Now run the command below.
The command above uses dd to copy the downloaded file to the output device; in this case the output device I use is a flash disk.
Next, we will create a directory in the home directory.
after doing this command
This command is another way to separate normal system use from the processing of evidence.
Determining the structure of the disk
Next, we will look at the information on the partition that will be used, in this case sda.
Follow the instructions below.
We can redirect the output of this command to a file for later use by
issuing the command as:
Creating a forensic image of the suspect disk
The 444 gives all users read-only access. If you are real picky, you could use 400. Note that the owner of the file is the user that created it.
Now that you have created an image file, you can restore the image to another disk if you are interested in a “clone” of the original disk. Put another (blank) floppy in and type:
The above command takes sdd1 (the flash disk we prepared earlier) as the input file and writes the output file, named image.disk1, to the directory /home/evid.
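The imaging and chmod 444 steps described above, as an added example that is not code from the original post. It goes one step further than the text by hashing source and image with SHA-256 so the copy can be shown to be bit-identical. The function names and the `.sha256`/`.log` sidecar files are hypothetical, and `/dev/sdd1` is assumed to be the device node for the sdd1 partition mentioned here.

```bash
#!/bin/bash
# Added example (not from the original post): image a source with dd,
# prove the copy is bit-identical, then lock it down with chmod 444.

# acquire_image SRC EVID_DIR NAME -> prints the SHA-256 of the verified image
acquire_image() {
    src=$1; evid_dir=$2; name=$3
    img="$evid_dir/$name"
    mkdir -p "$evid_dir" || return 1
    # Never overwrite an existing evidence file.
    if [ -e "$img" ]; then
        echo "refusing to overwrite $img" >&2
        return 1
    fi
    # Hash the source first, then copy it; dd's statistics go to a log.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1) || return 1
    dd if="$src" of="$img" bs=4096 2>"$img.log" || return 1
    img_hash=$(sha256sum "$img" | cut -d' ' -f1) || return 1
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: image differs from source" >&2
        return 1
    fi
    # Record the hash next to the image, then make everything read-only.
    printf '%s  %s\n' "$img_hash" "$name" > "$img.sha256"
    chmod 444 "$img" "$img.sha256" "$img.log"
    echo "$img_hash"
}

# verify_image EVID_DIR NAME -> exit status 0 only if the image still matches
verify_image() {
    ( cd "$1" && sha256sum -c "$2.sha256" >/dev/null 2>&1 )
}

# Real use with the names from this page (needs read access to the device):
#   acquire_image /dev/sdd1 /home/evid image.disk1
# Demo on a constructed 64 KiB file standing in for the flash disk:
demo_dir=$(mktemp -d)
head -c 65536 /dev/urandom > "$demo_dir/fake_sdd1"
acquire_image "$demo_dir/fake_sdd1" "$demo_dir/evid" image.disk1
verify_image "$demo_dir/evid" image.disk1 && echo "image verified"
rm -rf "$demo_dir"
```

Re-run `verify_image` before and after every analysis session; a non-zero exit status means the image no longer matches the hash recorded at acquisition.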
Mounting a restored image
The above command will mount the file on sdd1.
The “-o ro,noexec” specifies the options ro (read-only) and noexec (prevents the execution of binaries from the mount point) in order to protect the disk from you, and your system (and mount point) from the contents of the disk. There are other useful mount options as well, such as noatime. See man mount for more details.
Mounting the image using the loopback device
mount the file system within the image file, and we specify a disk (partition)
image rather than a disk device. Change to the directory where you created the
image and type:
To be continued...