 559c), so the JPEG starts at byte offset 21156.
Now it's time to find the end of the file, searching from the start of the JPEG onwards:
root@bt:~/evid# xxd -s 21156 image_carve.raw | grep ffd9
0006c74: ffd9 d175 650b ce68 4543 0bf5 6705 a73c ...ue..hEC..g..<
Calculate the decimal offset:
root@bt:~/evid# echo "ibase=16;0006C74" | bc
27764
Include the ffd9 itself (giving us 27766) and subtract the start offset:
root@bt:~/evid# echo "27766 - 21156" | bc
6610
We now know the file is 6610 bytes in size, and it starts at byte offset 21156. The carving is the easy part! We will use dd with three options: skip= how far into the data chunk we begin "cutting"; bs= (block size) the number of bytes we include as a "block"; count= the number of blocks we will be "cutting".
root@bt:~/evid# dd if=image_carve.raw of=carv.jpg skip=21156 bs=1 count=6610
6610+0 records in
6610+0 records out
6610 bytes (6.6 kB) copied, 0.0285196 s, 232 kB/s
The carved file is in our current directory, called carv.jpg. If you are in X, simply use the xv command to view the file; xv from a command line (while in an X session) will display the graphic image in its own window.
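The offset arithmetic above is where carving goes wrong in practice: the grep finds the line, not the marker, and a stray ffd9 inside the scan data ends the file early. The shell below is an added example that is not part of the original post. It replaces image_carve.raw with a constructed file holding a tiny fake JPEG at a known offset, locates the start by the three-byte sequence ff d8 ff (stricter than grepping for ffd8 alone), locates the first ff d9 after it, and carves with the same dd skip/bs/count options. Function names (hex_bytes, jpeg_start, jpeg_end, carve_jpeg) and the sample data are assumptions of this example; od stands in for xxd, which may not be installed.

```shell
#!/bin/sh
# Added example (not from the original post): find a JPEG inside a raw chunk
# by its SOI (ff d8 ff) and EOI (ff d9) markers and carve it out with dd.
# image_carve.raw is replaced by a constructed file; names are hypothetical.

# One byte per line, lower-case hex, in file order (a portable xxd stand-in).
hex_bytes() {  # hex_bytes FILE
    od -An -v -tx1 "$1" | awk '{ for (i = 1; i <= NF; i++) print $i }'
}

# Byte offset of the first ff d8 ff sequence; exit 1 if there is none.
jpeg_start() {  # jpeg_start FILE
    hex_bytes "$1" | awk '
        p2 == "ff" && p1 == "d8" && $1 == "ff" { print NR - 3; found = 1; exit }
        { p2 = p1; p1 = $1 }
        END { if (!found) exit 1 }'
}

# Offset just past the first ff d9 that follows START (exclusive end).
# Caveat: ff d9 can occur inside compressed scan data; a real carver would
# also parse the marker segments rather than stop at the first candidate.
jpeg_end() {  # jpeg_end FILE START
    hex_bytes "$1" | awk -v start="$2" '
        NR - 1 > start + 1 && p1 == "ff" && $1 == "d9" { print NR; found = 1; exit }
        { p1 = $1 }
        END { if (!found) exit 1 }'
}

# Carve the first JPEG from RAW into OUT; prints "start length".
carve_jpeg() {  # carve_jpeg RAW OUT
    start=$(jpeg_start "$1") || return 1
    end=$(jpeg_end "$1" "$start") || return 1
    len=$(( end - start ))
    # skip= offset into the chunk, bs=1 so skip/count are in bytes, count= length
    dd if="$1" of="$2" bs=1 skip="$start" count="$len" 2>/dev/null
    echo "$start $len"
}

# Constructed 28-byte stand-in for a JPEG: SOI, APP0 marker and JFIF header
# bytes, filler in place of scan data, then EOI.
sample_jpeg() {
    printf '\377\330\377\340\000\020JFIF\000\001fake-scan-data\377\331'
}

# Constructed raw chunk: 16 bytes of junk, the fake JPEG at offset 16, 8 bytes of junk.
write_sample_raw() {  # write_sample_raw PATH
    { printf 'AAAAAAAAAAAAAAAA'; sample_jpeg; printf 'ZZZZZZZZ'; } > "$1"
}

# Demo run.
work=$(mktemp -d)
write_sample_raw "$work/image_carve.raw"
echo "carved (start length): $(carve_jpeg "$work/image_carve.raw" "$work/carv.jpg")"
od -An -tx1 "$work/carv.jpg" | head -n 1
```

On the post's own numbers the same functions would print 21156 and 6610, because jpeg_start reports the marker byte itself rather than the start of the xxd line.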
The libewf tools and detailed project information can be found at:
https://www.uitwisselplatform.nl/projects/libewf/
We will cover the following tools briefly here:
ewfinfo
ewfverify
ewfexport
ewfacquire
ewfacquirestream
ewfinfo
root@bt:~/evid# ewfinfo ntfs_pract.E01
ewfverify
root@bt:~/evid# ewfverify ntfs_pract.E01
ewfexport
root@bt:~/evid# ewfexport ntfs_pract.E01 | md5sum
root@bt:~/evid# ewfexport -t ntfs_image.dd ntfs_pract.E01
root@bt:~/evid# md5sum ntfs_image.dd
d3c4659e4195c6df1da3afdbdc0dce8f  ntfs_image.dd
ewfacquire
root@bt:~/evid# ewfacquire /dev/sdc
Acquiry parameters required, please provide the necessary input
Image path and filename without extension: /root/ntfs_ewf
Case number: 111-222
Description: Removable media (generic thumdrive)
Evidence number: 1
Examiner name: Umar Alfaruq
Notes: Seized from subject
Media type (fixed, removable, optical, memory) [removable]: removable disk
Selected option not supported, please try again or terminate using Ctrl^C.
Media type (fixed, removable, optical, memory) [removable]: removable
Media characteristics (logical, physical) [logical]: physical
Use compression (none, empty-block, fast, best) [none]: fast
Use EWF file format (ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, linen5, linen6, ewfx) [encase6]: encase5
Start to acquire at offset (0 >= value >= 4040748544) [0]:
The amount of bytes to acquire (0 >= value >= 4040748544) [4040748544]:
Evidence segment file size in bytes (1.0 MiB >= value >= 1.9 GiB) [1.4 GiB]:
The amount of bytes per sector (0 >= value >= 4294967295) [512]:
The amount of sectors to read at once (64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768) [64]:
The amount of sectors to be used as error granularity (1 >= value >= 64) [64]:
The amount of retries when a read error occurs (0 >= value >= 255) [2]:
Wipe sectors on read error (mimic EnCase like behavior) (yes, no) [no]: yes
Monday, 17 February 2014
Basic Computer Forensic Commands
Tools for forensic data
1. dd
resource: http://www.forensicswiki.org/wiki/Dd
A forensic tool to copy data into an image file, keeping the data unchanged (properties like timestamps and others are preserved)
Usage: dd [OPERAND]...
or: dd OPTION
The basic dd syntax is as follows:
# dd if= of= bs=
("if" being "input file" and "of" meaning "output file").
wiped and formatted drive, like this:
# dd if=/dev/ of=/dev/ bs=512 conv=noerror,sync
You can write the output to a file:
# dd if=/dev/ of=/home/user/linux_image.dd bs=512 conv=noerror,sync
root@bt:~/evid# dd if=/dev/fd0 of=image.disk1 bs=512
In Linux, the blocksize value can have a multiplicative suffix:
c = 1, w = 2, b = 512, kB = 1000, K = 1024, MB = 1000*1000, M = 1024*1024, GB = 1000*1000*1000, G = 1024*1024*1024, and so on for T, P, E, Z, Y.
2. libewf
resource: http://code.google.com/p/libewf/wiki/Mounting
libewf is a library to access the Expert Witness Compression Format (EWF).
- mkdir /mnt/ewfimage
- mounting: ewfmount image.E01 /mnt/ewfimage/
This will create the following device file: /mnt/ewfimage/ewf1
Unmount: umount /mnt/ewfimage/
Or with fusermount: fusermount -u /mnt/ewfimage/
3. sleuthkit
resource: http://www.sleuthkit.org/
A library, framework, and set of command line tools to analyze disk images.
- Its command line forensic tools can be used to analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, HFS+, Ext3, and UFS) and several volume system types. For a graphical interface you can use Autopsy.
root@bt:~# icat -h
Missing image name and/or address
usage: icat [-hrRsvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images] inum[-typ[-id]]
-h: Do not display holes in sparse files
-r: Recover deleted file
-R: Recover deleted file and suppress recovery errors
-s: Display slack space at end of file
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-v: verbose to stderr
-V: Print version
http://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview
http://wiki.sleuthkit.org/index.php?title=FS_Analysis
4. Autopsy
A graphical interface to the Sleuth Kit and other digital forensics tools.
Introduction to Computer / Digital Forensics: practical_floppy.dd
To conduct computer forensics there are 5 phases / procedures:
1. Identification
2. Preservation: preserving the evidence, physical chain of custody and labelling of exhibits
3. Examination / Collecting
4. Analysis (chain of custody, analysis, collecting, reconstruction)
5. Presentation: report and conclusion.
There are two types of data:
1. Volatile: data that is lost when the computer is off, e.g. data in RAM
2. Non-volatile: data that is not lost when the computer is off, e.g. data on HDD, FDD, etc.
Tools for digital forensics
on Linux:
- TSK (The Sleuth Kit)
- libewf
- AFF
- dd, to clone a device
- Volatility, to analyse RAM memory
- PTK, cal
- Xplico, for network forensics
- etc.
Practice, for example..
resources: The Law Enforcement and Forensic Examiner's Introduction to Linux
1. Analysis organization
Forensic analysis of practical_floppy.dd
The practice floppy (in raw image format from a simple dd) for the following exercise is available at:
http://www.LinuxLEO.com/Files/practical.floppy.dd
Once you have downloaded the floppy image, let's analyze it:
- Create /dev/fd0 using touch, because BackTrack does not have it yet
- Create a directory in your "home" directory for evidence and then a subdirectory for different cases
The tilde (~) in front of the directory name is shorthand for "home directory". Note that if you are already in your home directory, then you don't need to type ~/. Simply using mkdir evid will work just fine. So the output files that we create and the images we make will be found under /root/evid/.
- Create a special mount point for all subject file system analysis
root@bt:~# mkdir /mnt/analysis
Determining the structure of the disk
First, fdisk, which we discussed earlier using the -l option. Replace the "x" with the letter of the drive that corresponds to the subject drive. For example, if our subject disk is attached on the secondary IDE channel as the master disk, it will be seen as /dev/hdc. A Serial ATA (SATA) disk will be /dev/sda (or sdb, etc.). We can get the partition information on that disk with:
Check with fdisk -l
Get information on a SATA disk: ~# fdisk -l /dev/sda
We can redirect the output of this command to a file for later use by issuing the command as:
root@bt:~# fdisk -l /dev/sb1 > ~/evid/fdisk.disk1
Creating a forensic image of the suspect disk
- Make an image of the practice disk using basic dd, after changing directory to evid
root@bt:~/evid# dd if=/dev/fd0 of=image.disk1 bs=512
/dev/fd0 : the floppy device
if : input file
of=image.disk1 : output file called image.disk1 in the current directory (~/evid)
bs=512 : block size of 512 bytes
- For the sake of safety and practice, change the read-write permissions of your image to read-only (you can give it mode 400 if you are really picky)
Mounting a restored image
root@bt:~/evid# mount -t vfat -o ro,noexec /dev/fd0 /mnt/analysis/ -o loop
-o specifies the options:
ro : read-only
noexec : prevents the execution of binaries from the mount point
Be sure to unmount when finished:
root@bt:~/evid# umount /mnt/analysis/
File Hash
You can use a SHA or MD5 hash.
root@bt:~/evid# md5sum /dev/fd0
Hash /dev/fd0 and write the result to the file md5.disk1 by typing:
root@bt:~/evid# md5sum /dev/fd0 > md5.disk1
- We can get a hash of each file on the disk using the find command and an option that allows us to execute a command on each file found
- Mount the image
root@bt:~/evid# mount -t vfat -o ro,noexec,noatime,loop image.disk1 /mnt/analysis
root@bt:~/evid# cd /mnt/analysis
-t : file system type (vfat here)
ro : read-only
noexec : prevents the execution of binaries from the mount point
noatime : do not update file access times on the mounted file system
loop : mount the image file through a loop device
- Once we are in the /mnt/analysis directory we can now run a command that will find all the regular files on the file system at that mount point and run a hash on all those files:
root@bt:/mnt/analysis# find . -type f -exec md5sum {} \; > ~/evid/md5.filelist
find : the command
"." : the current directory, the starting point of the search
-type f : only regular files
-exec : execute a command on each file found
md5sum {} : hash every file found with md5; {} is replaced by the file name
> : redirect the output to
md5.filelist : the name of the output file
~/evid/ : the directory where we store all our evidence files
- Have a look at the hashes by using the cat command to stream the file to
standard output
root@bt:/mnt/analysis# cat /root/evid/md5.filelist
- To verify that nothing has been changed on the original floppy, you can use the -c option
root@bt:/mnt/analysis# md5sum -c /root/evid/md5.disk1
root@bt:/mnt/analysis# md5sum -c /root/evid/md5.filelist
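The hash list is only worth something if you check it later and can tell which file changed. The shell below is an added example and not part of the original post: it builds a constructed directory tree standing in for /mnt/analysis, produces md5.filelist with the same find -exec md5sum pipeline, verifies it with md5sum -c, and reports the file that fails after one is modified. Function names (make_sample_tree, hash_tree, verify_tree) and the sample files are hypothetical; no mount or root is needed.

```shell
#!/bin/sh
# Added example (not from the original post): hash every regular file under a
# mount point with find -exec md5sum, verify the list with md5sum -c, and show
# which file no longer matches. /mnt/analysis is replaced by a constructed
# directory tree. Function names are hypothetical.

make_sample_tree() {   # make_sample_tree DIR : a small stand-in for the mounted floppy
    mkdir -p "$1/Docs" "$1/Pics"
    printf 'quarterly numbers\n'  > "$1/Docs/report.txt"
    printf 'not really a jpeg\n'   > "$1/Pics/photo.jpg"
    printf 'MZ fake executable\n' > "$1/ARP.EXE"
}

# hash_tree DIR LISTFILE : one "md5  ./path" line per regular file under DIR.
# Paths are relative to DIR, as in the post, so the list can be checked later
# from the same mount point whatever the image is mounted as.
hash_tree() {
    ( cd "$1" && find . -type f -exec md5sum {} \; | sort -k2 ) > "$2"
}

# verify_tree DIR LISTFILE : exit 0 if every listed hash still matches;
# otherwise print the names of the files that failed and exit non-zero.
# LISTFILE must be an absolute path because the check runs inside DIR.
verify_tree() {
    ( cd "$1" && md5sum -c "$2" ) > "$2.check" 2>/dev/null
    status=$?
    sed -n 's/: FAILED.*$//p' "$2.check"
    return $status
}

# Demo: hash, verify, tamper with one file, verify again.
work=$(mktemp -d)
make_sample_tree "$work/analysis"
hash_tree "$work/analysis" "$work/md5.filelist"
echo "$(wc -l < "$work/md5.filelist") files hashed"
verify_tree "$work/analysis" "$work/md5.filelist" && echo "all files unchanged"
printf 'an extra line\n' >> "$work/analysis/Docs/report.txt"
echo "changed files after tampering:"
verify_tree "$work/analysis" "$work/md5.filelist" || true
```

On a real case the tree is mounted read-only, so a FAILED line means the list was taken from different media, or the image was changed between hashing and checking; either way the chain of custody has a gap to explain.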
The Analysis
- Mount the image at /mnt/analysis
- Use ls -al
root@bt:/mnt/analysis# ls -al
This will show all the hidden files (-a), give the list in long format to
identify permission, date, etc. (-l). You can also use the –R option to list
recursively through directories. You might want to pipe that through less.
root@bt:/mnt/analysis# ls -alR | less
Making a List of All Files
- For example,you could use the –i option to include the inode (file “serial number”) in the list, the –u option can be used so that the output will include and sort by access time (when used with the –t option).
root@bt:/mnt/analysis# ls -aliRtu > ~/evid/access_file.list
- using the find command and redirecting the output to another list file:
root@bt:/mnt/analysis# find . -type f > ~/evid/file.list.2
- There is also the tree command,
Now use the grep command on either of lists created by the first two
commands above for whatever strings or extensions you want to look for.
-i : case insensitive
jpg : the string to search for, here to find JPG files
Making a List of File Types
file filename
root@bt:/mnt/analysis# find . -type f -exec file {} \; > ~/evid/filetype.list
root@bt:/mnt/analysis# cat ~/evid/filetype.list
root@bt:/mnt/analysis# grep image ~/evid/filetype.list
Viewing Files
For text files and data files, you might want to use cat, more or less to
view the contents.
cat filename
more filename
less filename
Perhaps a better alternative for viewing unknown files would be to use
the strings command.
strings filename | less
root@bt:/mnt/analysis# ls
ARP.EXE Docs FTP.EXE loveletter.virus ouchy.dat Pics snoof.gz
root@bt:/mnt/analysis# strings arp.exe | less
this screenshot is not complete..
Once you are finished exploring, be sure to unmount the floppy
Searching Unallocated and Slack Space for Text
Now let’s go back to the original image.
First, change back to the directory in which you created the image, whether it was the root’s home directory, or a special one you created.
root@bt:~# cd evid/
root@bt:~/evid#
Use the grep command to search the image for any instance of an expression or pattern.
grep -options <pattern> <file-to-search>
root@bt:~/evid# nano searchlist.txt
root@bt:~/evid# grep -abif searchlist.txt image.disk1 > hits.txt
root@bt:~/evid# cat hits.txt
root@bt:~/evid# xxd -s 75441 image.disk1 | less
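The offset that grep -b writes into hits.txt is the start of the "line" containing the hit, which in unallocated space is wherever the previous newline byte happened to be, not the keyword itself. The shell below is an added example and not part of the original post: it constructs an image with a "deleted" note buried among NUL bytes at a known offset, searches it with grep -abif exactly as above, and contrasts that line offset with the exact match offset that -o gives, which is the number to feed to xxd -s. Function names and sample data are constructed; hexdump_at uses dd and od because xxd may not be installed.

```shell
#!/bin/sh
# Added example (not from the original post): keyword search of a raw image
# with grep -abif, reading back the byte offsets of the hits and dumping the
# bytes around one. image.disk1 is a constructed file here; names hypothetical.

# Constructed image: 2000 NULs, a newline, 999 NULs, a 36-byte note at offset
# 3000 ending in a newline, then 1000 more NULs (4037 bytes in total).
make_sample_image() {  # make_sample_image PATH
    {
        head -c 2000 /dev/zero
        printf '\n'
        head -c 999 /dev/zero
        printf 'Deleted note: secret meeting at noon\n'
        head -c 1000 /dev/zero
    } > "$1"
}

make_searchlist() {    # make_searchlist PATH : one keyword per line, like searchlist.txt
    printf '%s\n' password SECRET > "$1"
}

# search_image IMAGE SEARCHLIST HITS : the post's command. -a treats the image
# as text, -b prefixes the byte offset of the line, -i ignores case, -f reads
# the patterns from the list.
search_image() {
    grep -abif "$2" "$1" > "$3"
}

hit_line_offsets() {   # hit_line_offsets HITS : just the offsets, one per hit line
    cut -d: -f1 "$1"
}

# match_offsets IMAGE SEARCHLIST : "offset:matched-text" per keyword occurrence.
# With -o, -b reports the offset of the match itself rather than of the line.
match_offsets() {
    grep -o -b -a -i -f "$2" "$1"
}

bytes_at() {           # bytes_at IMAGE OFFSET LENGTH : raw bytes from OFFSET
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

hexdump_at() {         # hexdump_at IMAGE OFFSET [LENGTH] : stand-in for xxd -s OFFSET
    bytes_at "$1" "$2" "${3:-64}" | od -An -c
}

# Demo run.
work=$(mktemp -d)
make_sample_image "$work/image.disk1"
make_searchlist "$work/searchlist.txt"
search_image "$work/image.disk1" "$work/searchlist.txt" "$work/hits.txt"
echo "line offsets from hits.txt: $(hit_line_offsets "$work/hits.txt")"
echo "exact match offsets:"
match_offsets "$work/image.disk1" "$work/searchlist.txt"
echo "bytes at the match:"
hexdump_at "$work/image.disk1" 3014 22
```

In the constructed image the line offset is 2001 while the keyword is at 3014, a gap of a kilobyte of NULs; on a real floppy image the gap can be anything up to the distance to the previous newline in slack or unallocated space, so go to the -o offset when you open the hit in xxd.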