xmount挂载e01格式磁盘文件
xmount --in ewf --out vdi --cache ./Disk.cache ./PLEXTOR\ PX-128M5Pro.e01 ./mnt/
输出的vdi格式文件可以通过virtualbox 还原
- --out vdi 为输出镜像格式
- ./Disk.cache ./****.e01 为检材文件格式,有关更多E01格式可参考
- ./mnt 为目标挂在卷,输出的vdi格式镜像将会被挂载到此目录下
bulk_extractor内存取证
bulk_extractor -o ./out DESKTOP-D7AP30M-20200605-082800.raw
获取url访问历史、电话号码、email等信息并输出到./out目录下
有关bulk_extractor详细用法可参考
volatility 内存取证
volatility文档command
volatility -f DESKTOP-D7AP30M-20200605-082800.raw imageinfo #获取镜像信息 volatility -f DESKTOP-D7AP30M-20200605-082800.raw --profile=Win10x64_17134 pslist #列出进程 volatility -f DESKTOP-D7AP30M-20200605-082800.raw --profile=Win10x64_14393 truecryptsummary #列出加密摘要
url_decode
python有url转中文字符的库
# coding:utf-8 import urllib.parse with open('url_keyword.txt') as f: result = f.read() print(urllib.parse.unquote(result))