COMP832-Week 1 Introduction to the forensics life cycle and gain an overview of management and technical skills required.

下面则是来自fdisk的help文档

┌──(root㉿kali)-[~]
└─# fdisk --help
Usage:
fdisk [options] change partition table
fdisk [options] -l […] list partition table(s)
Display or manipulate a disk partition table.
Options:
-b, --sector-size physical and logical sector size
-B, --protect-boot don't erase bootbits when creating a new label
-c, --compatibility[=] mode is 'dos' or 'nondos' (default)
-L, --color[=] colorize output (auto, always or never)
colors are enabled by default
-l, --list display partitions and exit
-x, --list-details like --list but with more details
-n, --noauto-pt don't create default partition table on empty devices
-o, --output output columns
-t, --type recognize specified partition table type only
-u, --units[=] display units: 'cylinders' or 'sectors' (default)
-s, --getsz display device size in 512-byte sectors [DEPRECATED]
--bytes print SIZE in bytes rather than in human readable format
--lock[=] use exclusive device lock (yes, no or nonblock)
-w, --wipe wipe signatures (auto, always or never)
-W, --wipe-partitions wipe signatures from new partitions (auto, always or never)
-C, --cylinders specify the number of cylinders
-H, --heads specify the number of heads
-S, --sectors specify the number of sectors per track
-h, --help display this help
-V, --version display version
Available output columns:
gpt: Device Start End Sectors Size Type Type-UUID Attrs Name UUID
dos: Device Start End Sectors Cylinders Size Type Id Attrs Boot End-C/H/S
Start-C/H/S
bsd: Slice Start End Sectors Cylinders Size Type Bsize Cpg Fsize
sgi: Device Start End Sectors Cylinders Size Type Id Attrs
sun: Device Start End Sectors Cylinders Size Type Id Flags

这个来自于hexedit的help文档

OPTIONS
-s, --sector
Format the display to have entire sectors.
-m, --maximize Try to maximize the display. --color Display colors. This feature is only available if your operating system supports it. -l<n>, --linelength <n> Explicitly set the number of bytes to display per line to <n>. -h, --help Show the usage.
COMMANDS (quickly)
Moving
<, > : go to start/end of the file
Right: next character
Left: previous character
Down: next line
Up: previous line
Home: beginning of line
End: end of line
PUp: page forward
PDown: page backward
Miscellaneous
F2: save
F3: load file
F1: help
Ctrl-L: redraw
Ctrl-Z: suspend
Ctrl-X: save and exit
Ctrl-C: exit without saving
Tab: toggle hex/ascii Return: go to Backspace: undo previous character Ctrl-U: undo all Ctrl-S: search forward Ctrl-R: search backward
Cut&Paste
Ctrl-Space: set mark
Esc-W: copy
Ctrl-Y: paste
Esc-Y: paste into a file
COMMANDS (full and detailed)
o Right-Arrow, Left-Arrow, Down-Arrow, Up-Arrow - move the cursor.
o Ctrl+F, Ctrl+B, Ctrl+N, Ctrl+P - move the cursor.
o Ctrl+Right-Arrow, Ctrl+Left-Arrow, Ctrl+Down-Arrow, Ctrl+Up-Arrow - move n times the cursor.
o Esc+Right-Arrow, Esc+Left-Arrow, Esc+Down-Arrow, Esc+Up-Arrow - move n times the cursor.
o Esc+F, Esc+B, Esc+N, Esc+P - move n times the cursor.
o Home, Ctrl+A - go the beginning of the line.
o End, Ctrl+E - go to the end of the line.
o Page up, Esc+V, F5 - go up in the file by one page.
o Page down, Ctrl+V, F6 - go down in the file by one page.
o <, Esc+<, Esc+Home - go to the beginning of the file. o >, Esc+>, Esc+End - go to the end of the file (for regular files that have a size).
o Ctrl+Z - suspend hexedit.
o Ctrl+U, Ctrl+_, Ctrl+/ - undo all (forget the modifications).
o Ctrl+Q - read next input character and insert it (this is useful for inserting control characters and bound keys).
o Tab, Ctrl+T - toggle between ASCII and hexadecimal.
o /, Ctrl+S - search forward (in ASCII or in hexadecimal, use TAB to change).
o Ctrl+R - search backward.
o Ctrl+G, F4 - go to a position in the file.
o Return - go to a sector in the file if --sector is used, otherwise go to a position in the file.
o Esc+L - display the page starting at the current cursor position.
o F2, Ctrl+W - save the modifications.
o F1, Esc+H - help (show the man page).
o Ctrl+O, F3 - open another file
o Ctrl+L - redisplay (refresh) the display (useful when your terminal screws up).
o Backspace, Ctrl+H - undo the modifications made on the previous byte.
o Esc+Ctrl+H - undo the modifications made on the previous bytes.
o Ctrl+Space, F9 - set mark where cursor is.
o Esc+W, Delete, F7 - copy selected region.
o Ctrl+Y, Insert, F8 - paste (yank) previously copied region.
o Esc+Y, F11 - save previously copied region to a file.
o Esc+I, F12 - fill the selection with a string
o Esc+T - truncate the file at the current location
o Ctrl+C - unconditional quit (without saving).
o F10, Ctrl+X - quit.
For the Esc commands, it sometimes works to use Alt instead of Esc. Funny things here (especially for froggies :) egrave = Alt+H , ccedilla = Alt+G, Alt+Y = ugrave.

来自于md5sum的help文档

┌──(root㉿kali)-[~]
└─# md5sum --help

Usage: md5sum [OPTION]… [FILE]…
Print or check MD5 (128-bit) checksums.
With no FILE, or when FILE is -, read standard input.
-b, --binary read in binary mode
-c, --check read MD5 sums from the FILEs and check them
--tag create a BSD-style checksum
-t, --text read in text mode (default)
-z, --zero end each output line with NUL, not newline,
and disable file name escaping
The following five options are useful only when verifying checksums:
--ignore-missing don't fail or report status for missing files
--quiet don't print OK for each successfully verified file
--status don't output anything, status code shows success
--strict exit non-zero for improperly formatted checksum lines
-w, --warn warn about improperly formatted checksum lines
--help display this help and exit --version output version information and exit

来自于sha1sum的help文档

┌──(root㉿kali)-[~]
└─# sha1sum --help

Usage: sha1sum [OPTION]… [FILE]…
Print or check SHA1 (160-bit) checksums.
With no FILE, or when FILE is -, read standard input.
-b, --binary read in binary mode
-c, --check read SHA1 sums from the FILEs and check them
--tag create a BSD-style checksum
-t, --text read in text mode (default)
-z, --zero end each output line with NUL, not newline,
and disable file name escaping
The following five options are useful only when verifying checksums:
--ignore-missing don't fail or report status for missing files
--quiet don't print OK for each successfully verified file
--status don't output anything, status code shows success
--strict exit non-zero for improperly formatted checksum lines
-w, --warn warn about improperly formatted checksum lines
--help display this help and exit --version output version information and exit

来自于dd的help文档

┌──(root㉿kali)-[~]
└─# dd --help

Usage: dd [OPERAND]…
or: dd OPTION
Copy a file, converting and formatting according to the operands.
bs=BYTES read and write up to BYTES bytes at a time (default: 512);
overrides ibs and obs
cbs=BYTES convert BYTES bytes at a time
conv=CONVS convert the file as per the comma separated symbol list
count=N copy only N input blocks
ibs=BYTES read up to BYTES bytes at a time (default: 512)
if=FILE read from FILE instead of stdin
iflag=FLAGS read as per the comma separated symbol list
obs=BYTES write BYTES bytes at a time (default: 512)
of=FILE write to FILE instead of stdout
oflag=FLAGS write as per the comma separated symbol list
seek=N skip N obs-sized blocks at start of output
skip=N skip N ibs-sized blocks at start of input
status=LEVEL The LEVEL of information to print to stderr;
'none' suppresses everything but error messages,
'noxfer' suppresses the final transfer statistics,
'progress' shows periodic transfer statistics
N and BYTES may be followed by the following multiplicative suffixes:
c=1, w=2, b=512, kB=1000, K=1024, MB=10001000, M=10241024, xM=M,
GB=100010001000, G=102410241024, and so on for T, P, E, Z, Y.
Binary prefixes can be used, too: KiB=K, MiB=M, and so on.
Each CONV symbol may be:
ascii from EBCDIC to ASCII
ebcdic from ASCII to EBCDIC
ibm from ASCII to alternate EBCDIC
block pad newline-terminated records with spaces to cbs-size
unblock replace trailing spaces in cbs-size records with newline
lcase change upper case to lower case
ucase change lower case to upper case
sparse try to seek rather than write all-NUL output blocks
swab swap every pair of input bytes
sync pad every input block with NULs to ibs-size; when used
with block or unblock, pad with spaces rather than NULs
excl fail if the output file already exists
nocreat do not create the output file
notrunc do not truncate the output file
noerror continue after read errors
fdatasync physically write output file data before finishing
fsync likewise, but also write metadata
Each FLAG symbol may be:
append append mode (makes sense only for output; conv=notrunc suggested)
direct use direct I/O for data
directory fail unless a directory
dsync use synchronized I/O for data
sync likewise, but also for metadata
fullblock accumulate full blocks of input (iflag only)
nonblock use non-blocking I/O
noatime do not update access time
nocache Request to drop cache. See also oflag=sync
noctty do not assign controlling terminal from file
nofollow do not follow symlinks
count_bytes treat 'count=N' as a byte count (iflag only)
skip_bytes treat 'skip=N' as a byte count (iflag only)
seek_bytes treat 'seek=N' as a byte count (oflag only)

来自于dcfldd的help文档

┌──(root㉿kali)-[~]
└─# dcfldd --help

Usage: dcfldd [OPTION]…
Enhanced version of dd for forensics and security.
bs=BYTES force ibs=BYTES and obs=BYTES (default=32768)
cbs=BYTES convert BYTES bytes at a time
conv=KEYWORDS convert the file as per the comma separated keyword list
count=BLOCKS copy only BLOCKS input blocks
limit=BYTES similar to count but using BYTES instead of BLOCKS
ibs=BYTES read BYTES bytes at a time
if=FILE read from FILE instead of stdin
obs=BYTES write BYTES bytes at a time
of=FILE write to FILE instead of stdout
of:=COMMAND exec and write output to process COMMAND
seek=BLOCKS skip BLOCKS obs-sized blocks at start of output
skip=BLOCKS skip BLOCKS ibs-sized blocks at start of input
pattern=HEX use the specified binary pattern as input
textpattern=TEXT use repeating TEXT as input
errlog=FILE send error messages to FILE as well as stderr
hash=NAME do hash calculation (md5, sha1, sha256, sha384 or sha512)
hashlog=FILE send hash output to FILE instead of stderr
hashwindow=BYTES perform a hash on every BYTES amount of data
hashlog:=COMMAND exec and write hashlog to process COMMAND
ALGORITHMlog:=COMMAND also works in the same fashion of hashlog:=COMMAND
hashconv=[before|after] perform the hashing before or after the conversions
hashformat=FORMAT display each hashwindow according to FORMAT
totalhashformat=FORMAT display the total hash value according to FORMAT
status=[on|off] display a continual status message on stderr
statusinterval=N update the status message every N blocks
sizeprobe=[if|of|BYTES] what to use as value to percentage indicator
split=BYTES write every BYTES amount of data to a new file
splitformat=[TEXT|MAC|WIN] the file extension format for split operation
vf=FILE verify that FILE matches the specified input
verifylog=FILE send verify results to FILE instead of stderr
verifylog:=COMMAND exec and write verify results to process COMMAND
diffwr=[on|off] only write to output if destination block content differs

┌──(root㉿kali)-[~]
└─# dc3dd --help

usage:
dc3dd [OPTION 1] [OPTION 2] ... [OPTION N]
*or*
dc3dd [HELP OPTION]
where each OPTION is selected from the basic or advanced options listed below, or HELP OPTION is selected from the help options listed below.

basic options:
if=DEVICE or FILE
Read input from a device or a file (see note #1 below for how to read from standard input). This option can only be used once and cannot be combined with ifs=, pat=, or tpat=.
ifs=BASE.FMT
Read input from a set of files with base name BASE and sequential file name extensions conforming to the format specifier FMT (see note #4 below for how to specify FMT). This option can only be used once and cannot be combined with if=, pat=, or tpat=.
of=FILE or DEVICE
Write output to a file or device (see note #2 below for how to write to standard output). This option can be used more than once (see note #3 below for how to generate multiple outputs).
hof=FILE or DEVICE
Write output to a file or device, hash the output bytes, and verify by comparing the output hash(es) to the input hash(es). This option can be used more than once (see note #3 below for how to generate multiple outputs).
ofs=BASE.FMT
Write output to a set of files with base name BASE and sequential file name extensions generated from the format specifier FMT (see note #4 below for how to specify FMT). This option can be used more than once (see note #3 below for how to generate multiple outputs). Specify the maximum size of each file in the set using ofsz=.
hofs=BASE.FMT
Write output to a set of files with base name BASE and sequential file name extensions generated from the format specifier FMT (see note #4 below for how to specify FMT). Hash the output files and verify by comparing the output hash(es) to the input hash(es). This option can be used more than once (see note #3 below for how to generate multiple outputs). Specify the maximum size of each file in the set using ofsz=.
ofsz=BYTES
Set the maximum size of each file in the sets of files specified using ofs= or hofs= to BYTES (see note #5 below). A default value for this option may be set at compile time using -DDEFAULT_OUTPUT_FILE_SIZE followed by the desired value in BYTES.
hash=ALGORITHM
Compute an ALGORITHM hash of the input and also of any outputs specified using hof=, hofs=, or fhod=, where ALGORITHM is one of md5, sha1, sha256, or sha512. This option may be used once for each supported ALGORITHM. Alternatively, hashing can be activated at compile time using one or more of -DDEFAULT_HASH_MD5,-DDEFAULT_HASH_SHA1, -DDEFAULT_HASH_SHA256, and -DDEFAULT_HASH_SHA512.
log=FILE Log
I/O statistcs, diagnostics, and total hashes of input and output to FILE. If hlog= is not specified, piecewise hashes of multiple file input and output are also logged to FILE. This option can be used more than once to generate multiple logs.
hlog=FILE
Log total hashes and piecewise hashes to FILE. This option can be used more than once to generate multiple logs.
mlog=FILE
Create hash log that is easier for machine to read

advanced options:
fhod=DEVICE
The same as hof=DEVICE, with additional hashing of the entire output DEVICE. This option can be used more than once (see note #3 below for how to generate multiple outputs).
rec=off
By default, zeros are written to the output(s) in place of bad sectors when the input is a device. Use this option to cause the program to instead exit when a bad sector is encountered.
wipe=DEVICE
Wipe DEVICE by writing zeros (default) or a pattern specified by pat= or tpat=.
hwipe=DEVICE
Wipe DEVICE by writing zeros (default) or a pattern specified by pat= or tpat=. Verify DEVICE after writing it by hashing it and comparing the hash(es) to the input hash(es).
pat=HEX
Use pattern as input, writing HEX to every byte of the output. This option can only be used once and cannot be combined with if=, ifs=, or tpat=.
tpat=TEXT
Use text pattern as input, writing the string TEXT repeatedly to the output. This option can only be used once and cannot be combined with if=, ifs=, or pat=.
cnt=SECTORS
Read only SECTORS input sectors. Must be used with pat= or tpat= if not using the pattern with wipe= or hwipe= to wipe a device.
iskip=SECTORS
Skip SECTORS sectors at start of the input device or file.
oskip=SECTORS
Skip SECTORS sectors at start of the output file. Specifying oskip= automatically sets app=on.
app=on
Do not overwrite an output file specified with of= if it already exists, appending output instead.
ssz=BYTES
Unconditionally use BYTES (see note #5 below) bytes for sector size. If ssz= is not specified, sector size is determined by probing the device; if the probe fails or the target is not a device, a sector size of 512 bytes is assumed.
bufsz=BYTES
Set the size of the internal byte buffers to BYTES (see note #5 below). This effectively sets the maximum number of bytes that may be read at a time from the input. BYTES must be a multiple of sector size. Use this option to fine-tune performance.
verb=on
Activate verbose reporting, where sectors in/out are reported for each file in sets of files specified using ifs=, ofs=, or hofs=. Alternatively, verbose reporting may be activated at compile time using -DDEFAULT_VERBOSE_REPORTING.
nwspc=on
Activate compact reporting, where the use of white space to divide log output into logical sections is suppressed. Alternatively, compact reporting may be activated at compile time using -DDEFAULT_COMPACT_REPORTING.
b10=on
Activate base 10 bytes reporting, where the progress display reports 1000 bytes instead of 1024 bytes as 1 KB. Alternatively, base 10 bytes reporting may be activated at compile time using -DDEFAULT_BASE_TEN_BYTES_REPORTING.
corruptoutput=on
For verification testing and demonstration purposes, corrupt the output file(s) with extra bytes so a hash mismatch is guaranteed.