On OpenBSD there are a few more steps: before the image can be mounted it has to be configured on a vnode pseudo disk device. Here is an example:
mounting a file system image in OpenBSD:
##==
##== associate the image with the vnode pseudo disk device
# vnconfig -v -c svnd0 /var/space/images/2003_02_17_openbsd_attack.bin
svnd0: 7277544448 bytes on /var/space/images/2003_02_17_openbsd_attack.bin
##==
##== mount the image read-only so that the image doesn't change on disk
# mount -o ro /dev/svnd0c /mnt
##==
##== list the contents of the mounted image
# ls -la /mnt
total 9026
drwxr-xr-x 14 root wheel 512 Nov 4 2002 .
drwxr-xr-x 14 root wheel 512 Nov 4 2002 ..
-rw-r--r-- 2 root wheel 685 Nov 4 2002 .cshrc
-rw-r--r-- 2 root wheel 179 Nov 4 2002 .profile
drwxr-xr-x 2 root wheel 512 Oct 4 2002 altroot
drwxr-xr-x 2 root wheel 1024 Oct 4 2002 bin
-r-xr-xr-x 1 root wheel 53248 Nov 4 2002 boot
-rw-r--r-- 1 root wheel 4515116 Nov 4 2002 bsd
drwxr-xr-x 4 root wheel 19968 Sep 12 11:56 dev
drwxr-xr-x 19 root wheel 2048 Mar 28 12:44 etc
[ output deleted ]
##==
##== unmount the image
# umount /mnt
##==
##== dis-associate the image from the vnode pseudo disk device
# vnconfig -v -u svnd0
svnd0: cleared
fsdb is the FFS (fast file system) debugger on OpenBSD. fsdb has no read-only mode, so working from a copy of the image matters even more here. In addition, the cd command in fsdb may write to the file system, just like the ci command, which changes the [active] inode.
using fsdb on a file system image in OpenBSD:
##==
##== associate the image with the vnode pseudo disk device
# vnconfig -vc svnd0 /var/space/images/2003_02_17_openbsd_attack.bin
svnd0: 7277544448 bytes on /var/space/images/2003_02_17_openbsd_attack.bin
##==
##== start fsdb on /dev/svnd0c
# fsdb -f /dev/rsvnd0c
** /dev/rsvnd0c
** File system is already clean
Editing file system `/dev/rsvnd0c'
Last Mounted on /mnt
current inode: directory
I=2 MODE=40755 SIZE=512
MTIME=Nov 4 19:49:30 2002 [0 nsec]
CTIME=Nov 4 19:49:30 2002 [0 nsec]
ATIME=Apr 11 14:06:57 2003 [0 nsec]
OWNER=root GRP=wheel LINKCNT=14 FLAGS=0 BLKCNT=2 GEN=e32f2a77
fsdb (inum: 2)> ls
slot 0 ino 2 reclen 12: directory, `.'
slot 1 ino 2 reclen 12: directory, `..'
slot 2 ino 0 reclen 16: regular, `boot'
slot 3 ino 7488 reclen 16: directory, `altroot'
slot 4 ino 33216 reclen 12: directory, `bin'
slot 5 ino 14016 reclen 12: directory, `dev'
slot 6 ino 42816 reclen 12: directory, `etc'
slot 7 ino 42048 reclen 16: directory, `home'
slot 8 ino 59904 reclen 12: directory, `mnt'
slot 9 ino 6528 reclen 16: directory, `root'
slot 10 ino 5568 reclen 16: directory, `sbin'
slot 11 ino 45888 reclen 16: directory, `stand'
slot 12 ino 27072 reclen 12: directory, `tmp'
slot 13 ino 41472 reclen 12: directory, `usr'
slot 14 ino 6336 reclen 12: directory, `var'
slot 15 ino 6529 reclen 16: regular, `.cshrc'
slot 16 ino 6532 reclen 20: regular, `.profile'
slot 17 ino 4 reclen 12: symlink, `sys'
slot 18 ino 0 reclen 260: regular, `bsd'
fsdb (inum: 2)> cd etc/passwd
component `passwd': current inode: regular file
I=42860 MODE=100644 SIZE=1033
MTIME=Feb 27 21:38:23 2003 [0 nsec]
CTIME=Feb 27 21:38:23 2003 [0 nsec]
ATIME=Apr 11 13:49:57 2003 [0 nsec]
OWNER=root GRP=wheel LINKCNT=1 FLAGS=0 BLKCNT=4 GEN=4bf628a5
fsdb (inum: 42860)> quit
##==
##== dis-associate the image from the vnode pseudo disk device
# vnconfig -vu svnd0
svnd0: cleared
As on OpenBSD, handling an image on Solaris takes a few extra steps. Solaris has a driver called lofi (loopback file). Until lofiadm has been used, the kernel does not report the lofi module as loaded; after running lofiadm, the lofi driver should appear among the loaded kernel modules. Use the modinfo command to list the currently loaded kernel modules. The lofiadm command is part of the SUNWcsu package, so no additional packages or tools need to be installed. Here is an example:
mounting a file system image in Solaris:
##==
##== register the image available as a block device via the loopback driver:
# lofiadm -a /mnt/images/2003_02_17_attack.bin
/dev/lofi/1
##==
##== verify that the image is registered
# lofiadm
Block Device File
/dev/lofi/1 /var/space/images/2003_02_17_attack.bin
##==
##== mount the image read-only so that the image doesn't change on disk
# mount -o ro /dev/lofi/1 /mnt
##==
##== list the contents of the mounted image
# ls -la /mnt
/mnt:
total 586
drwxr-xr-x 21 root root 512 Dec 3 04:10 .
drwxr-xr-x 21 root root 512 Dec 3 04:10 ..
-rw------- 1 root other 4432 Feb 17 04:25 .sh_history
lrwxrwxrwx 1 root root 9 Nov 28 06:07 bin -> ./usr/bin
drwxr-xr-x 2 root nobody 512 Nov 28 07:32 cdrom
drwxr-xr-x 15 root sys 4096 Feb 17 04:14 dev
drwxr-xr-x 4 root sys 512 Nov 28 06:29 devices
drwxr-xr-x 41 root sys 3584 Feb 16 17:00 etc
[ output deleted ]
##==
##== un-mount the image
# umount /mnt
##==
##== unregister the image from the loopback driver
# lofiadm -d /dev/lofi/1
fsdb is a tool worth spending time on: its commands can be complex, but it is powerful once mastered. The most useful documentation is the fsdb_ufs(1M) man page supplied with the OS.
using fsdb on a file system image in Solaris:
##==
##== register the image available as a block device via the loopback driver:
# lofiadm -a /mnt/images/2003_02_17_attack.bin
/dev/lofi/1
##==
##== verify that the image is registered:
# lofiadm
Block Device File
/dev/lofi/1 /mnt/images/2003_02_17_attack.bin
##==
##== browse the image using fsdb:
# fsdb /dev/lofi/1
fsdb of /dev/lofi/1 (Read only) -- last mounted on /
fs_clean is currently set to FSCLEAN
fs_state consistent (fs_clean CAN be trusted)
##==
##== print the super block
/dev/lofi/1 > :sb
super block:
magic 11954 format dynamic time Mon Feb 17 18:36:05 2003
nbfree 605536 ndir 6363 nifree 889612 nffree 8252
ncg 290 ncyl 4631 size 8314960 blocks 8187339
bsize 8192 shift 13 mask 0xffffe000
fsize 1024 shift 10 mask 0xfffffc00
frag 8 shift 3 fsbtodb 1
cpg 16 bpg 3591 fpg 28728 ipg 3392
minfree 1% optim time maxcontig 16 maxbpg 2048
rotdelay 0ms fs_id[0] 0x0 fs_id[1] 0x0 rps 120
ntrak 27 nsect 133 npsect 133 spc 3591
trackskew 0 interleave 1
nindir 2048 inopb 64 nspf 2
sblkno 16 cblkno 24 iblkno 32 dblkno 456
sbsize 5120 cgsize 5120 cgoffset 72 cgmask 0xffffffe0
csaddr 456 cssize 5120 shift 9 mask 0xfffffe00
cgrotor 187 fmod 0 ronly 0
blocks available in each of 8 rotational positions
cylinder number 0:
[ output deleted ]
##==
##== show current entries in this directory:
/dev/lofi/1 > :ls -l
/:
i#: 2 ./
i#: 2 ../
i#: 2bc0 etc/
i#: 8c02 kernel/
i#: 3 lost+found/
i#: 8c0 usr/
[ output deleted ]
##==
##== set the current block to be examined to block 2bc0 (/etc) and display the
##== information in block 2bc0 as an inode:
##== note that :pwd will still show the current location as / because you're
##== examining data blocks on the file system. You haven't actually left /.
##== To navigate the directory hierarchy, you need to use :cd
/dev/lofi/1 > 2bc0:inode?i
i#: 2bc0 md: d---rwxr-xr-x uid: 0 gid: 3
ln: 29 bs: 8 sz : c_flags : 0 e00
db#0: 65a8
accessed: Tue May 27 04:38:06 2003
modified: Mon May 26 17:00:44 2003
created : Tue May 27 04:38:06 2003
/dev/lofi/1 > :ls -l
i#: 2c25 nsswitch.conf
i#: 2c21 passwd
i#: 2c1e path_to_inst
i#: 2c3e pwck@
i#: 2bee rc0@
i#: 6042 rc0.d/
i#: 2bef rc1@
i#: 6901 rc1.d/
i#: 2bf0 rc2@
i#: 71c2 rc2.d/
i#: 2bf1 rc3@
i#: 7a82 rc3.d/
i#: 2bf2 rc5@
i#: 2bf3 rc6@
i#: 2bf4 rcS@
i#: 834e rcS.d/
i#: 2c2d shadow
i#: 2c27 syslog.conf
[ output deleted ]
##==
##== set the current block to be examined to block 2c21 (/etc/passwd) and display the
##== information in block 2c21 as an inode:
/dev/lofi/1 > 2c21:inode?i
i#: 2c21 md: ----r--r--r-- uid: 0 gid: 3
ln: 1 bs: 2 sz : c_flags : 0 20f
db#0: 6554
accessed: Tue May 27 04:37:58 2003
modified: Thu Nov 28 08:18:06 2002
created : Tue May 27 04:37:58 2003
##==
##== display the information in current block as ASCII data:
##== you can display the block in hex using: 0:db:block,*/X
/dev/lofi/1 > 0:db:block,*/c
1955000: r o o t : x : 0 : 1 : S u p e r
1955010: - U s e r : / : / s b i n / s h
1955020: d a e m o n : x : 1 : 1 : : /
1955030: : b i n : x : 2 : 2 : : / u s
1955040: r / b i n : s y s : x : 3 : 3
1955050: : : / : a d m : x : 4 : 4 : A
1955060: d m i n : / v a r / a d m : l
1955070: p : x : 7 1 : 8 : L i n e P r
1955080: i n t e r A d m i n : / u s r
1955090: / s p o o l / l p : u u c p :
19550a0: x : 5 : 5 : u u c p A d m i n
19550b0: : / u s r / l i b / u u c p :
19550c0: n u u c p : x : 9 : 9 : u u c p
19550d0: A d m i n : / v a r / s p o o
19550e0: l / u u c p p u b l i c : / u s
19550f0: r / l i b / u u c p / u u c i c
1955100: o s m m s p : x : 2 5 : 2 5 :
1955110: S e n d M a i l M e s s a g e
1955120: S u b m i s s i o n P r o g
1955130: r a m : / : l i s t e n : x :
1955140: 3 7 : 4 : N e t w o r k A d m
1955150: i n : / u s r / n e t / n l s :
1955160: n o b o d y : x : 6 0 0 0 1 :
1955170: 6 0 0 0 1 : N o b o d y : / :
1955180: n o a c c e s s : x : 6 0 0 0 2
1955190: : 6 0 0 0 2 : N o A c c e s s
19551a0: U s e r : / : n o b o d y 4
19551b0: : x : 6 5 5 3 4 : 6 5 5 3 4 : S
19551c0: u n O S 4 . x N o b o d y :
19551d0: / : k r h : x : 1 1 1 9 : 1 1
19551e0: 1 9 : K r 4 D H a X 0 R y o
19551f0: : / e x p o r t / h o m e / k r
1955200: h : / u s r / b i n / k s h
[ output deleted ]
##==
##== unregister the image from the loopback driver:
# lofiadm -d /dev/lofi/1
Sometimes it is also necessary to look at the raw contents of the image rather than the file system debugger's interpretation of them. Several tools serve this purpose.
Hex editors such as hexedit ship as part of Red Hat and can also be installed on OpenBSD (/usr/ports)[1]. If no hex editor is available, emacs or vim can be used. emacs can view the image; use 'Esc-x toggle-read-only' to work in read-only mode. To switch to hex editing, use 'Esc-x hexl-mode'; to quit, use 'Ctrl-x Ctrl-c'. For more information on emacs, 'Ctrl-h t' opens the emacs tutorial.
vim's hex editing support is much weaker than emacs'. Start vim in read-only mode and without a swap file with: vim -nRb . Then type 'Esc:%!xxd' to convert the displayed file to hex. To quit, type 'Esc:q!'. The F1 key opens vim's help.
Because RAM and swap are finite, the size of file an editor can view is limited too; once the system starts swapping, the session slows to a crawl. split and csplit can divide a file system image into several files. The more transformations you apply (splitting, compressing), the more careful you need to be when drawing conclusions from the result.
If emacs and vim are not available, od can be used on Solaris, followed by less or more for paging. OpenBSD, Red Hat and Solaris all have pg. od can output data in many formats: od -vxca dumps the data in hex, as C-style character escapes, and as their ASCII characters.
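The arithmetic behind the addresses in the Solaris fsdb session above, as an added example that is not part of the original article: fsdb's db# values are fragment numbers, and multiplying them by the fragment size from ":sb" gives the byte offset to hand to od, dd or a hex editor on the raw image (the od syntax assumed is GNU/BSD od; the image name is a placeholder).

```python
# Added example (not from the original article): convert the block numbers
# that Solaris fsdb prints for an inode into byte offsets on the raw image.
# Superblock values are the ones ":sb" printed; inode values come from the
# "2c21:inode?i" (/etc/passwd) and "2bc0:inode?i" (/etc) output above.

FSIZE = 1024    # fragment size: "fsize 1024 shift 10"
BSIZE = 8192    # block size:    "bsize 8192 shift 13"
FSBTODB = 1     # fragment -> 512-byte disk block shift: "fsbtodb 1"


def frag_to_offset(frag_no, fsize=FSIZE):
    """Byte offset in the image of fragment number frag_no (fsdb's db# value)."""
    return frag_no * fsize


def frags_allocated(size, fsize=FSIZE):
    """Fragments a file of 'size' bytes occupies (the last one may be partial)."""
    return (size + fsize - 1) // fsize


def fsdb_bs(size, fsize=FSIZE, fsbtodb=FSBTODB):
    """The 'bs:' value fsdb shows: allocated fragments in 512-byte disk blocks."""
    return frags_allocated(size, fsize) << fsbtodb


def data_extents(direct_blocks, size, fsize=FSIZE, bsize=BSIZE):
    """(offset, length) byte ranges holding a file's data, one per db# entry.

    Each direct block covers up to bsize bytes; only the last one is short.
    Indirect blocks (files larger than 12 * bsize) are not handled here.
    """
    extents, remaining = [], size
    for frag_no in direct_blocks:
        if remaining <= 0:
            break
        length = min(bsize, remaining)
        extents.append((frag_to_offset(frag_no, fsize), length))
        remaining -= length
    return extents


def od_command(image, offset, length):
    """od invocation that dumps exactly one extent as hex plus characters."""
    return f"od -A x -t x1 -t c -j {offset} -N {length} {image}"


if __name__ == "__main__":
    # /etc/passwd from the article: i#: 2c21, db#0: 6554, sz 20f (527 bytes)
    for off, length in data_extents([0x6554], 0x20F):
        print(f"{off:#x} {length}")   # 0x1955000: the address od/fsdb showed
        print(od_command("image.bin", off, length))  # placeholder image name
```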
Transferring data from the compromised host
If a forensic image has to be created on, and transferred off, a live host, there are several issues to consider:
* The transfer should disturb the file system as little as possible
* The data should travel through a secure tunnel to a trusted host
* Do not run the suspect host's own programs; run them from a CD instead
* If the investigation may involve legal action, follow the procedures of the legal investigators
* If you use authentication credentials on the host that stores the data, assume the attacker may be using or stealing those credentials as well
There are several ways to preserve the most important data. It can be transferred over a hub or a crossover cable, over ssh, or with other tools over TLS/SSL.
Moving the compromised host onto a private network together with the secure host that stores the forensic data has some drawbacks:
* Once the host is disconnected, its connections to other remote hosts are lost too.
* It becomes much harder to keep observing the attacker's behaviour.
* Observing programs the attacker installed also becomes harder. For example, if the attacker installed a client that connects to a remote host, the client-server interaction cannot be examined once the remote host is unreachable.
* Because the attacker can no longer connect to the host, working out how the attacker got in becomes harder.
In short, there are trade-offs to weigh and plan for before deciding.
1. Set up the physical layer:
* connect the two NICs directly with a crossover cable, or
* connect the two NICs through a hub
2. Set up the forensic data storage server on the same IP network as the compromised host
3. Use netcat and dd to transfer the forensic data to the storage server.
moving data with dd and netcat:
sechost# nc -lp 8091 > <save_file>
##== use a tcp over ethernet friendly block size of 1460
hckdhost# dd if=/dev/hda bs=1460|nc -w10 <sechost> 8091
sechost# od -xvca <save_file> |less
Another tool is socat[6], which offers more functionality than netcat and can move data in many ways. Note that the commands below all use the ignoreeof option.
moving data via socat:
##== use a tcp over ethernet friendly block size of 1460
##== start the receiver on the secure host first, then send from the compromised host
sechost# /usr/local/socat/bin/socat -b 1460 -t5 TCP4-LISTEN:8091 OPEN:<save_file>,create,excl,largefile,ignoreeof
hckdhost# /usr/local/socat/bin/socat -b 1460 -t5 OPEN:/dev/hda,ignoreeof,rdonly TCP4:<sechost>:8091
sechost# od -xvca <save_file> |less
If you are unwilling or unable to take the host offline, ssh can be used to transfer the data securely. The script below saves the current network connections, the current process list, assorted system information and the file system images on a remote host.
example script for moving data to a secure host via ssh:
#!/bin/bash
# This is a quick hack for demonstration purpose only. It needs
# to be adapted to your environment. This script works on Linux.
# YMMV elsewhere.
rem_host="192.168.27.23"
ssh="ssh forensics@${rem_host}"
# get uname -a, uptime, and Debian or RedHat version info
{
    uname -a
    uptime
    if [ -s /etc/debian_version ]; then
        echo "Debian $(cat /etc/debian_version)"
    else
        cat /etc/redhat-release
    fi
} | ${ssh} "dd of=/var/tmp/incidents/sysinfo"
# save process information
ps auwwx | ${ssh} "dd of=/var/tmp/incidents/processes_bsd"
ps -eflyc | ${ssh} "dd of=/var/tmp/incidents/processes_sysv"
# save list of open files
lsof | ${ssh} "dd of=/var/tmp/incidents/lsof"
# save networking information
netstat -A INET -anv | ${ssh} "dd of=/var/tmp/incidents/netstat_infos"
lsof -Pni | ${ssh} "dd of=/var/tmp/incidents/lsofnet_infos"
# save loaded modules
# use modinfo on Solaris, modstat on OpenBSD
lsmod | ${ssh} "dd of=/var/tmp/incidents/modules"
# wtmp info from last
# snagging /var/log/[wu]tmp* might not be a bad idea
last | ${ssh} "dd of=/var/tmp/incidents/last"
# info from process accounting, written to its own file so that the
# output of last above is not overwritten
# snagging /var/account/* might not be a bad idea
# lastcomm is used here, dump-acct can work too
# system accounting (sar) if enabled can be useful too. files are usually in
# /var/log/sysstat
lastcomm | ${ssh} "dd of=/var/tmp/incidents/lastcomm"
# save /etc and logs
tar cvjf - /etc /var/log/* | ${ssh} "dd of=/var/tmp/incidents/files_and_logs.tar.bz2"
# use mount to determine currently mounted drives to image. This might need
# tweaking depending on your system, so that it only picks up the drives you want.
# Is compressing with bzip2 ok for forensics in your world? Since you're applying
# a transform before taking an md5sum, it's possible it could cause an issue. Consult
# LE or Legal.
#
# This doesn't handle swap if swap lives on a drive that isn't in the list that
# mount generates. Use 'swapon -s'.
#
# bzip2 can run on whichever machine is faster, or it can be used before the
# data goes over the network. If your network is fast enough, bziping on the remote
# host is a good idea to conserve space. Software compression can take more time than
# it takes to move uncompressed data across a network, if the network is fast enough.
# In these situations compress only if you're worried about space, or compress after
# the transfer is done.
#
# sed strips the trailing partition number so whole drives are imaged; in a basic
# regular expression '*' is needed here, '+' would be matched literally.
for drive in `mount |grep '^/dev.* (rw'|awk '{print $1}'|sed 's/[0-9]*$//'|sort|uniq`
do
    drive_name=`basename ${drive}`
    dd if=${drive} |${ssh} "bzip2 -9c|dd of=/var/tmp/incidents/${drive_name}.raw.bz2"
done
Another way to transfer information securely is with socat[16]. socat currently cannot accept TLS/SSL connections, so for that side of the connection stunnel[17] can be used instead.
The following steps show how to transfer data with socat and stunnel:
1. Create a self-signed certificate[18]
2. Append Diffie-Hellman parameters to the self-signed certificate (the 512-bit parameters generated in the example below are far too small for present-day use; 2048 bits or more is the accepted minimum)
3. Create a symlink to the certificate named after the certificate's hash
4. Edit hosts.allow on the host so that the appropriate hosts can connect
5. Start stunnel, executing frecv.pl for each incoming connection
6. Send the required files with socat.
moving data using socat and stunnel:
##== 1
sechost# openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem
##== 2
sechost# dd if=/dev/urandom count=8 |openssl dhparam 512 >> stunnel.pem
##== 3
sechost# ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0
##== 4
sechost# vi /etc/hosts.allow
##== 5
sechost# stunnel -fd :9001 -l ./frecv.pl -p stunnel.pem -P none
##== use a tcp over ethernet friendly block size of 1460
##== 6
hckdhost# /usr/local/socat/bin/socat -b 1460 -t5 OPEN:/dev/hda,ignoreeof,rdonly OPENSSL:<sechost>:9001
sechost# od -xvca <save_file> |less
In the example above, stunnel executes the frecv.pl program. dd can write the stream, but dd cannot choose a file name sensibly: if stunnel runs dd for every connection, each run overwrites the previously saved file. frecv.pl instead creates random file names and uses file to guess the type of the data written to them. It also writes the relevant details to a description file to help forensic investigators understand what data they are dealing with. The companion program to frecv.pl is fsend.pl, which sends a file, or executes a command and sends its output, to frecv.pl, and also creates hashes so that the data can be verified as intact. Both scripts can be downloaded from the following address [Further Study and Resources:
http://www.securityfocus.com/infocus/1738#furtherstudy]
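A receiver in the spirit of frecv.pl, as an added example that is not the article's script and does not replace it: it stores each incoming stream under a name that cannot collide with an earlier transfer, hashes the data while it is being written (so a large image is not read twice, which also addresses the ssh script's comment about taking the md5sum), and records what was received in a description file. The file(1) type guess that frecv.pl performs is not reproduced; the sample chunks in main() are constructed.

```python
# Added example, not the article's frecv.pl: store an incoming data stream under
# a collision-free name, hash it while it is written, and record what was
# received in a sidecar description file. The chunk list in main() is constructed.
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def store_stream(chunks, dest_dir=None, prefix="incident", algorithms=("md5", "sha1")):
    """Write an iterable of byte chunks to a new file; return (path, size, digests).

    mkstemp() picks the name, so repeated transfers never overwrite each other,
    which is the weakness of a plain 'dd of=fixed_name' receiver.
    """
    dest_dir = dest_dir or tempfile.mkdtemp(prefix="incidents_")
    hashers = {name: hashlib.new(name) for name in algorithms}
    fd, path = tempfile.mkstemp(prefix=prefix + "_", suffix=".raw", dir=dest_dir)
    size = 0
    with os.fdopen(fd, "wb") as out:
        for chunk in chunks:
            out.write(chunk)
            size += len(chunk)
            for h in hashers.values():     # hash as we go: no second pass
                h.update(chunk)
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    with open(path + ".desc", "w") as desc:
        desc.write(f"file: {os.path.basename(path)}\n")
        desc.write(f"received: {datetime.now(timezone.utc).isoformat()}\n")
        desc.write(f"size: {size}\n")
        for name, hexdigest in digests.items():
            desc.write(f"{name}: {hexdigest}\n")
    return path, size, digests


def verify_file(path, expected_hex, algorithm="sha1", bufsize=1 << 20):
    """Re-hash a stored file and compare it with the digest the sender reported."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):
            h.update(block)
    return h.hexdigest() == expected_hex


if __name__ == "__main__":
    # constructed stand-in for a stream arriving from the compromised host
    sample = [b"root:x:0:1:Super-User:/:/sbin/sh\n", b"daemon:x:1:1::/:\n"]
    path, size, digests = store_stream(sample)
    print(path, size, digests["sha1"], verify_file(path, digests["sha1"]))
```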
More tools and resources are listed in the Further Study and Resources section. Since other Infocus authors and articles have already described them, they are not covered one by one here.
Summary
This article covered some of the tools used to examine file systems during a forensic investigation. Always use several tools to verify what any single tool shows; if you rely on ls, check its output against find -ls first. Always use tools that compute strong hashes such as MD5 or SHA1. When moving data off a host without taking it offline, make sure that data is kept secure. Building an effective incident response process helps you collect information in a disciplined way. Keep your skills and experience ahead of the trends, and your investigations will be easier!