These are course notes for CYBER502x Computer Forensics, part of RIT's cybersecurity course series on edx.org.
Unit 1: Computer Forensics Fundamentals
Working with Evidence:
- Acquire the evidence
- Authenticate the evidence
- Analyze the evidence
- Present the evidence
Acquire volatile data
Network Interface
- Windows: ipconfig /all > myWindowsNetworkSettings.txt
- Linux: ifconfig -a > myUnixNetworkSettings
Bit stream copy
cp, tar, cpio, and dump/restore only copy file contents, stopping at the end-of-file marker.
A bit stream copy copies every bit on the drive, including deleted data and unallocated space. Both dd and FTK Imager are well-known forensic imaging tools.
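The difference between a logical copy and a bit stream copy, and the acquire/authenticate/analyze steps above, as an added example that is not part of the original notes or of any tool they mention. It builds a constructed toy "drive" (16-byte sectors, a dictionary as the allocation table, names like notes.txt and secret.txt are made up), deletes one file by dropping only its table entry, and then shows that a cp-style copy never sees the deleted content while a dd/FTK-style byte-for-byte image does; SHA-256 of source and image plays the authenticate step:

```python
import hashlib

# Toy disk geometry (constructed for this example, not a real file system).
SECTOR_SIZE = 16
SECTOR_COUNT = 8


def build_evidence_disk():
    """Construct a small 'drive' with one live file and one deleted file.

    Deleting a file in most file systems only drops its directory/allocation
    entry; the sectors that held its content are marked free but not wiped.
    """
    disk = bytearray(SECTOR_SIZE * SECTOR_COUNT)
    table = {}  # file name -> list of sector numbers (toy allocation table)

    def write_file(name, data, sectors):
        for i, sector in enumerate(sectors):
            chunk = data[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
            chunk = chunk.ljust(SECTOR_SIZE, b"\x00")
            disk[sector * SECTOR_SIZE:(sector + 1) * SECTOR_SIZE] = chunk
        table[name] = sectors

    write_file("notes.txt", b"meeting at noon", [1])
    write_file("secret.txt", b"transfer code 4711", [2, 3])
    del table["secret.txt"]  # "delete": entry gone, sectors 2-3 untouched
    return bytes(disk), table


def logical_copy(disk, table):
    """cp/tar/cpio-style copy: follows the allocation table and stops at EOF,
    so deleted files and unallocated space never reach the copy."""
    files = {}
    for name, sectors in table.items():
        raw = b"".join(disk[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE] for s in sectors)
        files[name] = raw.rstrip(b"\x00")
    return files


def bit_stream_copy(disk):
    """dd/FTK Imager-style acquisition: every byte of the drive, allocated or not."""
    return bytes(disk)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def authenticate(source, image):
    """Authenticate step: the image is a faithful copy only if the hashes match."""
    return sha256_hex(source) == sha256_hex(image)


def unallocated_space(image, table):
    """Analysis step: gather the sectors that no live file claims."""
    used = {s for sectors in table.values() for s in sectors}
    free = [s for s in range(SECTOR_COUNT) if s not in used]
    return b"".join(image[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE] for s in free)


def contains(blob, needle):
    """Simple keyword search, the most basic form of carving."""
    return blob.find(needle) != -1


if __name__ == "__main__":
    disk, table = build_evidence_disk()
    image = bit_stream_copy(disk)
    print("image authenticated:", authenticate(disk, image))
    print("logical copy sees:", sorted(logical_copy(disk, table)))
    print("deleted text in unallocated space:",
          contains(unallocated_space(image, table), b"transfer code 4711"))
```

The image hash is what goes into the chain-of-custody record; any later change to the image, even a single byte, breaks authenticate() and so breaks the link between what was seized and what was analyzed.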
FTK
In this example, FTK Imager is used to make a bit stream copy (a forensic image) of the USB drive's contents.