삭제된 파일을 복구하기 위한 전제 조건은 삭제하였던 파일이 있었던 하드디스크의 섹터 부분이 다른 파일로 덮어 씌워지기 전에 복구해야 한다는 것입니다.
1. 파일 복구 프로그램 설치
1) tct 다운로드
http://www.porcupine.org/forensics/tct.html
2) 설치
# tar zxvf tct-1.16.tar.gz
# cd tct-1.16
# vi src/fstools/mylseek.c 파일을 열어 #include 추가
# make
2. 파일 복구 테스트
예시:
grub.conf 파일을 /tmp/grub 로 복사후 삭제한 다음 복구가 되는지 테스트해 보았습니다.
1) 삭제후 복구할 테스트 파일(grub.conf)을 /tmp 디렉토리로 복사후 삭제
# cp -a /boot/grub /tmp
# rm /tmp/grub -rf
# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda8 289M 8.1M 266M 3% /tmp
2) /tmp 파티션을 unrm 명령으로 덤프를 뜹니다. 이때 복구 대상 파티션에는 더 이상 쓰기가 일어나지 않도록 하고, 덤프 파일(tmp_dump)은 복구 대상이 아닌 다른 파일시스템에 저장해야 삭제된 데이터가 덮어 씌워지지 않습니다.
unrm - disk data recovery
# ./bin/unrm /dev/hda8 > tmp_dump
# ll -h tmp_dump
-rw-r--r-- 1 root root 281M 1월 16 19:13 tmp_dump
3) lazarus 명령으로 덤프를 뜬 파티션의 파일을 복구합니다.
lazarus =create structure from unstructured data
# ./bin/lazarus -h tmp_dump --> 아래와 같은 파일과 디렉토리 생성
# ll -h
drwx------ 2 root root 106496 1월 16 19:48 blocks
-rw-r--r-- 1 root root 294216704 1월 16 19:13 tmp_dump
-rw-r--r-- 1 root root 203 1월 16 19:14 tmp_dump.frame.html
-rw-r--r-- 1 root root 730609 1월 16 19:48 tmp_dump.html
-rw-r--r-- 1 root root 1472 1월 16 19:14 tmp_dump.menu.html
drwx------ 2 root root 270336 1월 16 19:48 www
4) blocks 디렉토리에서 /boot/grub/grub.conf 파일의 내용과 동일한 파일을 검색합니다. 여기에서는 LABEL이라는 단어로 검색하였습니다.
# grep LABEL ./blocks/*.txt
Binary file ./blocks/7631.t.txt matches
7631.t.txt 라는 파일을 열어보니 /boot/grub/grub.conf 파일 내용과 일치함을 보였습니다. 복구에 성공!!
# cat ./blocks/7631.t.txt
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hda7
# initrd /initrd-version.img
#boot=/dev/hda
default=1
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.20-46.9.legacy)
root (hd0,0)
kernel /vmlinuz-2.4.20-46.9.legacy ro root=LABEL=/ hdc=ide-scsi
initrd /initrd-2.4.20-46.9.legacy.img
title Red Hat Linux (2.4.29)
root (hd0,0)
kernel /vmlinuz-2.4.29 ro root=/dev/hda7 hdc=ide-scsi
initrd /initrd-2.4.29.img
title Red Hat Linux (2.4.20-37.9.legacy)
root (hd0,0)
kernel /vmlinuz-2.4.20-37.9.legacy ro root=LABEL=/ hdc=ide-scsi
initrd /initrd-2.4.20-37.9.legacy.img
title Red Hat Linux (2.4.20-8)
root (hd0,0)
kernel /vmlinuz-2.4.20-8 ro root=LABEL=/ hdc=ide-scsi
initrd /initrd-2.4.20-8.img
3. 참고 문서
http://kltp.kldp.org/stories.php?story=01/11/01/7561951
최종수정일: 2009-11-11
<자료출처 : 후이즈 http://cs.whois.co.kr/faq/?p=list&page=13 >