Archiver of the EvilOctal Security Team technical discussion group

冰血封情 2004-8-25 23:25

[Repost] CDR Forensics on Linux

Source: Linux Forensics of CDR

Recordable optical media (CDR, CDRW) can carry useful evidence. Three useful tools are introduced below.

1. readcd
The readcd program is part of the cdrecord (cdrtools) package and is usually present on Linux. Its -fulltoc option dumps the raw table of contents, which shows the disc's session layout (here three sessions) rather than only the session a normal mount exposes.
[mshannon@silentpower mshannon]$ readcd dev=0,0,0 -fulltoc
Read speed: 9152 kB/s (CD 52x, DVD 6x).
Write speed: 9152 kB/s (CD 52x, DVD 6x).
TOC len: 169. First Session: 1 Last Session: 3.
01 14 00 A0 00 00 00 00 01 00 00
01 14 00 A1 00 00 00 00 01 00 00
01 14 00 A2 00 00 00 00 00 0A 00
01 14 00 01 00 00 00 00 00 02 00
01 54 00 B0 02 28 00 02 4F 3B 47
01 54 00 C0 A0 00 30 00 61 1A 42
02 14 00 A0 00 00 00 00 02 00 00
02 14 00 A1 00 00 00 00 02 00 00
02 14 00 A2 00 00 00 00 08 1D 37
02 14 00 02 00 00 00 00 02 2A 00
02 54 00 B0 09 3B 37 01 4F 3B 47
03 14 00 A0 00 00 00 00 03 00 00
03 14 00 A1 00 00 00 00 03 00 00
03 14 00 A2 00 00 00 00 0A 09 37
03 14 00 03 00 00 00 00 0A 01 37
Lead out 1: 600
Lead out 2: 38080
Lead out 3: 45580
[mshannon@silentpower mshannon]$
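The hex rows above are the raw MMC "full TOC" response, one 11-byte entry per line. The following decoder is an added example, not part of the original post: it parses those rows (copied verbatim as the sample input), converts the MSF positions to logical block addresses, and recovers per-session first/last track, track start and lead-out, so the three "Lead out" values readcd prints can be verified independently.

```python
"""Decode the raw rows that `readcd -fulltoc` prints (the MMC 'full TOC'
response, format 0010b). Added example, not part of the original post; the
sample rows below are copied from the readcd run above. Each row is:
session, ADR/CTRL, TNO, POINT, Min, Sec, Frame, Zero, PMin, PSec, PFrame."""
from __future__ import annotations
from dataclasses import dataclass

# Sample input: the 15 TOC rows from the readcd output above (copied, not constructed).
SAMPLE_TOC = """\
01 14 00 A0 00 00 00 00 01 00 00
01 14 00 A1 00 00 00 00 01 00 00
01 14 00 A2 00 00 00 00 00 0A 00
01 14 00 01 00 00 00 00 00 02 00
01 54 00 B0 02 28 00 02 4F 3B 47
01 54 00 C0 A0 00 30 00 61 1A 42
02 14 00 A0 00 00 00 00 02 00 00
02 14 00 A1 00 00 00 00 02 00 00
02 14 00 A2 00 00 00 00 08 1D 37
02 14 00 02 00 00 00 00 02 2A 00
02 54 00 B0 09 3B 37 01 4F 3B 47
03 14 00 A0 00 00 00 00 03 00 00
03 14 00 A1 00 00 00 00 03 00 00
03 14 00 A2 00 00 00 00 0A 09 37
03 14 00 03 00 00 00 00 0A 01 37
"""


@dataclass
class TocEntry:
    session: int
    adr: int      # high nibble of byte 1: 1 = position info, 5 = multisession/ATIP info
    ctrl: int     # low nibble of byte 1: bit 2 set means data track
    point: int    # track number, or A0/A1/A2 (first track / last track / lead-out)
    pmin: int
    psec: int
    pframe: int

    @property
    def lba(self) -> int:
        # Red Book MSF to LBA: 75 frames per second, minus the 150-frame (2 s) pregap offset
        return (self.pmin * 60 + self.psec) * 75 + self.pframe - 150


def parse_fulltoc(text: str) -> list[TocEntry]:
    """Keep only the 11-byte hex rows; readcd's banner and 'Lead out' lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 11:
            continue
        try:
            b = [int(f, 16) for f in fields]
        except ValueError:
            continue
        entries.append(TocEntry(session=b[0], adr=b[1] >> 4, ctrl=b[1] & 0xF,
                                point=b[3], pmin=b[8], psec=b[9], pframe=b[10]))
    return entries


def summarize(entries: list[TocEntry]) -> dict:
    """Per session: first/last track number, lead-out LBA and each track's start LBA."""
    sessions: dict = {}
    for e in entries:
        s = sessions.setdefault(e.session, {"first_track": None, "last_track": None,
                                            "leadout": None, "tracks": {}})
        if e.adr != 1:
            continue   # ADR 5 rows (B0, C0) describe the writable area, not track positions
        if e.point == 0xA0:
            s["first_track"] = e.pmin       # PMIN holds a track number here, not minutes
        elif e.point == 0xA1:
            s["last_track"] = e.pmin
        elif e.point == 0xA2:
            s["leadout"] = e.lba
        elif 1 <= e.point <= 99:
            s["tracks"][e.point] = {"start": e.lba, "data": bool(e.ctrl & 0x4)}
    return sessions


def session_lengths(sessions: dict) -> dict:
    """Sectors from the first track start to the lead-out, per session.
    Session 1 here is 600 sectors, the same figure isoinfo prints as 'Volume size is: 600'."""
    out = {}
    for n, s in sessions.items():
        if s["leadout"] is None or not s["tracks"]:
            continue
        first_start = min(t["start"] for t in s["tracks"].values())
        out[n] = s["leadout"] - first_start
    return out


if __name__ == "__main__":
    summary = summarize(parse_fulltoc(SAMPLE_TOC))
    for n in sorted(summary):
        s = summary[n]
        print(f"session {n}: tracks {s['first_track']}-{s['last_track']}, "
              f"lead-out LBA {s['leadout']}, track starts {s['tracks']}")
    print("session lengths (sectors):", session_lengths(summary))
```

Decoded, the three lead-outs come out as 600, 38080 and 45580, matching readcd's summary lines, and the track starts are 0, 12000 and 44980. The gaps between a session's lead-out and the next track start (11400 and 6900 sectors) are exactly the Orange Book multisession overhead (6750-sector first lead-out or 2250-sector later lead-out, plus a 4500-sector lead-in and a 150-sector pregap), which is a quick way to confirm that the sessions are contiguous and the TOC has not been mis-read.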

2. isoinfo
The isoinfo program is also part of the cdrecord (cdrtools) package and is usually present on Linux. With -d it prints the ISO 9660 primary volume descriptor: volume name, the application that wrote the disc, logical block size and volume size.
[mshannon@silentpower mshannon]$ isoinfo -d -i=/dev/cdrom
CD-ROM is in ISO 9660 format
System id:
Volume id: DISK1
Volume set id:
Publisher id:
Data preparer id:
Application id: NERO___BURNING_ROM
Copyright File id:
Abstract File id:
Bibliographic File id:
Volume set size is: 1
Volume set sequence number is: 1
Logical block size is: 2048
Volume size is: 600
Joliet with UCS level 3 found
NO Rock Ridge present
[mshannon@silentpower mshannon]$

3. CDFS
CDFS is a Linux filesystem that exposes each session of a CDR as a separate image so it can be examined on its own. CDFS can be downloaded from http://www.elis.rug.ac.be/~ronsse/cdfs/.
[root@silentpower mnt]# mount /dev/cdrom /mnt/cdrom/
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@silentpower mnt]# cd cdrom
[root@silentpower cdrom]# ls
TechnicalConsultingResume_JGP.doc
[root@silentpower cdrom]# cd ..
[root@silentpower mnt]# umount /mnt/cdrom
[root@silentpower mnt]# mount -t cdfs /dev/cdrom /mnt/cdfs
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@silentpower mnt]# cd cdfs
[root@silentpower cdfs]# ls
3.1.Apple_partition_map sessions_1-1.iso sessions_1-3.iso
3.2.Apple_HFS sessions_1-2.iso sessions_1-4.iso
[root@silentpower cdfs]# mkdir /mnt/loop1
[root@silentpower cdfs]# mount -o loop sessions_1-1.iso /mnt/loop1
[root@silentpower cdfs]# cd /mnt/loop1/
[root@silentpower loop1]# ls
DP-Mig-1.xls EGL.xls misc9-11-00.xls
EGL_New.xls july-results.xls WG-audit.xls
[root@silentpower loop1]#
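A session image exposed by CDFS (sessions_1-1.iso above) is an ordinary ISO 9660 image, so the descriptor fields that isoinfo -d prints in section 2 can be read straight from it without mounting. The parser below is an added example, not code from the original post or from cdrtools: it reads the primary volume descriptor at sector 16, checks that the little-endian and big-endian copies of every numeric field agree (a mismatch points to corruption or editing), and compares the declared volume size with the bytes actually present. The sample image is constructed in memory with fields mirroring the isoinfo output above; the timestamp in it is made up.

```python
"""Read the ISO 9660 Primary Volume Descriptor (PVD) that `isoinfo -d` reports,
straight from a track or session image: the PVD is the 2048-byte sector at
logical sector 16. Added example, not from the original post; it works on any
ISO 9660 image, including the sessions_1-N.iso files CDFS exposes above.
Field offsets follow ECMA-119 (section 8.4); the sample image is constructed."""
import struct

SECTOR = 2048
PVD_OFFSET = 16 * SECTOR


def parse_pvd(image: bytes) -> dict:
    d = image[PVD_OFFSET:PVD_OFFSET + SECTOR]
    if len(d) < SECTOR or d[0] != 1 or d[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")

    def text(off: int, n: int) -> str:
        return d[off:off + n].decode("ascii", "replace").rstrip(" \x00")

    def both_endian_32(off: int):
        # ISO 9660 stores numbers twice: little-endian, then big-endian. Both copies must agree.
        return struct.unpack_from("<I", d, off)[0], struct.unpack_from(">I", d, off + 4)[0]

    def both_endian_16(off: int):
        return struct.unpack_from("<H", d, off)[0], struct.unpack_from(">H", d, off + 2)[0]

    space_le, space_be = both_endian_32(80)
    setsize_le, setsize_be = both_endian_16(120)
    seq_le, seq_be = both_endian_16(124)
    blk_le, blk_be = both_endian_16(128)
    consistent = (space_le == space_be and setsize_le == setsize_be
                  and seq_le == seq_be and blk_le == blk_be)
    return {
        "system_id": text(8, 32),
        "volume_id": text(40, 32),
        "volume_space_size": space_le,
        "volume_set_size": setsize_le,
        "volume_sequence_number": seq_le,
        "logical_block_size": blk_le,
        "volume_set_id": text(190, 128),
        "publisher_id": text(318, 128),
        "data_preparer_id": text(446, 128),
        "application_id": text(574, 128),
        "copyright_file_id": text(702, 37),
        "abstract_file_id": text(739, 37),
        "bibliographic_file_id": text(776, 37),
        "creation_date": text(813, 16),   # YYYYMMDDHHMMSScc; the byte after it is the GMT offset
        "both_endian_consistent": consistent,
    }


def check_image_size(image: bytes) -> dict:
    """Compare the size the PVD claims against the bytes actually present in the image."""
    pvd = parse_pvd(image)
    expected = pvd["volume_space_size"] * pvd["logical_block_size"]
    actual = len(image)
    verdict = "ok" if actual == expected else ("truncated" if actual < expected else "trailing data")
    return {"expected_bytes": expected, "actual_bytes": actual, "verdict": verdict}


def build_sample_image() -> bytes:
    """Constructed sample: 16 empty system-area sectors followed by a PVD whose
    fields mirror the isoinfo output above (volume id DISK1, 600 blocks of 2048)."""
    d = bytearray(SECTOR)
    d[0] = 1
    d[1:6] = b"CD001"
    d[6] = 1

    def put(off: int, s: str, n: int) -> None:
        d[off:off + n] = s.encode("ascii").ljust(n)

    put(40, "DISK1", 32)
    struct.pack_into("<I", d, 80, 600)
    struct.pack_into(">I", d, 84, 600)
    for off, val in ((120, 1), (124, 1), (128, 2048)):
        struct.pack_into("<H", d, off, val)
        struct.pack_into(">H", d, off + 2, val)
    put(574, "NERO___BURNING_ROM", 128)
    put(813, "2004082523250000", 16)   # constructed timestamp, not taken from any disc
    return bytes(PVD_OFFSET) + bytes(d)


if __name__ == "__main__":
    img = build_sample_image()
    for k, v in parse_pvd(img).items():
        print(f"{k}: {v}")
    print(check_image_size(img))
```

Run against a real session image (open the file in binary mode and pass its bytes), the volume_space_size times logical_block_size should equal the image length; on the disc in section 2 the reported "Volume size is: 600" equals the first session's lead-out from readcd, so the two tools cross-check each other. The creation date and the application, publisher and data preparer strings are often the most useful provenance fields a disc carries.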

© 1999-2008 EvilOctal Security Team