sleuthkit
apt-get install sleuthkit
Autopsy
Autopsy is HTML-based, so you can connect to the Autopsy server from any platform using an HTML browser.
sigfind
Usage
sigfind [-b bsize] [-o offset] [-t template] [-lV] [hex_signature] file
-b bsize: Give block size (default 512)
-o offset: Give offset into block where signature should exist (default 0)
-l: Signature will be little endian in image
-V: Version
-t template: dospart, ext2, ext3, ext4, fat, hfs, hfs+, ntfs, ufs1, ufs2
Example
mkfs.ext4 test.bin
dumpe2fs -h test.bin
Block size: 1024
# ext4: Offset: 0x38, Magic signature: 0xEF53
sigfind -b 1024 -o 56 -l EF53 test.bin
Block size: 1024  Offset: 56  Signature: 53EF
Block: 1 (-)             # xxd -s 0x400 test.bin | less
Block: 8193 (+8192)      # xxd -s 0x800400 test.bin | less  <- hex(8193 * 1024)
Block: 24577 (+16384)    # xxd -s 0x1800400 test.bin | less
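Added example (not part of the original notes or of sleuthkit): a Python sketch of the same search, followed by a check that filters out stray 53EF matches by testing whether each hit's own superblock fields place it at that block. The function names and the sample image are constructed for illustration; the field offsets follow the standard ext superblock layout, and 1 KiB blocks are assumed, as in the test.bin example.

```python
import struct

BSIZE = 1024        # filesystem block size reported by dumpe2fs above
MAGIC_OFF = 0x38    # s_magic offset inside the superblock (56 decimal)

def sigfind(image, sig, bsize=512, offset=0):
    """Block numbers where `sig` sits at `offset` in the block (same search as sigfind)."""
    return [b for b in range(len(image) // bsize)
            if image[b * bsize + offset : b * bsize + offset + len(sig)] == sig]

def parse_superblock(image, blk, bsize=BSIZE):
    """Decode the few fields needed to judge whether a hit is a real ext superblock."""
    sb = image[blk * bsize : blk * bsize + 1024]
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 0x14)
    blocks_per_group, = struct.unpack_from("<I", sb, 0x20)
    magic, = struct.unpack_from("<H", sb, MAGIC_OFF)
    group_nr, = struct.unpack_from("<H", sb, 0x5A)   # group this copy belongs to
    return dict(first_data_block=first_data_block, log_block_size=log_block_size,
                blocks_per_group=blocks_per_group, magic=magic, group_nr=group_nr)

def is_plausible(image, blk, bsize=BSIZE):
    """Keep a hit only if its own fields say a superblock copy lives at this block."""
    f = parse_superblock(image, blk, bsize)
    if f["magic"] != 0xEF53 or f["log_block_size"] > 6 or (1024 << f["log_block_size"]) != bsize:
        return False
    return blk == f["first_data_block"] + f["group_nr"] * f["blocks_per_group"]

def make_sample():
    """Constructed image: superblock copies in groups 0, 1, 3 plus one stray signature."""
    img = bytearray(24578 * BSIZE)
    for grp in (0, 1, 3):
        base = (1 + grp * 8192) * BSIZE
        struct.pack_into("<II", img, base + 0x14, 1, 0)      # first_data_block=1, 1 KiB blocks
        struct.pack_into("<I", img, base + 0x20, 8192)       # blocks_per_group
        struct.pack_into("<H", img, base + MAGIC_OFF, 0xEF53)
        struct.pack_into("<H", img, base + 0x5A, grp)
    img[100 * BSIZE + MAGIC_OFF : 100 * BSIZE + MAGIC_OFF + 2] = b"\x53\xef"  # false positive
    return bytes(img)

if __name__ == "__main__":
    image = make_sample()
    hits = sigfind(image, bytes.fromhex("53EF"), bsize=BSIZE, offset=56)  # -l EF53 -> 53 EF on disk
    for blk in hits:
        print(blk, hex(blk * BSIZE),
              "superblock" if is_plausible(image, blk) else "false positive")
```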