disk-forensics


Disk Forensics


Comprehensive disk forensics skill for analyzing storage media, file systems, and persistent artifacts. Enables recovery of deleted files, analysis of file system metadata, detection of hidden data, and extraction of forensic artifacts from disk images.

Capabilities


  • Disk Image Acquisition: Create forensically sound disk images with integrity verification
  • File System Analysis: Parse and analyze NTFS, FAT, EXT, HFS+, APFS file systems
  • Deleted File Recovery: Recover deleted files using file carving and file system analysis
  • MFT Analysis: Parse NTFS Master File Table for file metadata and timestamps
  • Slack Space Analysis: Examine slack space for hidden or residual data
  • Alternate Data Streams: Detect and extract NTFS alternate data streams
  • File Signature Analysis: Verify file signatures and detect mismatched extensions
  • Hash Analysis: Calculate and verify file hashes for integrity and known file detection
  • Volume Shadow Copy Analysis: Extract and analyze Windows Volume Shadow Copies
  • Partition Analysis: Detect hidden partitions, analyze partition tables

Quick Start


```python
from disk_forensics import DiskAnalyzer, FileRecovery, MFTParser

# Initialize analyzer with disk image
analyzer = DiskAnalyzer("/evidence/disk_image.E01")

# Get volume information
volumes = analyzer.list_volumes()
for vol in volumes:
    print(f"Volume: {vol.description} - {vol.size_gb}GB")

# Recover deleted files
recovery = FileRecovery(analyzer)
deleted = recovery.find_deleted_files()

# Parse MFT
mft_parser = MFTParser(analyzer)
entries = mft_parser.parse_all()
```

Usage


Task 1: Disk Image Acquisition


Input: Physical disk or logical volume to acquire
Process:
  1. Document source media details
  2. Calculate source hash before acquisition
  3. Create forensic image (E01/Ex01/raw)
  4. Verify image integrity with hash comparison
  5. Generate acquisition report
Output: Forensically sound disk image with documentation
Example:
```python
from disk_forensics import DiskAcquisition

# Initialize acquisition
acquisition = DiskAcquisition()

# Document source
source_info = acquisition.document_source(
    device_path="/dev/sdb",
    make="Samsung",
    model="SSD 870 EVO",
    serial_number="S5XXXXXXXXXXXX",
    capacity_gb=500
)

# Create forensic image
result = acquisition.create_image(
    source="/dev/sdb",
    destination="/evidence/suspect_disk.E01",
    format="ewf",  # Expert Witness Format
    compression="best",
    segment_size_gb=2,
    hash_algorithms=["md5", "sha256"]
)

print("Acquisition complete")
print(f"Source Hash: {result.source_hash}")
print(f"Image Hash: {result.image_hash}")
print(f"Verified: {result.verified}")

# Generate acquisition report
acquisition.generate_report(
    output_path="/evidence/acquisition_report.pdf",
    case_id="CASE-2024-001",
    examiner="Jane Smith"
)
```
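The hash-while-imaging and verify-by-re-reading steps of the process above, as an added example that is not part of the `disk_forensics` library: it copies a constructed pseudo-device into raw segment files (segment size, `CHUNK`, and the temp-directory layout are assumptions) and reports whether the independently re-read image matches the source stream.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # read/write granularity in bytes (assumed)


def _hashers(algorithms):
    return {name: hashlib.new(name) for name in algorithms}


def acquire_raw(source_path, dest_prefix, segment_size, algorithms=("md5", "sha256")):
    """Copy source_path into raw segments dest_prefix.001, .002, ... and verify.

    The source stream is hashed as it is read; the written segments are then
    re-read from disk and hashed independently, so a faithful copy yields
    identical source and image digests.
    """
    src_h = _hashers(algorithms)
    segments, total = [], 0
    seg_fh, seg_written = None, 0
    with open(source_path, "rb") as src:
        for data in iter(lambda: src.read(CHUNK), b""):
            for h in src_h.values():
                h.update(data)
            total += len(data)
            while data:  # a chunk may straddle a segment boundary
                if seg_fh is None:
                    name = f"{dest_prefix}.{len(segments) + 1:03d}"
                    segments.append(name)
                    seg_fh, seg_written = open(name, "wb"), 0
                room = segment_size - seg_written
                part, data = data[:room], data[room:]
                seg_fh.write(part)
                seg_written += len(part)
                if seg_written == segment_size:
                    seg_fh.close()
                    seg_fh = None
    if seg_fh is not None:
        seg_fh.close()
    # Verification pass: hash what actually landed on the evidence drive.
    img_h = _hashers(algorithms)
    for name in segments:
        with open(name, "rb") as fh:
            for data in iter(lambda: fh.read(CHUNK), b""):
                for h in img_h.values():
                    h.update(data)
    source_hash = {k: h.hexdigest() for k, h in src_h.items()}
    image_hash = {k: h.hexdigest() for k, h in img_h.items()}
    return {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": source_path,
        "segments": segments,
        "bytes": total,
        "source_hash": source_hash,
        "image_hash": image_hash,
        "verified": source_hash == image_hash,
    }


def demo():
    """Image a constructed 300 KiB pseudo-device into 128 KiB segments."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "fake_device.bin")  # stands in for /dev/sdb
    with open(device, "wb") as fh:
        fh.write(bytes(range(256)) * 1200)  # constructed sample content
    record = acquire_raw(device, os.path.join(workdir, "evidence.raw"), 128 * 1024)
    with open(os.path.join(workdir, "acquisition.json"), "w") as fh:
        json.dump(record, fh, indent=2)  # minimal acquisition log
    return record


if __name__ == "__main__":
    r = demo()
    print(f"Verified: {r['verified']}  segments: {len(r['segments'])}")
```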

Task 2: File System Analysis


Input: Disk image file path
Process:
  1. Mount disk image read-only
  2. Identify file system type
  3. Parse file system structures
  4. Extract file metadata
  5. Build file system timeline
Output: File system analysis with metadata
Example:
```python
from disk_forensics import DiskAnalyzer, FileSystemParser

analyzer = DiskAnalyzer("/evidence/disk_image.E01")

# List all volumes
volumes = analyzer.list_volumes()
for vol in volumes:
    print(f"Volume {vol.index}: {vol.file_system}")
    print(f"  Start: {vol.start_offset}")
    print(f"  Size: {vol.size_bytes} bytes")

# Parse specific volume
parser = FileSystemParser(analyzer, volume_index=2)

# Get volume statistics
stats = parser.get_statistics()
print(f"Total files: {stats.total_files}")
print(f"Total directories: {stats.total_directories}")
print(f"Deleted entries: {stats.deleted_entries}")

# List directory contents
files = parser.list_directory("/Users/suspect/Documents")
for f in files:
    print(f"{f.name} - {f.size} bytes - {f.modified_time}")

# Find files by extension
docs = parser.find_files_by_extension([".docx", ".xlsx", ".pdf"])

# Find files by date range
recent = parser.find_files_by_date(
    start_date="2024-01-01",
    end_date="2024-01-31",
    date_type="modified"
)
```
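Steps 2 and 3 of the process (identify the file system, parse its structures) as an added example that is not the library's code: it sniffs the boot sector or superblock of a volume head and pulls basic geometry for NTFS, FAT32 and ext2/3/4. The volume heads are constructed in `sample_volumes()` and contain only the fields the identifier reads.

```python
import struct

EXT_SUPERBLOCK = 1024  # ext superblock lives 1 KiB into the volume
EXT_MAGIC = 0xEF53


def identify(volume):
    """(fs_type, details) from the first 2 KiB of a volume."""
    if len(volume) < 2048:
        return "unknown", {}
    if volume[3:11] == b"NTFS    " and volume[510:512] == b"\x55\xaa":
        bps, spc = struct.unpack_from("<HB", volume, 0x0B)
        total_sectors, mft_lcn = struct.unpack_from("<QQ", volume, 0x28)
        return "NTFS", {"bytes_per_sector": bps, "sectors_per_cluster": spc,
                        "cluster_size": bps * spc, "total_sectors": total_sectors,
                        "mft_offset": mft_lcn * bps * spc}
    if volume[0x52:0x57] == b"FAT32":
        bps, spc = struct.unpack_from("<HB", volume, 0x0B)
        return "FAT32", {"cluster_size": bps * spc}
    if volume[0x36:0x3B] in (b"FAT12", b"FAT16"):
        return volume[0x36:0x3B].decode(), {}
    if struct.unpack_from("<H", volume, EXT_SUPERBLOCK + 0x38)[0] == EXT_MAGIC:
        inodes, blocks = struct.unpack_from("<II", volume, EXT_SUPERBLOCK)
        log_bs = struct.unpack_from("<I", volume, EXT_SUPERBLOCK + 0x18)[0]
        compat, incompat = struct.unpack_from("<II", volume, EXT_SUPERBLOCK + 0x5C)
        # has_journal (compat 0x4) separates ext3 from ext2; extents (incompat 0x40) marks ext4
        fs = "ext4" if incompat & 0x40 else "ext3" if compat & 0x4 else "ext2"
        return fs, {"block_size": 1024 << log_bs, "inodes": inodes, "blocks": blocks,
                    "has_journal": bool(compat & 0x4)}
    if volume[1024:1026] == b"H+":
        return "HFS+", {}
    if volume[0x20:0x24] == b"NXSB":
        return "APFS", {}
    return "unknown", {}


def list_volumes(volumes):
    """Summary rows for a mapping of volume label -> leading bytes."""
    rows = []
    for index, (label, data) in enumerate(volumes.items()):
        fs, details = identify(data)
        rows.append({"index": index, "label": label, "file_system": fs, **details})
    return rows


def sample_volumes():
    """Constructed volume heads (2 KiB each) carrying only the fields identify() reads."""
    ntfs = bytearray(2048)
    ntfs[3:11] = b"NTFS    "
    struct.pack_into("<HB", ntfs, 0x0B, 512, 8)        # 4 KiB clusters
    struct.pack_into("<QQ", ntfs, 0x28, 1_000_000, 4)  # 1M sectors, $MFT at cluster 4
    ntfs[510:512] = b"\x55\xaa"
    ext4 = bytearray(2048)
    struct.pack_into("<II", ext4, EXT_SUPERBLOCK, 65536, 262144)
    struct.pack_into("<I", ext4, EXT_SUPERBLOCK + 0x18, 2)           # 4 KiB blocks
    struct.pack_into("<H", ext4, EXT_SUPERBLOCK + 0x38, EXT_MAGIC)
    struct.pack_into("<II", ext4, EXT_SUPERBLOCK + 0x5C, 0x4, 0x40)  # journal + extents
    fat32 = bytearray(2048)
    fat32[0x52:0x5A] = b"FAT32   "
    struct.pack_into("<HB", fat32, 0x0B, 512, 16)
    apfs = bytearray(2048)
    apfs[0x20:0x24] = b"NXSB"
    return {"vol1": bytes(ntfs), "vol2": bytes(ext4), "vol3": bytes(fat32),
            "vol4": bytes(apfs), "vol5": bytes(2048)}


if __name__ == "__main__":
    for row in list_volumes(sample_volumes()):
        print(row)
```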

Task 3: Deleted File Recovery


Input: Disk image with potential deleted files
Process:
  1. Scan file system for deleted entries
  2. Analyze unallocated space
  3. Perform file carving by signatures
  4. Verify recovered file integrity
  5. Document recovery results
Output: Recovered files with recovery metadata
Example:
```python
from disk_forensics import DiskAnalyzer, FileRecovery

analyzer = DiskAnalyzer("/evidence/disk_image.E01")
recovery = FileRecovery(analyzer)

# Find deleted files via file system
deleted = recovery.find_deleted_files()
for f in deleted:
    print(f"Deleted: {f.name}")
    print(f"  Original path: {f.original_path}")
    print(f"  Size: {f.size}")
    print(f"  Recoverable: {f.recoverable_percent}%")

# Recover specific file
recovery.recover_file(
    file_entry=deleted[0],
    output_path="/evidence/recovered/"
)

# File carving from unallocated space
carved = recovery.carve_files(
    file_types=["jpg", "png", "pdf", "docx"],
    output_dir="/evidence/carved/"
)

for f in carved:
    print(f"Carved: {f.filename}")
    print(f"  Type: {f.file_type}")
    print(f"  Size: {f.size}")
    print(f"  Offset: {f.disk_offset}")

# Recovery statistics
stats = recovery.get_statistics()
print(f"Files recovered: {stats.files_recovered}")
print(f"Data recovered: {stats.bytes_recovered} bytes")
```
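Step 3 of the process, signature-based carving, as an added example that is not the library's `carve_files`: a header/trailer carver run over a constructed unallocated-space buffer, including a file whose trailer was overwritten. The `SIGNATURES` table and `MAX_SIZE` are assumptions.

```python
import re

# (header, trailer) magic for a few formats, taken from the published specs.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_SIZE = 16 * 1024 * 1024  # stop looking for a trailer beyond this many bytes


def carve(unallocated, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Return carved extents as dicts sorted by offset.

    For every header hit the trailer is searched within max_size bytes. A
    header with no trailer in range is still reported (complete=False) so the
    examiner can decide whether a partially overwritten file is worth keeping.
    """
    found = []
    for ftype, (header, trailer) in signatures.items():
        for m in re.finditer(re.escape(header), unallocated):
            start = m.start()
            window_end = min(len(unallocated), start + max_size)
            end = unallocated.find(trailer, start + len(header), window_end)
            if end == -1:
                found.append({"type": ftype, "offset": start,
                              "size": window_end - start, "complete": False})
            else:
                found.append({"type": ftype, "offset": start,
                              "size": end + len(trailer) - start, "complete": True})
    found.sort(key=lambda f: f["offset"])
    return found


def extract(unallocated, extent):
    """Bytes of one carved extent, as they would be written to the output dir."""
    return unallocated[extent["offset"]:extent["offset"] + extent["size"]]


def sample_unallocated():
    """Constructed unallocated-space buffer: three whole files and one whose
    trailer was overwritten, separated by wiped (zero / 0xFF) bytes."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"P" * 30 + b"IEND\xae\x42\x60\x82"
    pdf = b"%PDF-1.7\n" + b"obj" * 10 + b"\n%%EOF\n"
    truncated_pdf = b"%PDF-1.4\n" + b"x" * 50  # header only: trailer overwritten
    return b"\x00" * 16 + jpg + b"\x00" * 32 + png + b"\xff" * 8 + pdf + b"\x00" * 8 + truncated_pdf


if __name__ == "__main__":
    buf = sample_unallocated()
    for e in carve(buf):
        status = "complete" if e["complete"] else "PARTIAL"
        print(f"{e['type']:4} offset={e['offset']:6d} size={e['size']:6d} {status}")
```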

Task 4: MFT Analysis (NTFS)


Input: NTFS disk image or extracted MFT file
Process:
  1. Locate and extract MFT
  2. Parse MFT entries
  3. Extract standard information attributes
  4. Analyze file names and timestamps
  5. Detect timestamp manipulation
Output: MFT analysis with timeline anomalies
Example:
```python
from disk_forensics import DiskAnalyzer, MFTParser

analyzer = DiskAnalyzer("/evidence/disk_image.E01")
mft_parser = MFTParser(analyzer, volume_index=2)

# Parse entire MFT
entries = mft_parser.parse_all()
print(f"Total MFT entries: {len(entries)}")

# Get specific file entry
entry = mft_parser.get_entry_by_path("/Users/suspect/malware.exe")
if entry:
    print(f"File: {entry.filename}")
    print(f"Created: {entry.created_time}")
    print(f"Modified: {entry.modified_time}")
    print(f"Accessed: {entry.accessed_time}")
    print(f"MFT Modified: {entry.mft_modified_time}")

# Detect timestamp anomalies (timestomping)
anomalies = mft_parser.detect_timestamp_anomalies()
for a in anomalies:
    print(f"ANOMALY: {a.filename}")
    print(f"  Type: {a.anomaly_type}")
    print(f"  Details: {a.description}")

# Find files by MFT entry number
entry = mft_parser.get_entry_by_number(12345)

# Extract MFT to file
mft_parser.extract_mft("/evidence/extracted_mft.bin")

# Generate MFT timeline
mft_parser.export_timeline("/evidence/mft_timeline.csv")
```
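Steps 2 to 5 of the process as an added example that is not the library's `MFTParser`: it builds constructed 1024-byte FILE records, applies the update sequence fixups, parses `$STANDARD_INFORMATION` and `$FILE_NAME`, and flags the two standard timestomping indicators ($SI creation before $FN creation; whole-second $SI stamps). Record layout follows the NTFS on-disk format; the sample file names and times are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI_TYPE, FN_TYPE, END_MARKER = 0x10, 0x30, 0xFFFFFFFF

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return NT_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    td = dt - NT_EPOCH  # integer arithmetic keeps the 100 ns digits exact
    return ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10

def _attr(atype, value):
    """Resident attribute: 24-byte header, then the value padded to 8 bytes."""
    value += b"\x00" * (-len(value) % 8)
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(value), 0, 0, 24, 0, 0,
                       len(value), 24, 0, 0) + value

def build_record(name, si_times, fn_times, record_no=0):
    """Constructed 1024-byte FILE record holding $STANDARD_INFORMATION and
    $FILE_NAME. Times are (created, modified, mft_modified, accessed) FILETIMEs.
    The update sequence array is applied exactly as NTFS writes it."""
    si = struct.pack("<4Q4I", *si_times, 0x20, 0, 0, 0)
    fn = struct.pack("<Q4Q2Q2IBB", (5 << 48) | 5, *fn_times, 0, 0, 0x20, 0,
                     len(name), 3) + name.encode("utf-16-le")
    body = _attr(SI_TYPE, si) + _attr(FN_TYPE, fn) + struct.pack("<I", END_MARKER)
    rec = bytearray(1024)
    rec[:48] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                           1, 0x38 + len(body), 1024, 0, 3, 0, record_no)
    rec[0x38:0x38 + len(body)] = body
    rec[0x30:0x32] = b"\x01\x00"                            # update sequence number
    for i, end in enumerate((510, 1022)):                   # last 2 bytes per sector
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end:end + 2]  # park the real bytes
        rec[end:end + 2] = b"\x01\x00"                      # stamp the USN
    return bytes(rec)

def apply_fixups(raw):
    """Undo update-sequence stamping; a mismatch means a torn/corrupt record."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError("update sequence mismatch in MFT record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(raw):
    rec = apply_fixups(raw)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    entry = {"record": struct.unpack_from("<I", rec, 0x2C)[0],
             "in_use": bool(flags & 1), "name": None, "si": None, "fn": None}
    off = first_attr
    while struct.unpack_from("<I", rec, off)[0] != END_MARKER:
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
        value = rec[off + voff:off + voff + vlen]
        if atype == SI_TYPE and not nonres:
            entry["si"] = struct.unpack_from("<4Q", value)
        elif atype == FN_TYPE and not nonres:
            entry["fn"] = struct.unpack_from("<4Q", value, 8)
            entry["name"] = value[66:66 + 2 * value[64]].decode("utf-16-le")
        off += alen
    return entry

def detect_timestomping(entry):
    """$SI vs $FN comparison plus sub-second precision check (process step 5)."""
    si, fn = entry["si"], entry["fn"]
    if si is None or fn is None:
        return []
    findings = []
    # $FILE_NAME times are kernel-maintained and unreachable via SetFileTime,
    # so a $SI creation earlier than $FN creation is the classic stomp sign.
    if si[0] < fn[0]:
        findings.append("$SI creation predates $FN creation")
    # API-driven stomps commonly write whole seconds; the entry-modified stamp
    # (index 2) is skipped because the kernel sets it during the stomp itself.
    if all(t % 10_000_000 == 0 for t in (si[0], si[1], si[3])):
        findings.append("$SI timestamps have zero sub-second component")
    return findings

def demo():
    real = dt_to_filetime(datetime(2024, 1, 15, 9, 30, 12, 345678, tzinfo=timezone.utc))
    clean = build_record("report.docx", (real, real + 50 * 10**7, real + 50 * 10**7,
                                         real + 60 * 10**7), (real,) * 4, 41)
    fake = dt_to_filetime(datetime(2019, 6, 1, tzinfo=timezone.utc))
    stomped = build_record("malware.exe", (fake, fake, real + 10**4, fake), (real,) * 4, 42)
    return {e["name"]: detect_timestomping(e) for e in map(parse_record, (clean, stomped))}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["no anomalies"])
```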

Task 5: Alternate Data Streams Analysis


Input: NTFS disk image
Process:
  1. Scan for files with alternate data streams
  2. Extract ADS content
  3. Analyze ADS for malicious content
  4. Check Zone.Identifier streams
  5. Document ADS findings
Output: ADS inventory with extracted content
Example:
```python
from disk_forensics import DiskAnalyzer, ADSScanner

analyzer = DiskAnalyzer("/evidence/disk_image.E01")
ads_scanner = ADSScanner(analyzer, volume_index=2)

# Find all alternate data streams
streams = ads_scanner.find_all_streams()
for stream in streams:
    print(f"File: {stream.parent_file}")
    print(f"  Stream: {stream.stream_name}")
    print(f"  Size: {stream.size} bytes")

# Extract specific stream
ads_scanner.extract_stream(
    file_path="/Users/suspect/document.docx",
    stream_name="Zone.Identifier",
    output_path="/evidence/zone_id.txt"
)

# Analyze Zone.Identifier streams (download origins)
zone_info = ads_scanner.analyze_zone_identifiers()
for zi in zone_info:
    print(f"File: {zi.filename}")
    print(f"  Download URL: {zi.referrer_url}")
    print(f"  Host URL: {zi.host_url}")
    print(f"  Zone: {zi.security_zone}")

# Find executable content in ADS
suspicious = ads_scanner.find_executable_ads()
for s in suspicious:
    print(f"SUSPICIOUS: {s.parent_file}:{s.stream_name}")
```
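Steps 3 and 4 of the process as an added example that is not the library's `ADSScanner`: it parses the INI-style body of a `Zone.Identifier` stream into zone, referrer and host URL, and labels other streams whose first bytes are an executable header. The `(parent, stream, bytes)` triples in `SAMPLE_STREAMS` are constructed stand-ins for what a volume walk would return.

```python
import configparser

# Security zone ids as written into the ZoneId= line (URLMON zone numbering).
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
# Magic bytes that mean a stream holds executable content rather than metadata.
EXEC_MAGICS = {b"MZ": "PE executable", b"\x7fELF": "ELF executable", b"#!": "script"}


def parse_zone_identifier(data):
    """Parse a Zone.Identifier stream body (an INI fragment). Returns None when
    it does not parse or lacks [ZoneTransfer], which is itself worth noting."""
    text = data.decode("utf-8", errors="replace").replace("\r\n", "\n")
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep ZoneId / ReferrerUrl / HostUrl as written
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    zone_id = int(sec.get("ZoneId", "-1"))
    return {"zone_id": zone_id, "zone": ZONES.get(zone_id, "Unknown"),
            "referrer_url": sec.get("ReferrerUrl"), "host_url": sec.get("HostUrl")}


def classify_stream(data):
    """Label executable content found in a non-metadata stream, else None."""
    for magic, label in EXEC_MAGICS.items():
        if data.startswith(magic):
            return label
    return None


# Constructed (parent file, stream name, stream bytes) triples.
SAMPLE_STREAMS = [
    ("/Users/suspect/invoice.docx", "Zone.Identifier",
     b"[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://mail.example.test/inbox\r\n"
     b"HostUrl=https://cdn.example.test/dl/invoice.docx\r\n"),
    ("/Users/suspect/notes.txt", "backup", b"MZ\x90\x00\x03\x00" + b"\x00" * 58),
    ("/Users/suspect/photo.jpg", "Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=2\r\n"),
    ("/Users/suspect/readme.txt", "summary", b"plain text note"),
]


def build_inventory(streams=SAMPLE_STREAMS):
    """ADS inventory: zone info for Zone.Identifier streams, executable label
    for everything else."""
    inventory = []
    for parent, stream, data in streams:
        item = {"parent_file": parent, "stream_name": stream, "size": len(data),
                "zone": None, "executable": None}
        if stream == "Zone.Identifier":
            item["zone"] = parse_zone_identifier(data)
        else:
            item["executable"] = classify_stream(data)
        inventory.append(item)
    return inventory


def find_executable_ads(inventory):
    return [i for i in inventory if i["executable"]]


if __name__ == "__main__":
    inv = build_inventory()
    for i in inv:
        print(f"{i['parent_file']}:{i['stream_name']} -> {i['zone'] or i['executable']}")
```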

Task 6: Volume Shadow Copy Analysis


Input: Windows disk image with VSS
Process:
  1. Enumerate Volume Shadow Copies
  2. Mount shadow copy for analysis
  3. Compare files across shadow copies
  4. Extract previous file versions
  5. Timeline shadow copy changes
Output: VSS analysis with file version history
Example:
```python
from disk_forensics import DiskAnalyzer, VSSAnalyzer

analyzer = DiskAnalyzer("/evidence/disk_image.E01")
vss_analyzer = VSSAnalyzer(analyzer, volume_index=2)

# List all shadow copies
shadows = vss_analyzer.list_shadow_copies()
for sc in shadows:
    print(f"Shadow Copy: {sc.id}")
    print(f"  Created: {sc.creation_time}")
    print(f"  Volume: {sc.volume_path}")

# Get file from specific shadow copy
file_content = vss_analyzer.extract_file(
    shadow_id=shadows[0].id,
    file_path="/Users/suspect/deleted_evidence.xlsx",
    output_path="/evidence/recovered_from_vss.xlsx"
)

# Compare file across shadow copies
diff = vss_analyzer.compare_file_versions(
    file_path="/Users/suspect/important.docx"
)
for version in diff:
    print(f"Version from {version.shadow_date}:")
    print(f"  Size: {version.size}")
    print(f"  Hash: {version.hash}")

# Find deleted files recoverable from VSS
recoverable = vss_analyzer.find_deleted_in_shadows()

# Export VSS timeline
vss_analyzer.export_timeline("/evidence/vss_timeline.csv")
```

Task 7: File Signature Analysis


Input: Disk image or directory of files
Process:
  1. Extract file headers/signatures
  2. Compare to known file signatures
  3. Identify mismatched extensions
  4. Detect embedded files
  5. Report signature anomalies
Output: File signature analysis with mismatches
Example:
```python
from disk_forensics import DiskAnalyzer, SignatureAnalyzer

analyzer = DiskAnalyzer("/evidence/disk_image.E01")
sig_analyzer = SignatureAnalyzer(analyzer, volume_index=2)

# Analyze all files
results = sig_analyzer.analyze_all()

# Find extension mismatches
mismatches = sig_analyzer.find_mismatches()
for m in mismatches:
    print(f"MISMATCH: {m.file_path}")
    print(f"  Extension: {m.extension}")
    print(f"  Actual Type: {m.detected_type}")
    print(f"  Signature: {m.signature_hex}")

# Analyze specific file
file_info = sig_analyzer.analyze_file("/Users/suspect/image.jpg")
print(f"File: {file_info.path}")
print(f"Detected Type: {file_info.detected_type}")
print(f"MIME Type: {file_info.mime_type}")
print(f"Extension Valid: {file_info.extension_valid}")

# Find renamed executables
renamed_exe = sig_analyzer.find_renamed_executables()
for exe in renamed_exe:
    print(f"Hidden EXE: {exe.path} (disguised as {exe.extension})")

# Detect polyglot files (multiple valid signatures)
polyglots = sig_analyzer.find_polyglots()

# Export analysis report
sig_analyzer.export_report("/evidence/signature_analysis.csv")
```
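The mismatch, renamed-executable and polyglot checks of this task as an added example that is not the library's `SignatureAnalyzer`: header-based type detection compared against the extension, with a JPEG/PNG/PDF-plus-ZIP polyglot test on the trailer. The `MAGICS` table and the in-memory `SAMPLE_FILES` are constructed.

```python
import os

# (type, extensions that legitimately carry it, magic bytes), from published specs.
MAGICS = [
    ("pe", {".exe", ".dll", ".sys", ".scr"}, b"MZ"),
    ("elf", {"", ".so", ".ko"}, b"\x7fELF"),
    ("png", {".png"}, b"\x89PNG\r\n\x1a\n"),
    ("jpg", {".jpg", ".jpeg"}, b"\xff\xd8\xff"),
    ("pdf", {".pdf"}, b"%PDF-"),
    ("zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"}, b"PK\x03\x04"),
]
ZIP_LOCAL, ZIP_EOCD = b"PK\x03\x04", b"PK\x05\x06"


def detect_type(data):
    """Type from the leading magic, or 'unknown'; longer magics are tried first."""
    for name, _, magic in sorted(MAGICS, key=lambda m: -len(m[2])):
        if data.startswith(magic):
            return name
    return "unknown"


def analyze_file(path, data):
    ext = os.path.splitext(path)[1].lower()
    detected = detect_type(data)
    expected = next((exts for n, exts, _ in MAGICS if n == detected), None)
    valid = expected is None or ext in expected  # unknown content cannot contradict
    # An image or PDF that also carries a ZIP local header and ends with a ZIP
    # end-of-central-directory record opens as both: a polyglot worth review.
    polyglot = (detected in ("jpg", "png", "pdf") and ZIP_LOCAL in data
                and ZIP_EOCD in data[-65557:])
    return {"path": path, "extension": ext, "detected_type": detected,
            "signature_hex": data[:8].hex(), "extension_valid": valid,
            "renamed_executable": detected in ("pe", "elf") and not valid,
            "polyglot": polyglot}


def analyze_all(files):
    return [analyze_file(p, d) for p, d in files.items()]


def find_mismatches(results):
    return [r for r in results if not r["extension_valid"]]


def find_renamed_executables(results):
    return [r for r in results if r["renamed_executable"]]


def find_polyglots(results):
    return [r for r in results if r["polyglot"]]


# Constructed in-memory files standing in for a volume walk.
SAMPLE_FILES = {
    "/Users/suspect/image.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9",
    "/Users/suspect/holiday.jpg": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,     # PE renamed .jpg
    "/Users/suspect/contract.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 40,  # OOXML is a ZIP
    "/Users/suspect/scan.pdf": b"\xff\xd8\xff\xe1" + b"\x00" * 20,         # JPEG named .pdf
    "/Users/suspect/cat.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 20 + b"\xff\xd9"
                               + ZIP_LOCAL + b"x" * 30 + ZIP_EOCD + b"\x00" * 18),
    "/Users/suspect/notes.txt": b"meeting at 10\n",
}


if __name__ == "__main__":
    res = analyze_all(SAMPLE_FILES)
    for r in find_mismatches(res):
        print(f"MISMATCH: {r['path']} ext={r['extension']} actual={r['detected_type']}")
    for r in find_renamed_executables(res):
        print(f"Hidden EXE: {r['path']}")
    for r in find_polyglots(res):
        print(f"POLYGLOT: {r['path']}")
```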

Task 8: Slack Space Analysis


Input: Disk image file
Process:
  1. Identify file slack space locations
  2. Extract slack space content
  3. Search for readable data
  4. Identify potential evidence
  5. Document findings
Output: Slack space analysis with extracted data
Example:
```python
from disk_forensics import DiskAnalyzer, SlackSpaceAnalyzer

analyzer = DiskAnalyzer("/evidence/disk_image.E01")
slack_analyzer = SlackSpaceAnalyzer(analyzer, volume_index=2)

# Analyze all slack space
results = slack_analyzer.analyze_all()
print(f"Total slack space: {results.total_bytes} bytes")
print(f"Slack with data: {results.data_bytes} bytes")

# Extract slack space from specific file
slack_data = slack_analyzer.get_file_slack("/Users/suspect/document.docx")
print(f"Slack content: {slack_data.content[:100]}")

# Search slack space for patterns
matches = slack_analyzer.search_slack(
    patterns=["password", "secret", "confidential"],
    case_sensitive=False
)
for m in matches:
    print(f"Found '{m.pattern}' in slack of {m.file_path}")
    print(f"  Context: {m.context}")

# Extract all readable strings from slack
strings = slack_analyzer.extract_strings(min_length=4)

# Export slack space content
slack_analyzer.export_slack_data("/evidence/slack_space/")
```
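Steps 1 to 3 of the process as an added example that is not the library's `SlackSpaceAnalyzer`: it computes where a file's RAM slack and drive slack fall inside its allocated clusters, extracts the slack bytes, and runs string extraction and pattern search over them. The 4 KiB cluster / 512-byte sector geometry and the two-cluster sample run are assumptions.

```python
import re

SECTOR, CLUSTER = 512, 4096  # assumed geometry (NTFS default cluster size)


def slack_layout(file_size, cluster=CLUSTER, sector=SECTOR):
    """Byte ranges inside the file's allocated run that lie past its logical end.

    RAM slack runs from EOF to the end of the last written sector (NTFS zero-fills
    it); drive slack runs from there to the end of the last cluster and keeps
    whatever the previous occupant left behind."""
    allocated = -(-file_size // cluster) * cluster
    ram_end = -(-file_size // sector) * sector
    return {"allocated": allocated, "ram_slack": (file_size, ram_end),
            "drive_slack": (ram_end, allocated)}


def get_file_slack(cluster_run, file_size, cluster=CLUSTER):
    """Raw slack bytes (RAM + drive slack) of a file whose clusters are cluster_run."""
    return cluster_run[file_size:slack_layout(file_size, cluster)["allocated"]]


def extract_strings(data, min_length=4):
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_length, data)]


def search_slack(slack, patterns, case_sensitive=False, context=16):
    flags = 0 if case_sensitive else re.IGNORECASE
    hits = []
    for pat in patterns:
        for m in re.finditer(re.escape(pat.encode()), slack, flags):
            lo, hi = max(0, m.start() - context), min(len(slack), m.end() + context)
            hits.append({"pattern": pat, "offset": m.start(),
                         "context": slack[lo:hi].decode("latin-1")})
    return hits


def sample_cluster_run():
    """Constructed 2-cluster run: a 5000-byte file written over clusters that
    previously held a plain-text note, with NTFS zero-fill to the sector end."""
    run = bytearray(2 * CLUSTER)
    old = b"Meeting notes: the vault PASSWORD is hunter2. Mark CONFIDENTIAL."
    run[6000:6000 + len(old)] = old          # residue from the prior occupant
    run[0:5000] = b"A" * 5000                # the current file's content
    run[5000:5120] = b"\x00" * 120           # RAM slack zero-filled by the kernel
    return bytes(run), 5000


if __name__ == "__main__":
    run, size = sample_cluster_run()
    slack = get_file_slack(run, size)
    print(slack_layout(size))
    for s in extract_strings(slack):
        print("STRING:", s)
    for h in search_slack(slack, ["password", "confidential"]):
        print(f"'{h['pattern']}' at slack offset {h['offset']}: {h['context']!r}")
```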

Task 9: Partition Analysis


Input: Raw disk image or physical device
Process:
  1. Read partition table (MBR/GPT)
  2. Identify all partitions
  3. Detect hidden partitions
  4. Analyze unallocated space
  5. Document partition layout
Output: Complete partition analysis
Example:
```python
from disk_forensics import DiskAnalyzer, PartitionAnalyzer

analyzer = DiskAnalyzer("/evidence/full_disk.dd")
partition_analyzer = PartitionAnalyzer(analyzer)

# Get partition table type
pt_type = partition_analyzer.get_partition_table_type()
print(f"Partition Table: {pt_type}")

# List all partitions
partitions = partition_analyzer.list_partitions()
for p in partitions:
    print(f"Partition {p.index}:")
    print(f"  Type: {p.type_name}")
    print(f"  Start: {p.start_sector}")
    print(f"  Size: {p.size_bytes} bytes")
    print(f"  File System: {p.file_system}")
    print(f"  Bootable: {p.bootable}")

# Detect hidden partitions
hidden = partition_analyzer.find_hidden_partitions()
for h in hidden:
    print(f"HIDDEN: Found at sector {h.start_sector}")

# Analyze gaps between partitions
gaps = partition_analyzer.find_unallocated_space()
for gap in gaps:
    print(f"Unallocated: {gap.start_sector} - {gap.end_sector}")
    print(f"  Size: {gap.size_bytes} bytes")

# Analyze deleted partitions
deleted = partition_analyzer.find_deleted_partitions()

# Export partition map
partition_analyzer.export_map("/evidence/partition_map.json")
```
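Steps 1 to 4 of the process as an added example that is not the library's `PartitionAnalyzer`: it reads the protective MBR and primary GPT of a constructed 1 MiB disk image, lists the partitions, computes the unallocated gaps and scans them for orphaned boot sectors. GPT CRC32 fields are deliberately not verified here (a production parser must, and should fall back to the backup header); the disk layout in `build_sample_disk()` is constructed.

```python
import struct
import uuid

SECTOR = 512
# Partition type GUIDs from the UEFI spec, Microsoft and the Linux discoverable-partitions spec.
BASIC_DATA = "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7"
LINUX_FS = "0fc63daf-8483-4772-8e79-3d69d8477de4"
TYPE_NAMES = {"c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
              BASIC_DATA: "Microsoft basic data", LINUX_FS: "Linux filesystem"}

def detect_fs(sector):
    """Boot-sector sniff shared by the table walk and the gap scan."""
    if sector[510:512] != b"\x55\xaa":
        return None
    if sector[3:11] == b"NTFS    ":
        return "NTFS"
    return "FAT32" if sector[0x52:0x57] == b"FAT32" else None

def parse_mbr(img):
    entries = []
    for i in range(4):
        boot, ptype, start, size = struct.unpack_from("<B3xB3xII", img, 0x1BE + 16 * i)
        if ptype:
            entries.append({"index": i, "type": ptype, "start_sector": start,
                            "sectors": size, "bootable": boot == 0x80})
    return entries

def parse_gpt(img):
    """Primary GPT header (LBA 1) and its entry array; CRC32s are not checked here."""
    hdr = img[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        return None
    first_usable, last_usable = struct.unpack_from("<QQ", hdr, 0x28)
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 0x48)
    parts = []
    for i in range(n_entries):
        off = entries_lba * SECTOR + i * entry_size
        e = img[off:off + entry_size]
        type_guid = str(uuid.UUID(bytes_le=e[:16]))  # GPT GUIDs are mixed-endian
        if type_guid == "00000000-0000-0000-0000-000000000000":
            continue  # unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        parts.append({"index": i, "type_name": TYPE_NAMES.get(type_guid, type_guid),
                      "start_sector": first, "end_sector": last,
                      "size_bytes": (last - first + 1) * SECTOR,
                      "name": e[56:128].decode("utf-16-le").rstrip("\x00"),
                      "file_system": detect_fs(img[first * SECTOR:(first + 1) * SECTOR])})
    return {"first_usable": first_usable, "last_usable": last_usable, "partitions": parts}

def find_gaps(parts, first_usable, last_usable):
    """Usable LBA ranges that no table entry covers."""
    gaps, cursor = [], first_usable
    for p in sorted(parts, key=lambda p: p["start_sector"]):
        if p["start_sector"] > cursor:
            gaps.append((cursor, p["start_sector"] - 1))
        cursor = max(cursor, p["end_sector"] + 1)
    if cursor <= last_usable:
        gaps.append((cursor, last_usable))
    return gaps

def find_hidden(img, gaps):
    """Boot sectors inside gaps: deleted or deliberately unlisted volumes."""
    hits = []
    for start, end in gaps:
        for lba in range(start, end + 1):
            fs = detect_fs(img[lba * SECTOR:(lba + 1) * SECTOR])
            if fs:
                hits.append({"start_sector": lba, "file_system": fs})
    return hits

def analyze(img):
    mbr, gpt = parse_mbr(img), parse_gpt(img)
    if gpt is None:
        return {"table_type": "MBR", "partitions": mbr, "gaps": [], "hidden": []}
    protective = len(mbr) == 1 and mbr[0]["type"] == 0xEE
    gaps = find_gaps(gpt["partitions"], gpt["first_usable"], gpt["last_usable"])
    return {"table_type": "GPT (protective MBR)" if protective else "GPT (hybrid MBR)",
            "partitions": gpt["partitions"], "gaps": gaps, "hidden": find_hidden(img, gaps)}

def build_sample_disk(total=2048):
    """Constructed 1 MiB GPT disk: two partitions plus an orphaned NTFS boot
    sector at LBA 600 in the gap between them. Header CRCs are left zero."""
    img = bytearray(total * SECTOR)
    struct.pack_into("<B3xB3xII", img, 0x1BE, 0, 0xEE, 1, total - 1)  # protective MBR
    img[510:512] = b"\x55\xaa"
    disk_guid = uuid.UUID("11111111-2222-3333-4444-555555555555")
    img[SECTOR:SECTOR + 88] = struct.pack("<8sIIIIQQQQ16sQII", b"EFI PART", 0x10000, 92, 0, 0,
                                          1, total - 1, 34, total - 34, disk_guid.bytes_le, 2, 4, 128)

    def entry(type_guid, first, last, name):
        return (uuid.UUID(type_guid).bytes_le + uuid.uuid5(disk_guid, name).bytes_le
                + struct.pack("<QQQ", first, last, 0) + name.encode("utf-16-le").ljust(72, b"\x00"))

    img[2 * SECTOR:2 * SECTOR + 256] = entry(BASIC_DATA, 64, 511, "System") + entry(LINUX_FS, 1024, 1535, "Data")
    for lba, oem in ((64, b"NTFS    "), (600, b"NTFS    "), (1024, b"FAT32   ")):
        base = lba * SECTOR
        where = base + 3 if oem.startswith(b"NTFS") else base + 0x52
        img[where:where + 8] = oem
        img[base + 510:base + 512] = b"\x55\xaa"
    return bytes(img)
```

`analyze(build_sample_disk())` returns the table type, partitions, gaps and the orphaned boot sector at LBA 600.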

Task 10: Hash Analysis and Known File Detection


Input: Disk image or file collection
Process:
  1. Calculate hashes for all files
  2. Compare against known file databases
  3. Identify known good files (NSRL)
  4. Flag known malicious files
  5. Generate hash report
Output: Hash analysis with categorization
Example:
```python
from disk_forensics import DiskAnalyzer, HashAnalyzer

analyzer = DiskAnalyzer("/evidence/disk_image.E01")
hash_analyzer = HashAnalyzer(analyzer, volume_index=2)

# Calculate hashes for all files
hashes = hash_analyzer.hash_all_files(
    algorithms=["md5", "sha1", "sha256"]
)

# Compare against NSRL (known good files)
nsrl_results = hash_analyzer.check_nsrl(
    nsrl_path="/hashsets/NSRLFile.txt"
)
print(f"Known good files: {nsrl_results.known_count}")
print(f"Unknown files: {nsrl_results.unknown_count}")

# Check against malware hash database
malware_check = hash_analyzer.check_malware_hashes(
    hash_db="/hashsets/malware_hashes.txt"
)
for match in malware_check.matches:
    print(f"MALWARE: {match.file_path}")
    print(f"  Hash: {match.hash}")
    print(f"  Malware Name: {match.malware_name}")

# Find duplicate files
duplicates = hash_analyzer.find_duplicates()
for dup_group in duplicates:
    print(f"Duplicate files (hash: {dup_group.hash}):")
    for f in dup_group.files:
        print(f"  - {f}")

# Export hash report
hash_analyzer.export_report(
    output_path="/evidence/hash_report.csv",
    format="csv"
)
```
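Steps 1 to 4 of the process as an added example that is not the library's `HashAnalyzer`: a single-pass multi-algorithm hasher, an NSRL RDS-style loader keyed on SHA-1, a malware list lookup on SHA-256, categorisation and duplicate grouping. The sample files and both hash sets are constructed (the hash sets are derived from the sample files so the lookups resolve offline); the `sha256,name` malware-list format is an assumption.

```python
import csv
import hashlib
import io

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(fh, algorithms=ALGORITHMS, chunk=1 << 16):
    """All requested digests in a single pass over the stream."""
    hs = {a: hashlib.new(a) for a in algorithms}
    for block in iter(lambda: fh.read(chunk), b""):
        for h in hs.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def load_nsrl(text):
    """Index an NSRLFile.txt-style CSV by SHA-1 (the RDS primary key)."""
    return {row["SHA-1"].lower(): row["FileName"] for row in csv.DictReader(io.StringIO(text))}


def load_malware_hashes(text):
    """Constructed 'sha256,malware_name' list; comment lines start with '#'."""
    db = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            digest, name = line.split(",", 1)
            db[digest.strip().lower()] = name.strip()
    return db


def categorize(files, nsrl, malware):
    """Hash every file and label it known_bad (malware list wins), known_good
    (NSRL) or unknown. files maps path -> binary file-like object."""
    report = []
    for path, fh in files.items():
        h = hash_stream(fh)
        if h["sha256"] in malware:
            cat, label = "known_bad", malware[h["sha256"]]
        elif h["sha1"] in nsrl:
            cat, label = "known_good", nsrl[h["sha1"]]
        else:
            cat, label = "unknown", None
        report.append({"file_path": path, "category": cat, "label": label, **h})
    return report


def find_duplicates(report):
    """Groups of distinct paths with identical SHA-256."""
    groups = {}
    for r in report:
        groups.setdefault(r["sha256"], []).append(r["file_path"])
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


def summarize(report):
    counts = {"known_good": 0, "known_bad": 0, "unknown": 0}
    for r in report:
        counts[r["category"]] += 1
    return counts


# Constructed sample files standing in for a volume walk.
SAMPLE_FILES = {
    "/Windows/System32/notepad.exe": b"MZ\x90\x00" + b"N" * 100,
    "/Users/suspect/AppData/Local/Temp/x.tmp": b"MZ\x90\x00" + b"D" * 100,
    "/Users/suspect/Documents/report.docx": b"PK\x03\x04" + b"R" * 100,
    "/Users/suspect/Desktop/report_copy.docx": b"PK\x03\x04" + b"R" * 100,
}
GOOD = SAMPLE_FILES["/Windows/System32/notepad.exe"]
BAD = SAMPLE_FILES["/Users/suspect/AppData/Local/Temp/x.tmp"]
# Constructed hash sets built from the samples above (real ones come from NSRL downloads).
NSRL_SAMPLE = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    f'"{hashlib.sha1(GOOD).hexdigest().upper()}","{hashlib.md5(GOOD).hexdigest().upper()}",'
    '"00000000","notepad.exe","104","1","358",""\n'
)
MALWARE_SAMPLE = ("# sha256,name (constructed list, not real intel)\n"
                  f"{hashlib.sha256(BAD).hexdigest()},Trojan.Constructed.Dropper\n")


def demo():
    files = {p: io.BytesIO(d) for p, d in SAMPLE_FILES.items()}
    report = categorize(files, load_nsrl(NSRL_SAMPLE), load_malware_hashes(MALWARE_SAMPLE))
    return report, summarize(report), find_duplicates(report)


if __name__ == "__main__":
    report, counts, dups = demo()
    print(counts)
    for r in report:
        print(f"{r['category']:10} {r['file_path']} {r['label'] or ''}")
    for digest, paths in dups.items():
        print(f"Duplicate files (hash: {digest}): {paths}")
```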

Configuration


Environment Variables


| Variable | Description | Required | Default |
|---|---|---|---|
| SLEUTHKIT_PATH | Path to The Sleuth Kit binaries | No | System PATH |
| NSRL_PATH | Path to NSRL hash database | No | None |
| YARA_RULES | Path to YARA rules for file analysis | No | None |
| CARVING_SIGNATURES | Custom file carving signatures | No | Built-in |

Options


| Option | Type | Description |
|---|---|---|
| verify_image | boolean | Verify image integrity on load |
| cache_metadata | boolean | Cache parsed metadata |
| parallel_hash | boolean | Parallel hash calculation |
| carving_depth | integer | Maximum carving depth in bytes |
| timezone | string | Timezone for timestamp display |

Examples


Example 1: Data Theft Investigation


Scenario: Investigating potential intellectual property theft
```python
from disk_forensics import DiskAnalyzer, FileSystemParser, MFTParser

# Load suspect's disk image
analyzer = DiskAnalyzer("/evidence/suspect_laptop.E01")
parser = FileSystemParser(analyzer, volume_index=2)

# Find recently accessed sensitive documents
recent_docs = parser.find_files_by_date(
    start_date="2024-01-01",
    end_date="2024-01-31",
    date_type="accessed",
    extensions=[".docx", ".xlsx", ".pdf", ".pptx"]
)

# Check USB device history
usb_artifacts = analyzer.get_usb_history()
for device in usb_artifacts:
    print(f"USB: {device.device_name}")
    print(f"  First connected: {device.first_connected}")
    print(f"  Last connected: {device.last_connected}")

# Analyze MFT for deleted documents
mft = MFTParser(analyzer, volume_index=2)
deleted = mft.find_deleted_entries(extensions=[".docx", ".xlsx"])

# Check cloud sync folders
cloud_folders = [
    "/Users/suspect/Dropbox",
    "/Users/suspect/OneDrive",
    "/Users/suspect/Google Drive"
]
for folder in cloud_folders:
    files = parser.list_directory(folder, recursive=True)
    print(f"Found {len(files)} files in {folder}")
```

Example 2: Malware Persistence Analysis


Scenario: Finding malware persistence mechanisms on disk

```python
from disk_forensics import DiskAnalyzer, FileSystemParser, SignatureAnalyzer

analyzer = DiskAnalyzer("/evidence/infected_system.E01")
parser = FileSystemParser(analyzer, volume_index=2)
sig_analyzer = SignatureAnalyzer(analyzer, volume_index=2)

# Check common persistence locations
persistence_paths = [
    "/Windows/System32/Tasks",
    "/Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup",
    "/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup",
]
for path in persistence_paths:
    files = parser.list_directory(path)
    for f in files:
        print(f"Persistence: {f.name} - Created: {f.created_time}")

# Find hidden executables
hidden_exe = sig_analyzer.find_renamed_executables()

# Analyze Windows prefetch
prefetch_files = parser.find_files_by_extension([".pf"], path="/Windows/Prefetch")

# Check for suspicious services
services = parser.get_file("/Windows/System32/config/SYSTEM")
```
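The `find_renamed_executables()` call above relies on comparing each file's content signature with its extension. As an added, self-contained illustration of that check (it is not code from the disk_forensics package; the magic-byte table, paths and sample headers are constructed for the example), the following walks a dictionary of path -> leading bytes and reports every file whose extension is not one its signature allows, flagging PE and ELF content separately:

```python
from __future__ import annotations

import os

# Magic-byte prefixes and the extensions that legitimately carry them.
SIGNATURES = {
    b"MZ": {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"},
    b"\x7fELF": {".so", ".elf", ".bin", ".ko", ""},
    b"%PDF-": {".pdf"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"},
}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def identify(header: bytes) -> bytes | None:
    """Return the signature prefix matching the file's leading bytes, or None."""
    # Longest prefix first, so a longer signature is never shadowed by a shorter one.
    for magic in sorted(SIGNATURES, key=len, reverse=True):
        if header.startswith(magic):
            return magic
    return None


def find_mismatches(files: dict[str, bytes]) -> list[dict]:
    """Report files whose extension is not one their content signature allows.

    `files` maps a path to the first bytes of that file (a file-system parser
    would read the first sector of each file to obtain these).
    """
    findings = []
    for path, header in files.items():
        magic = identify(header)
        if magic is None:
            continue  # unknown content type: nothing to compare the extension against
        ext = os.path.splitext(path)[1].lower()
        if ext not in SIGNATURES[magic]:
            findings.append({
                "path": path,
                "extension": ext,
                "signature": magic,
                "executable": magic in EXECUTABLE_MAGIC,
            })
    return findings


def find_renamed_executables(files: dict[str, bytes]) -> list[str]:
    """Paths whose content is PE or ELF but whose extension says otherwise."""
    return [hit["path"] for hit in find_mismatches(files) if hit["executable"]]


# Constructed sample listing (path -> leading bytes); not data from a real image.
SAMPLE_FILES = {
    "/Users/suspect/Documents/report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",
    "/Users/suspect/Pictures/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "/Users/suspect/Downloads/invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",  # PE stored as .pdf
    "/ProgramData/cache/thumb.png": b"MZ\x90\x00\x03\x00\x00\x00",         # PE stored as .png
    "/Windows/System32/kernel32.dll": b"MZ\x90\x00\x03\x00\x00\x00",       # PE where one is expected
    "/Users/suspect/Desktop/notes.txt": b"meeting at 10",                   # no known signature
    "/Users/suspect/Desktop/archive.zip": b"PK\x03\x04\x14\x00",
    "/Users/suspect/Desktop/photo.jpg": b"\x89PNG\r\n\x1a\n",              # PNG mislabelled .jpg
}

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_FILES):
        print(hit)
```

A mismatch is a triage lead, not a verdict: archive-based formats (docx, jar) legitimately share the zip signature, so the allowed-extension sets are what keep the noise down, and anything with no known signature is simply skipped rather than reported.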

Example 3: Deleted File Recovery Operation

Scenario: Recovering deleted evidence

```python
from disk_forensics import DiskAnalyzer, FileRecovery, VSSAnalyzer

analyzer = DiskAnalyzer("/evidence/suspect_disk.E01")

# Method 1: File system recovery
recovery = FileRecovery(analyzer)
fs_deleted = recovery.find_deleted_files()
print(f"Found {len(fs_deleted)} deleted files in file system")

# Method 2: File carving
carved = recovery.carve_files(
    file_types=["jpg", "png", "pdf", "docx", "xlsx"],
    output_dir="/evidence/carved_files/",
)
print(f"Carved {len(carved)} files from unallocated space")

# Method 3: Volume Shadow Copy recovery
vss = VSSAnalyzer(analyzer, volume_index=2)
shadows = vss.list_shadow_copies()
for shadow in shadows:
    vss_files = vss.list_deleted_in_shadow(shadow.id)
    for f in vss_files:
        vss.extract_file(shadow.id, f.path, f"/evidence/vss_recovery/{shadow.id}/{f.name}")
```
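Method 2 above locates files in unallocated space by header and footer. As an added example (it is not the package's `carve_files()`; the buffer, signature table and sample objects are constructed here), the following carves JPEG and PNG objects from a raw byte buffer, validates a carved PNG by its chunk CRCs, and reports a header with no footer in range as incomplete, which is the fragmented-file limitation noted in the Limitations section:

```python
from __future__ import annotations

import struct
import zlib

# Header and footer byte sequences for each carved type.
CARVERS = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE_SIZE = 8 * 1024 * 1024  # stop looking for a footer after this many bytes


def carve(buf: bytes, file_types=("jpg", "png"), max_size=MAX_FILE_SIZE) -> list[dict]:
    """Return carved objects found in `buf`, ordered by offset.

    A header with no footer within `max_size` bytes is reported with
    data=None and complete=False: the file is fragmented, overwritten or
    truncated, and a header/footer carver cannot reassemble it.
    """
    hits = []
    for ftype in file_types:
        header, footer = CARVERS[ftype]
        pos = 0
        while (start := buf.find(header, pos)) != -1:
            end = buf.find(footer, start + len(header), start + max_size)
            if end == -1:
                hits.append({"type": ftype, "offset": start, "data": None, "complete": False})
                pos = start + len(header)
                continue
            end += len(footer)
            hits.append({"type": ftype, "offset": start, "data": buf[start:end], "complete": True})
            pos = end
    return sorted(hits, key=lambda h: h["offset"])


def validate_png(data: bytes) -> bool:
    """Structural check for a carved PNG: every chunk CRC matches and IEND is last."""
    if not data.startswith(CARVERS["png"][0]):
        return False
    pos, last_type = 8, None
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        chunk_end = pos + 12 + length
        if chunk_end > len(data):
            return False  # chunk claims more bytes than were carved
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:chunk_end])
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            return False
        last_type, pos = ctype, chunk_end
    return last_type == b"IEND" and pos == len(data)


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample objects (structurally valid, not real photographs).
SAMPLE_PNG = (
    CARVERS["png"][0]
    + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))  # 1x1, 8-bit greyscale
    + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))                    # filter byte + one pixel
    + png_chunk(b"IEND", b"")
)
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x11" * 40
    + b"\xff\xd9"
)
# Constructed "unallocated space": filler, a whole JPEG, a whole PNG, and a JPEG
# whose remainder was overwritten (header present, footer gone).
UNALLOCATED = (
    b"\x00" * 512
    + SAMPLE_JPEG
    + b"\xaa" * 300
    + SAMPLE_PNG
    + b"\x00" * 128
    + b"\xff\xd8\xff\xe1" + b"\x22" * 64
)

if __name__ == "__main__":
    for hit in carve(UNALLOCATED):
        size = len(hit["data"]) if hit["data"] else 0
        print(f"{hit['type']} @ {hit['offset']}: {size} bytes, complete={hit['complete']}")
```

The `max_size` bound matters in practice: without it a header whose footer has been overwritten would be joined to the next file's footer, producing exactly the corrupt output described under Common Issue 3 below. The CRC walk is the kind of "validation setting" that separates a structurally sound carve from one that merely has the right bytes at both ends.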

Limitations

  • Maximum supported disk image size depends on system resources
  • EWF compression may slow analysis on large images
  • File carving cannot recover fragmented files completely
  • Encrypted volumes require decryption keys
  • Some file systems may have limited support
  • VSS analysis requires Windows images
  • Hash database comparison requires external databases

Troubleshooting

Common Issue 1: Image Mount Failure

Problem: Unable to mount or read disk image
Solution:
  • Verify image integrity with hash verification
  • Check for supported image format (raw, E01, AFF)
  • Ensure adequate disk space for cache

Common Issue 2: File System Not Recognized

Problem: Unknown file system type
Solution:
  • Check partition offset alignment
  • Try manual file system specification
  • Verify image is not encrypted
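The first item above, checking the partition offset, is easiest to see with the partition table itself. As an added example (not part of disk_forensics; the image, MBR entry and NTFS boot sector are constructed), the following parses a classic MBR, converts each entry's starting LBA to a byte offset, and identifies the file system by reading the volume boot sector at that offset. Reading at offset 0 instead returns "unknown", which is the symptom this issue describes:

```python
from __future__ import annotations

import struct

SECTOR_SIZE = 512
PARTITION_TYPES = {
    0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
    0x83: "Linux", 0x8E: "Linux LVM", 0xEE: "GPT protective",
}


def parse_mbr(sector0: bytes, sector_size: int = SECTOR_SIZE) -> list[dict]:
    """Decode the four primary partition entries at offset 446 of an MBR."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    partitions = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:
            continue  # empty slot
        # CHS fields (bytes 1-3, 5-7) are ignored; LBA start and length are authoritative.
        lba_start, sector_count = struct.unpack("<II", entry[8:16])
        partitions.append({
            "index": i,
            "bootable": entry[0] == 0x80,
            "type_id": ptype,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "lba_start": lba_start,
            "sectors": sector_count,
            "byte_offset": lba_start * sector_size,   # where a parser must start reading
            "size_bytes": sector_count * sector_size,
        })
    return partitions


def identify_volume(image: bytes, offset: int) -> str:
    """Name the file system from the volume boot sector (or ext superblock) at `offset`."""
    vbr = image[offset: offset + 512]
    if len(vbr) < 512:
        return "unknown"
    if vbr[3:11] == b"NTFS    ":
        return "NTFS"
    if vbr[3:11] == b"EXFAT   ":
        return "exFAT"
    if vbr[82:90] == b"FAT32   ":
        return "FAT32"
    if vbr[54:59] in (b"FAT12", b"FAT16"):
        return bytes(vbr[54:59]).decode()
    superblock = image[offset + 1024: offset + 2048]  # ext2/3/4 superblock sits 1 KiB in
    if len(superblock) == 1024 and struct.unpack("<H", superblock[56:58])[0] == 0xEF53:
        return "ext2/3/4"
    return "unknown"


def locate_volumes(image: bytes) -> list[dict]:
    """Partition table entries with the file system found at each byte offset."""
    volumes = []
    for part in parse_mbr(image[:512]):
        volumes.append({**part, "fs": identify_volume(image, part["byte_offset"])})
    return volumes


def build_sample_image() -> bytes:
    """Constructed 1 MiB + 4 KiB image: one bootable type-0x07 partition at LBA 2048."""
    mbr = bytearray(512)
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 8)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(SECTOR_SIZE * (2048 + 8))
    image[:512] = mbr
    vbr = bytearray(512)
    vbr[0:3] = b"\xeb\x52\x90"      # jump instruction typical of an NTFS boot sector
    vbr[3:11] = b"NTFS    "         # OEM ID
    vbr[510:512] = b"\x55\xaa"
    image[2048 * SECTOR_SIZE: 2048 * SECTOR_SIZE + 512] = vbr
    return bytes(image)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for vol in locate_volumes(SAMPLE_IMAGE):
        print(vol)
    print("at offset 0:", identify_volume(SAMPLE_IMAGE, 0))
```

A type 0xEE entry means the real layout is in a GPT header at LBA 1 and the MBR is only a protective stub; likewise an image acquired with 4096-byte sectors needs `sector_size=4096`, or every byte offset will be off by a factor of eight and the parser will again report an unknown file system.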

Common Issue 3: Carving Produces Corrupt Files

Problem: Carved files are damaged or incomplete
Solution:
  • Files may be fragmented
  • Increase carving validation settings
  • Use multiple carving tools for verification

Common Issue 4: Slow Hash Calculation

Problem: Hashing takes too long
Solution:
  • Enable parallel processing
  • Use a faster hash algorithm (MD5 rather than SHA-256)
  • Exclude known good files
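Common Issues 1 and 4 both come down to how the image is hashed. The following added example (not the package's own hashing code; the sample image is a constructed temporary file) reads an image in fixed-size chunks so memory use stays flat, feeds every requested digest from a single read pass, verifies against recorded hashes with a constant-time comparison, and hashes several files in parallel threads. CPython's hashlib releases the GIL while digesting large buffers, so threads do give real speed-up on this I/O-bound work.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import tempfile
from concurrent.futures import ThreadPoolExecutor

CHUNK_SIZE = 4 * 1024 * 1024  # 4 MiB reads keep memory flat on multi-terabyte images


def hash_file(path: str, algorithms=("md5", "sha256"), chunk_size: int = CHUNK_SIZE) -> dict[str, str]:
    """Hex digests for every algorithm, all computed from one pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path: str, expected: dict[str, str]) -> dict[str, bool]:
    """Compare the image against digests recorded at acquisition time.

    `expected` maps algorithm name -> hex digest. Only the recorded algorithms
    are computed, and comparison is constant-time.
    """
    actual = hash_file(path, algorithms=tuple(expected))
    return {
        name: hmac.compare_digest(actual[name].lower(), digest.lower())
        for name, digest in expected.items()
    }


def hash_many(paths: list[str], algorithms=("sha256",), workers: int = 4) -> dict[str, dict[str, str]]:
    """Hash several files concurrently; results keyed by path."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(paths, pool.map(lambda p: hash_file(p, algorithms), paths)))


def reference_digest(data: bytes, algorithm: str) -> str:
    """One-shot digest of an in-memory buffer, used to cross-check the chunked path."""
    return hashlib.new(algorithm, data).hexdigest()


# Constructed 1 MiB "image" written to a temporary file; not evidence data.
SAMPLE_BYTES = bytes(range(256)) * 4096


def _write_sample() -> str:
    fd, path = tempfile.mkstemp(suffix=".raw")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_BYTES)
    return path


SAMPLE_IMAGE_PATH = _write_sample()

if __name__ == "__main__":
    digests = hash_file(SAMPLE_IMAGE_PATH)
    print(digests)
    print(verify_image(SAMPLE_IMAGE_PATH, digests))
```

Because both digests come from the same read, keeping SHA-256 next to MD5 costs CPU but not a second pass over the evidence. MD5 alone is fine for matching against known-file hash sets, where speed matters and the sets are published in MD5; it should not be the only integrity record kept for an image, since MD5 collisions are practical.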

Related Skills

  • memory-forensics: Volatile memory analysis
  • timeline-forensics: Super timeline creation
  • artifact-collection: Evidence collection procedures
  • registry-forensics: Windows registry analysis
  • malware-forensics: Malware sample analysis

References

  • Disk Forensics Reference
  • File System Analysis Guide
  • File Carving Signatures