Useless: pyfilesystem2: not suited to disk data recovery (it is an abstraction layer over file systems the OS has already mounted; it does not parse raw disk structures)
pip install fs --trusted-host pypi.tuna.tsinghua.edu.cn
pyfilesystem2 docs (PDF)
Possibly useful?
Example of reading a disk directly from Python
Example of walking the NTFS on-disk structures: nneonneo/ntfsrecover
ntfsrecover.py
Not much use: PabloLec/RecoverPy: Linux only; it takes the shortcut of searching the raw Linux partition (sda1) as a byte stream
PabloLec/RecoverPy
PabloLec/RecoverPy: looks like a complete disk data recovery tool (Python, Linux), but because of the following shortcut it is not much use:
It boils down to: grep -a -b <target string> /dev/sda1
On Linux this command treats the raw partition /dev/sda1 as text (-a) and prints the byte offset of every match (-b), i.e., it is a linear byte-string scan of the block device. There is no equivalent raw-device grep on Windows out of the box, which is presumably why the author says Linux only. Too much of a shortcut; this project is not much use either.
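An added example (my own code, not RecoverPy's and not from the original post) of the same byte-offset scan in plain Python: it reads the device in fixed-size chunks with an overlap, so matches that straddle a chunk boundary are not missed, images larger than RAM are fine, and the only Linux-specific part is the device path. The device path, the chunk size and the planted sample image are constructed for illustration; make_sample_image() exists only so the scan can be exercised offline.

```python
"""Linear byte-string scan of a raw disk image or block device.

Added example, not from RecoverPy or the original post. It reports the
absolute byte offset of every match, like `grep -a -b PATTERN /dev/sda1`,
but reads in chunks with overlap. On Windows the path would be e.g.
r"\\.\PhysicalDrive0" (needs Administrator; raw device reads must be
sector-aligned, which the chunk size and context() below satisfy).
"""
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB per read; assumption: sensible I/O size, multiple of 512/4096


def find_offsets(path, pattern, chunk_size=CHUNK, limit=None):
    """Return absolute byte offsets of every occurrence of `pattern` in the file/device at `path`."""
    if not pattern:
        raise ValueError("pattern must be non-empty")
    overlap = len(pattern) - 1   # carried over so a match spanning two chunks is still found
    found = []
    base = 0                     # absolute offset of buf[0]
    tail = b""
    with open(path, "rb", buffering=0) as fh:
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            buf = tail + data
            i = buf.find(pattern)
            while i != -1:
                found.append(base + i)
                if limit is not None and len(found) >= limit:
                    return found
                i = buf.find(pattern, i + 1)
            # A match cannot fit entirely inside the last `overlap` bytes, so re-scanning
            # them in the next round never reports a duplicate.
            keep = min(overlap, len(buf))
            tail = buf[len(buf) - keep:]
            base += len(buf) - keep
    return found


def context(path, offset, before=16, after=48, sector=512):
    """Bytes around a hit (to eyeball a header/footer before carving).
    The underlying read is sector-aligned so it also works on a Windows raw device."""
    start = max(0, offset - before)
    a_start = start - (start % sector)
    length = (offset - start) + after
    a_len = -(-(start - a_start + length) // sector) * sector  # round up to whole sectors
    with open(path, "rb", buffering=0) as fh:
        fh.seek(a_start)
        blob = fh.read(a_len)
    rel = start - a_start
    return blob[rel:rel + length]


def make_sample_image(size=8192, pattern=b"NEEDLE", offsets=(100, 1021, 4090)):
    """Constructed test image: zero-filled, with `pattern` planted at the given offsets.
    Offset 1021 deliberately crosses a 1024-byte chunk boundary."""
    img = bytearray(size)
    for off in offsets:
        img[off:off + len(pattern)] = pattern
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(img)
    return path


if __name__ == "__main__":
    import sys
    # usage: sudo python3 rawscan.py /dev/sda1 'target string'   (or \\.\PhysicalDrive0 on Windows)
    dev, needle = sys.argv[1], sys.argv[2].encode()
    for off in find_offsets(dev, needle):
        print(f"{off}: {context(dev, off)!r}")
```

A scan like this only finds the bytes; turning a hit into a file still needs the file-system metadata (MFT entry, cluster runs) or a carver, which is exactly the part the forensic tools further down provide.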
Open-source digital forensics tools also have to recover data from raw disks, so the problem is very similar.
Open Source Digital Forensics: Autopsy vs. The Sleuth Kit
Autopsy == The Sleuth Kit + GUI
The Sleuth Kit source
Autopsy source
Final choice
Decision: adapt Autopsy into a disk data recovery program:
Making Python code harder to reverse engineer: Boris-code/jmpy
Boris-code/jmpy
Node.js desktop apps can be packaged into an .exe out of the box, so no extra anti-reversing step was considered necessary. Caveat: that packaging (Electron's asar archive, pkg's embedded bundle) only wraps the JavaScript or its bytecode; the sources are trivially extracted from the .exe, so it is packaging, not protection.
GUI
Node.js GUI
mimecorg/vuido
Python GUI
hoffstadt/DearPyGui
References
- Cross-platform GUI libraries (note: some of these are immature)
Autopsy
CSDN link to this article
- Autopsy == The Sleuth Kit + Java GUI (built on the NetBeans Rich Client Platform) + Solr for keyword search + assorted other libraries; it even bundles PhotoRec from TestDisk for file carving. A real grab bag.
- The Sleuth Kit == a C/C++ library that parses the various file systems (among other things) + Java bindings (a JNI library plus the Java code that calls it)
Overall, Autopsy is a Java GUI project that calls The Sleuth Kit's Java bindings for all disk-level functionality.
In theory, after installing Autopsy per the Linux installation manual and starting the Autopsy GUI,
you can open the Autopsy source tree in NetBeans and attach the NetBeans debugger remotely to the running Autopsy GUI process (the JVM has to be started with a JDWP agent for that; see the launch command further down).
Note, though, that the Autopsy GUI is not launched as a java process directly; it goes through <autopsy install dir>/platform/lib/nbexec, a shell script that assembles the JVM command line and starts java as its child process.
A NetBeans installation has the same file at <netbeans install dir>/platform/lib/nbexec, so don't mix the two up.
Autopsy install and launch procedure (Ubuntu 22.04 x64)
Reference: Autopsy Linux installation manual
0. Download the Autopsy Linux package
Download page
or the Autopsy GitHub releases page
autopsy-4.20.0.zip
mkdir -p /app/autopsy-home/ && cd /app/autopsy-home/
wget https://github.com/sleuthkit/autopsy/releases/download/autopsy-4.20.0/autopsy-4.20.0.zip
unzip autopsy-4.20.0.zip
file /app/autopsy-home/autopsy-4.20.0.zip
#/app/autopsy-home/autopsy-4.20.0.zip: Zip archive data, at least v1.0 to extract, compression method=store
ls /app/autopsy-home/autopsy-4.20.0/
#autopsy CoreTestLibs etc icon.ico LICENSE-2.0.txt NEWS.txt README.txt unix_setup.sh
# bin docs harness java linux_macos_install_scripts platform Running_Linux_OSX.md
1. Install prerequisites (JDK 8)
bash -x /app/autopsy-home/autopsy-4.20.0/linux_macos_install_scripts/install_prereqs_ubuntu.sh
# installs bellsoft-java8-full, a JDK 8 build that bundles JavaFX. Autopsy's GUI is mostly Swing on the NetBeans platform, but some modules use JavaFX, which is why the launcher below passes -Dprism.order=sw (JavaFX software rendering).
/usr/lib/jvm/bellsoft-java8-full-amd64/bin/javac -version
#javac 1.8.0_372
2. Install The Sleuth Kit
- Download the Sleuth Kit Linux .deb package
Sleuth Kit GitHub releases page
sleuthkit-java_4.12.0-1_amd64.deb
cd /app/autopsy-home/
wget https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-4.12.0/sleuthkit-java_4.12.0-1_amd64.deb
sudo apt update && sudo apt install /app/autopsy-home/sleuthkit-java_4.12.0-1_amd64.deb
# check the result:
ldconfig -p | grep tsk
# libtsk_jni.so.0 (libc6,x86-64) => /lib/x86_64-linux-gnu/libtsk_jni.so.0
# libtsk_jni.so (libc6,x86-64) => /lib/x86_64-linux-gnu/libtsk_jni.so
# libtsk.so.19 (libc6,x86-64) => /lib/x86_64-linux-gnu/libtsk.so.19
# libtsk.so (libc6,x86-64) => /lib/x86_64-linux-gnu/libtsk.so
3. Install Autopsy
# sudo rm -fr ~/.autopsy/    # only if you want to discard an existing user dir (settings, caches)
# install_application.sh ships in the zip; -z is the release zip, -i the install directory, -j the JDK 8 home:
/app/autopsy-4.20.0-install/linux_macos_install_scripts/install_application.sh -z /app/autopsy-home/autopsy-4.20.0.zip -i /app/autopsy-home/ -j /usr/lib/jvm/bellsoft-java8-full-amd64/
4. Launch Autopsy
export JAVA_HOME=/usr/lib/jvm/bellsoft-java8-full-amd64/
export PATH=$JAVA_HOME/bin:$PATH
which java
#/usr/lib/jvm/bellsoft-java8-full-amd64//bin/java
sudo bash -x /app/autopsy-home/autopsy-4.20.0/bin/autopsy
# which amounts to the following command (the -J-agentlib:jdwp=... option is added for the NetBeans remote attach described above; it is not part of the stock launch, compare the ps listing further down):
sudo /app/autopsy-home/autopsy-4.20.0/bin/../platform/lib/nbexec --jdkhome /usr/lib/jvm/bellsoft-java8-full-amd64/ --clusters /app/autopsy-home/autopsy-4.20.0/autopsy:/app/autopsy-home/autopsy-4.20.0/CoreTestLibs:/app/autopsy-home/autopsy-4.20.0/harness:/app/autopsy-home/autopsy-4.20.0/java: --userdir /root/.autopsy/dev --branding autopsy -J-Xms24m -J-Xmx4G -J-Xverify:none -J-XX:+UseG1GC -J-XX:+UseStringDeduplication -J-Dprism.order=sw -J-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=0.0.0.0:5005
# Caveat: address=0.0.0.0:5005 exposes the JDWP debug port on every interface, and JDWP has no authentication:
# anyone who can reach the port can execute arbitrary code inside the JVM, which here runs as root.
# Use address=127.0.0.1:5005 (tunnel over SSH if you must attach from another machine) and verify the bind address with: ss -ltnp | grep 5005
# the log shows:
#SleuthkitJNI: loaded libtsk_jni
# which means the JNI library libtsk_jni.so was found; Autopsy starts normally.
# prerequisite: nbexec must be executable:
chmod +x /app/autopsy-home/autopsy-4.20.0/platform/lib/nbexec
Notes:
Things to watch for:
- Once one Autopsy instance is running, a second one fails to start: the NetBeans platform locks the --userdir (~/.autopsy/dev) and refuses a second instance on the same userdir.
- Does a running NetBeans IDE block Autopsy in the same way? It should not: the lock is per userdir, and the IDE uses its own (under ~/.netbeans/), not ~/.autopsy/dev.
- On Linux, to select a physical disk (e.g., a USB stick) as the data source, Autopsy must be started with sudo /app/autopsy-home/autopsy-4.20.0/platform/lib/nbexec …, otherwise the process has no permission to open the block device. Less drastic alternative: block devices on Ubuntu are root:disk 0660, so adding your user to the disk group (sudo usermod -aG disk $USER, then log in again) gives read access without running the whole GUI as root. Keep in mind that disk group membership is itself root-equivalent (raw read/write on every disk), so this is a convenience on an analysis box, not a hardening measure.
Run beforehand:
chmod +x /app/autopsy-home/autopsy-4.20.0/platform/lib/nbexec
Reminder
Which processes does Autopsy start? 3 nbexec + 1 JVM
ps auxf
# pick out Autopsy's processes by hand (3 nbexec, 1 JVM); ps truncates the lines to the terminal width:
root 58819 | \_ sudo /app/autopsy-home/autopsy-4.20.0/platform/lib/nbexec --jdkhome /usr/lib/jvm/bellsoft-java
root 58820 | \_ sudo /app/autopsy-home/autopsy-4.20.0/platform/lib/nbexec --jdkhome /usr/lib/jvm/bellsoft-
root 58821 | \_ /bin/sh /app/autopsy-home/autopsy-4.20.0/platform/lib/nbexec --jdkhome /usr/lib/jvm/be
root 58889 | \_ /usr/lib/jvm/bellsoft-java8-full-amd64/bin/java -Djdk.home=/usr/lib/jvm/bellsoft-j
ps auxf | grep java   # piped, so the full command lines of these processes are printed:
root 58819 sudo /app/autopsy-home/autopsy-4.20.0/platform/lib/nbexec --jdkhome /usr/lib/jvm/bellsoft-java8-full-amd64/ --clusters /app/autopsy-home/autopsy-4.20.0/autopsy:/app/autopsy-home/autopsy-4.20.0/CoreTestLibs:/app/autopsy-home/autopsy-4.20.0/harness:/app/autopsy-home/autopsy-4.20.0/java: --userdir /home/zz/.autopsy/dev --branding autopsy -J-Xms24m -J-Xmx4G -J-Xverify:none -J-XX:+UseG1GC -J-XX:+UseStringDeduplication -J-Dprism.order=sw
root 58820 sudo /app/autopsy-home/autopsy-4.20.0/platform/lib/nbexec --jdkhome /usr/lib/jvm/bellsoft-java8-full-amd64/ --clusters /app/autopsy-home/autopsy-4.20.0/autopsy:/app/autopsy-home/autopsy-4.20.0/CoreTestLibs:/app/autopsy-home/autopsy-4.20.0/harness:/app/autopsy-home/autopsy-4.20.0/java: --userdir /home/zz/.autopsy/dev --branding autopsy -J-Xms24m -J-Xmx4G -J-Xverify:none -J-XX:+UseG1GC -J-XX:+UseStringDeduplication -J-Dprism.order=sw
root 58821 /bin/sh /app/autopsy-home/autopsy-4.20.0/platform/lib/nbexec --jdkhome /usr/lib/jvm/bellsoft-java8-full-amd64/ --clusters /app/autopsy-home/autopsy-4.20.0/autopsy:/app/autopsy-home/autopsy-4.20.0/CoreTestLibs:/app/autopsy-home/autopsy-4.20.0/harness:/app/autopsy-home/autopsy-4.20.0/java: --userdir /home/zz/.autopsy/dev --branding autopsy -J-Xms24m -J-Xmx4G -J-Xverify:none -J-XX:+UseG1GC -J-XX:+UseStringDeduplication -J-Dprism.order=sw
root 58889 /usr/lib/jvm/bellsoft-java8-full-amd64/bin/java -Djdk.home=/usr/lib/jvm/bellsoft-java8-full-amd64 -classpath /app/autopsy-home/autopsy-4.20.0/platform/lib/boot.jar:/app/autopsy-home/autopsy-4.20.0/platform/lib/org-openide-modules.jar:/app/autopsy-home/autopsy-4.20.0/platform/lib/org-openide-util-lookup.jar:/app/autopsy-home/autopsy-4.20.0/platform/lib/org-openide-util-ui.jar:/app/autopsy-home/autopsy-4.20.0/platform/lib/org-openide-util.jar:/usr/lib/jvm/bellsoft-java8-full-amd64/lib/dt.jar:/usr/lib/jvm/bellsoft-java8-full-amd64/lib/tools.jar -Dnetbeans.dirs=/app/autopsy-home/autopsy-4.20.0/autopsy:/app/autopsy-home/autopsy-4.20.0/CoreTestLibs:/app/autopsy-home/autopsy-4.20.0/harness:/app/autopsy-home/autopsy-4.20.0/java: -Dnetbeans.home=/app/autopsy-home/autopsy-4.20.0/platform -Xms24m -Xmx4G -Xverify:none -XX:+UseG1GC -XX:+UseStringDeduplication -Dprism.order=sw -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/home/zz/.autopsy/dev/var/log/heapdump.hprof org.netbeans.Main --cachedir /home/zz/.autopsy/dev/var/cache --userdir /home/zz/.autopsy/dev --branding autopsy
# note that this last one is the actual Java process (the JVM); the three nbexec entries are just sudo and the launcher script
JARs and .so files used by Autopsy's JVM process
PID of Autopsy's JVM process
# Autopsy's JVM command line contains the string "openide" (the NetBeans platform jars on its classpath); use that to find its pid:
for pid in $(pidof java); do grep -q openide /proc/$pid/cmdline && autopsy_pid=$pid; done
# e.g., autopsy_pid is 87542
JARs used by Autopsy's JVM process
# JARs open in Autopsy's JVM process (only those under /app, i.e., from the Autopsy install; lsof needs root to inspect a root-owned process):
sudo lsof -p "$autopsy_pid" | awk '/app/ && $9 ~ /\.jar$/ {print $9}' > ./autopsy_process_open_jars.txt
.so files used by Autopsy's JVM process
# .so files used by Autopsy's JVM process: the full paths of libtsk.so and libtsk_jni*.so
sudo lsof -p $autopsy_pid | grep "\.
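As an added example (my code, not the page's and not Autopsy's), the same discovery for the pid, the JARs and the .so files done from Python by reading /proc directly, which avoids lsof and makes the two matching rules (the "openide" classpath entry plus --branding autopsy for the pid; .jar from open file descriptors, .so from the memory mappings) explicit. The function names are mine; the sample cmdline and maps lines are constructed from the ps and ldconfig output above and shortened. The live helpers assume Linux /proc and root permission to read /proc/<pid>/maps and /proc/<pid>/fd of the root-owned JVM.

```python
"""Locate Autopsy's JVM via /proc and list the JARs and native libraries it uses.

Added example, not code from the original post or from the Autopsy project.
Assumes Linux with /proc; inspecting a root-owned JVM needs root (run with sudo).
"""
import os
import re

_OPENIDE = b"openide"                       # NetBeans platform jars on the classpath
_SO_RE = re.compile(r"\.so(\.\d+)*$")       # libfoo.so, libfoo.so.0, libtsk.so.19


def is_autopsy_jvm(cmdline: bytes) -> bool:
    """True if the raw NUL-separated /proc/<pid>/cmdline is Autopsy's JVM:
    a NetBeans platform jar on the classpath and '--branding autopsy'."""
    argv = cmdline.split(b"\0")
    has_openide = any(_OPENIDE in arg for arg in argv)
    try:
        branded = argv[argv.index(b"--branding") + 1] == b"autopsy"
    except (ValueError, IndexError):
        branded = False
    return has_openide and branded


def classify_paths(paths):
    """Split file paths into sorted, de-duplicated .jar and .so lists.
    Pseudo-entries such as [heap] or [stack] are dropped."""
    jars, libs = set(), set()
    for p in paths:
        if not p.startswith("/"):
            continue
        if p.endswith(".jar"):
            jars.add(p)
        elif _SO_RE.search(p):
            libs.add(p)
    return {"jars": sorted(jars), "libs": sorted(libs)}


def paths_from_maps(maps_text: str):
    """Pathname column (6th field) of every /proc/<pid>/maps line that has one."""
    out = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6:
            out.append(fields[5].strip())
    return out


def find_autopsy_pids():
    """Scan /proc for processes whose cmdline matches is_autopsy_jvm()."""
    pids = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                if is_autopsy_jvm(fh.read()):
                    pids.append(int(entry))
        except OSError:
            continue  # process exited or not readable
    return pids


def libraries_of(pid: int):
    """JARs (open file descriptors) and .so files (memory mappings) of a live pid."""
    paths = []
    fd_dir = f"/proc/{pid}/fd"
    for fd in os.listdir(fd_dir):
        try:
            paths.append(os.readlink(os.path.join(fd_dir, fd)))
        except OSError:
            pass  # fd closed between listdir and readlink
    with open(f"/proc/{pid}/maps") as fh:
        paths.extend(paths_from_maps(fh.read()))
    return classify_paths(paths)


# Constructed samples, shortened from the ps / ldconfig output on this page.
SAMPLE_CMDLINE = (
    b"/usr/lib/jvm/bellsoft-java8-full-amd64/bin/java\0-classpath\0"
    b"/app/autopsy-home/autopsy-4.20.0/platform/lib/boot.jar:"
    b"/app/autopsy-home/autopsy-4.20.0/platform/lib/org-openide-modules.jar\0"
    b"org.netbeans.Main\0--userdir\0/home/zz/.autopsy/dev\0--branding\0autopsy\0"
)
SAMPLE_MAPS = """\
7f1c0a000000-7f1c0a021000 r--p 00000000 fd:01 1234 /lib/x86_64-linux-gnu/libtsk_jni.so.0
7f1c0a021000-7f1c0a100000 r-xp 00021000 fd:01 1234 /lib/x86_64-linux-gnu/libtsk_jni.so.0
7f1c0b000000-7f1c0b2a0000 r-xp 00000000 fd:01 1235 /lib/x86_64-linux-gnu/libtsk.so.19
7f1c0c000000-7f1c0c010000 r--s 00000000 fd:01 1236 /app/autopsy-home/autopsy-4.20.0/platform/lib/boot.jar
7f1c0d000000-7f1c0d100000 rw-p 00000000 00:00 0 [heap]
7f1c0e000000-7f1c0e001000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    # usage: sudo python3 autopsy_procs.py
    for pid in find_autopsy_pids():
        info = libraries_of(pid)
        print(pid, len(info["jars"]), "jars;", [p for p in info["libs"] if "tsk" in p])
```

Matching on "openide" alone would also hit a NetBeans IDE running on the same box, which is why the branding argument is checked as well.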