Commands Flashcards
lsblk
list disks and partitions attached to system
What command can be used to display mounted devices and paritions
lsblk
What commands can be used to create or list partitions
fdisk -l <dev>
gdisk -l <dev>
fdisk -l
list partitions
gdisk
likes GPT partitions
su -
switch user to root
uname
identify kernel version
sudo
use root for one specific command
What commands can be used to identify hardware
lspci
lsusb
usb-devices
-v (verbose)
-k (expanded output)
cat <file>
stream contents of file to terminal/shell
What commands can be used to identify USB serial number
lsusb -v
usb-devices
man <command>
user manual / information on the command
What commands can be used to identify disk information
lsscsi (does not show partitions)
file -s
fdisk -l <dev>
What is the order of commands to use to identify a device, partition, and file system
lsblk = mounted devices
fdisk -l <> = partition information
file -s <> = file system
lsscsi
list the scsi partitions
file -s /dev/sdaX
identify the file system of a device
dmesg
device messages / information about a device received directly from kernel
can contain serial number, model, date/time connected/disconnected
what is the /bin folder
binary folder which contains standard commands like ls, cd, pwd, etc
what is the /boot folder
contains files needed at boot (LILO or GRUB)
what is the /dev folder
files that represent devices on a system (device nodes)
what is the /etc folder
contains administrative configuration files and scripts
what is the /home folder
user home directory
what is the /lib folder
32-bit software libraries (program files)
what is the /lib64 folder
64-bit software libraries (program files, x64)
what is the /media folder
udisks mount points / standard place to mount system removable media
what is the /mnt folder
temporary mount points for external, remote, removable file systems
what is the /opt folder
folder for optional software files
what is the /sbin folder
administrative commands (fdisk, ifconfig, etc.)
what is the /usr folder
contains local software, libraries, and user specific installer files
what is the /var folder
contains logs and other variable files
what is the /run directory
contains dynamic run files for system daemons like udev and udisks
mount
manually mount a specific device
example:
mount -t <fstype> -o <option> <device> <mountpoint>
what command can be used to unmount a mount point
umount
what does the /etc/fstab file contain
file system table of device, mountpoint, file system type, and default options
What is the userspace command to mount / unmount a device
udisksctl mount
udisksctl unmount
-b (specifies block device to mount)
will mount under /run/media
grep <pattern> <filename>
search for occurrences of the pattern within the file name
find <start directory> <criteria>
searches for files based on criteria
what is this find command looking for
find /etc -iname fstab
find, starting in the /etc directory, a filename fstab (case insensitive)
file
categorizes files based on a file signature comparison (to magic files)
ps
list current running processes
strings
prints out readable characters from a file
used to search data files and extract useful strings
chmod
change permissions on a file
chown
change owner (and group) of a file
what information is output by ls -l
file type (- = regular file, d = directory, b = block device, c = character device, l = link)
permissions (owner, group, others)
user
group
size in bytes
date modified
filename
What does > do
output to a file (stdout)
What does >> do
append to a file
What does 2> do
output error messages (stderr)
bc
basic calculator
Explain the command:
echo "scale=2; 5/3" | bc
Divide 5/3 with decimal place of 2
Output: 1.66
explain the command:
echo "ibase=16;4C" | bc
calculate the hex to decimal value of 4C
output = 76
What is bash shell arithmetic expansion
echo $((Calculation))
Explain the command:
echo $((0x4c-70))
Calculate the hex to decimal value of 4C (76) and subtract 70
Output = 6
What file stores the history of a bash shell
.bash_history
vi
virtual editor
What are the edit modes in vi
i = insert
a= append
o=open a new line under current line
O = open a new line above current line
Explain the following commands in vi
0-
$-
x-
X-
dd-
y-
p-
P-
:wq
:w
:q!
:wq!
:w fname
/string
0-move cursor to beginning of line
$-move cursor to end of line
x-delete character under the cursor
X-delete the character before the cursor
dd- delete the entire line the cursor is on
y-yank/copy
p-paste after the cursor
P-paste before the cursor
:wq- save and quit
:w- save and continue editing
:q! - quit and discard changes
:wq! - save and quit without prompt
:w fname - save as filename
/string - search for string
What file controls the init program
/etc/inittab
What does /etc/profile contain
global bash initialization file for login shells
What is a runlevel
A description of a system state (shutdown, single user mode, reboot, graphical login) for BSD startup
what does ~/.bash_profile contain
used by bash to load configuration for login shell for each user
what does ~/.bashrc contain?
used by bash to load configuration for non-login shells
What files are used to control access to the linux system
/etc/hosts.deny
/etc/hosts.allow
iptables
used to block network traffic at physical network interface (IP level)
what command is used in Slackware for package management
slackpkg
Explain compiling from source
distribution agnostic
can tailor to your specific environment
without careful manipulation, the executables and libraries are placed in less than optimal locations
can be difficult to manage upgrade paths or remembering what has been installed
tar
used to extract/create tar archives
make
used to create an install package
Explain distribution packages
package manager
handles the work of adding and removing software packages from your system
wget
download files from website
sbotools
installing and building software on Slackware
sboinstall
install a package (and its dependencies)
hdparm -I /dev/sdd
used to identify hard drive detailed information
md5sum <file>
calculates md5 hash
sha1sum <file>
calculate sha1sum
explain the following command:
dd if=/dev/sdd of=/path/image.raw bs=512
using dd, image /dev/sdd to file image.raw with block size 512
what is conv=noerror,sync when used with dd
continue past sectors with read errors and pad those sectors with zeros
How can you split a raw image
split <file> <output>
-d (output files use numeric suffixes)
-aN (suffix length, N = number of characters, i.e. -a3 for .001)
-bXG (treat input as binary and lines are ignored; XG = size in GB, i.e. 4G for 4GB)
How can you use cat to merge split image files
cat image.raw.* > image.raw.new
What are the command line imaging tools used
dd
dc3dd
ewfacquire
ddrescue
Explain the following command:
dc3dd if=/dev/sdc hofs=dc3dd.raw ofsz=512M hash=sha1 hash=md5 log=dc3dd.log
hof = hash of input, output
ofs = split output file
hofs = hashes and splits
ofsz = output file size
hash = algorithm
log = filename for the log file
hlog = write hash log of image and any split files to the log file
ewfacquire
example: ewfacquire -C "2019-001" -d sha1 -D "thumb drive seized from bad guy" -e "Barry Grundy" -E "2019-001-002" -m removable -M physical -S 512M -t case.disk2 -u /dev/sdb
acquire a specific device (forensic image) with added features of adding metadata into E01 files
ewfinfo
reads the metadata that was entered during the imaging process
ewfverify
hashes the forensic image file / allows to verify against original media
ewfexport
ewfexport -t <file> -f raw -u <file>.E01
take an ewf file and convert it to bit stream image file (raw file)
-t(target) - to write a file
-f - file format
-u - accept remaining defaults / run unsupervised
ddrescue
ddrescue /dev/sdb ddres_image.raw ddress.map.txt
ddrescue <device> <output image> <map file>
when there are errors on the disk while creating an image (compare dd with conv=noerror,sync), this can use a map file to recreate the image
will read the healthy portions of a disk first then fall back to recovery mode, trying to read data from bad sectors, allowing ddrescue to resume any imaging job given a map file (of bad sectors) to work off of
what does tar tzvf <file> do
tar command will extract a zip
t-list
z-decompress
v-verbose
f-file
x-extract
what command would you use to listen for a netcat command on port 2525 and output to a raw file
nc -l -p 2525 | dd of=/mnt/evidence/net.dd.raw
Explain what this command is doing:
dd if=/dev/sda | nc 192.168.0.1 2525
Pipes the output of dd command of /dev/sda to the IP address through port 2525
What does ewfacquirestream do
similar to ewfacquire but through a netcat / stream command
example: nc -l -p 2524 | ewfacquirestream -M physical -t /mnt/evidence/net_ewfstream
What are these flags for ewfacquirestream
-C
-D
-e
-E
-f
-m
-M
-N
-t
-C=case number
-D=description
-e=examiner
-E=evidence number
-f=encase format (-f encase6)
-m=media type
-M=media flags
-N=notes
-t=target path and file name
What does gzip do
compresses and decompresses files
-c compress
-d decompress
What commands can be used to wipe /dev/sda with block size 4kb chunks
dd if=/dev/zero of=/dev/sda bs=4k
dc3dd wipe=/dev/sdb
What commands can be used to check to see if a wipe was complete
xxd -a /dev/sda
-a = autoskip option to find next character
dc3dd hwipe=/dev/sda hash=sha1
What steps can you take to mount an image
- identify structure (fdisk -l, mmls)
- identify the file system (file -s)
- Mount using mount or loop (mount -t <fstype> -o ro,loop <image> <location>, losetup /dev/loop0 <image>)
- If using losetup, mount to directory (mount /dev/loop0p1 /mnt/tmp)
- unmount (umount , losetup -d)
Explain this command:
mount -t vfat -o ro,loop fat_fs.raw /mnt/analysis
mounting fat_fs.raw to the mount location /mnt/analysis with read-only permissions and file system type 'vfat', using a loop device to mount the file system within the image
What command can be used to loop a mount device
losetup /dev/loop0 <image>
What command resulted in this output:
Disk NTFS_Pract_2017.raw: 500 MiB, 524288000 bytes, 1024000 sectors
Units: sectors of 1 *512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe8dd21ee
Device Boot Start End Sectors Size Id Type
NTFS_Pract_2017.raw1 2048 1023999 1021952 499M 7 HPFS/NTFS/exFAT
fdisk -l NTFS_Pract_2017.raw
What is the offset starting sector and respective bytes
Units: sectors of 1 *512 = 512 bytes
Device Boot Start End Sectors Size Id Type
NTFS_Pract_2017.raw1 2048 1023999 1021952 499M 7 HPFS/NTFS/exFAT
2048, (2048*512)
What command would be used to mount the partition
Units: sectors of 1 *512 = 512 bytes
Device Boot Start End Sectors Size Id Type
NTFS_Pract_2017.raw1 2048 1023999 1021952 499M 7 HPFS/NTFS/exFAT
mount -o ro,loop,offset=1048576 NTFS_Pract_2017.raw /mnt/tmp
losetup -o $((2048*512)) --sizelimit $((1021952*512)) /dev/loop0 NTFS_Pract_2017.raw
What does the flag -P mean for losetup
what about -r and -f
automatically maps partitions to separate loop devices
-r = read only
-f = find first available loop device
What command can be used to mount a split image
affuse <image> <mount>
example: affuse able3.000 /mnt/aff
What is the unmount command for affuse
fusermount -u /mnt/aff
What ewf command can be used to mount an image
ewfmount
ewfmount NTFS_Pract_2017.E01 /mnt/ewf
Explain how to mount an ewf image
Using fdisk -l, we see the structure of the image.
We use losetup -P with the read-only option (-r) and find the first available loop device (-f) to add the loop mapping for the partition.
We use the file command with the -s option to confirm the file system type. In this case we see it is NTFS.
Finally we mount the volume with the mount command using the ntfs-3g file system driver (-t ntfs-3g).
Explain this command:
grep -abif analysis/searchlist.txt fat_fs.raw > analysis/hits.txt
searching using grep through fat_fs.raw for any phrases in searchlist.txt and output results to hits.txt
-a = process file as text
-b=provide byte offset of hit
-i=ignore upper and lower case
-f=read file in for search terms
Explain the command:
xxd -s 1261479 fat_fs.raw | head -n 5
display top 5 lines for hex view of fat_fs.raw starting at byte offset 1261479
What does the awk command do
allows files to be displayed as columns based on delimiter
example: awk '{print $1" "$2}'
What are the steps taken to carve a file using dd
- Find the start of the JPEG (xxd and grep): xxd image_carve_2017.raw | grep ffd8 (location 36AC0); echo "ibase=16;36AC0" | bc
- Find the end of the JPEG (xxd and grep): xxd -s 223942 image_carve_2017.raw | grep ffd9 (location 0005D3C6); echo "ibase=16;0005D3C6" | bc
- Calculate the size of the JPEG in bytes (bc): echo "381906-223942" | bc (157964)
- Cut from the calculated start the calculated number of bytes and output to a file (dd): dd if=image_carve_2017.raw of=carved.jpg bs=1 skip=223942 count=157964
Describe how to carve a partition using dd
- fdisk -l <image> to find the offset
- starts at 2048, number of sectors 102400
- use dd to extract using start and total sectors: dd if=able_3.raw of=able_3.part1.raw bs=512 skip=2048 count=102400
What commands will help identify file system layer
file
fsstat
fls
What commands will help identify physical device layer
lshw
lsscsi
hdparm
What commands will help identify media layer
fdisk
gdisk
file -s
mmls
mmcat
mmstat
What commands will help identify the metadata (inode) layer
icat
ils
ifind
istat
What commands will help identify content/data layer
blkcalc
blkcat
blkls
blkstat
mmls
provides partition table and offsets
similar to fdisk and gdisk
fsstat
gather file system information
example: fsstat -o 2048 <image>
fls
list file names and directories contained in directory or specific metadata identifier
example: fls -o 10260 able2.dd 2
Explain the command
fls -o 10260 -Frd able2.dd
displays directory information against the partition in able2.dd starting at sector offset 10260 (-o 10260), showing only file entries (-F), descending into directories recursively (-r), and displaying deleted (unallocated) entries (-d).
- asterisk listed before the node means it is deleted/unallocated
ffind
find all file names associated with particular metadata entry by using the ffind command
example: ffind -o 10260 -a able2.dd 2139
Explain command:
ffind -o 10260 -a able2.dd 2139
find all entries for offset / partition at 10260 that are associated with metadata id /inode 2139
-a=get all nodes associated with inode
istat
gather file information on an inode; the data blocks listed can be used to extract data using icat
example: istat -o 10260 able2.dd 2139
icat
stream contents from inode to a file
example: icat -o 10260 able2.dd 2139 > lrkn.tgz.2139
Explain the command:
icat -o 10260 able2.dd 11108 | file -
stream contents from partition starting at offset 10260 all data blocks associated with inode 11108 and result of contents is run through file to identify the file type
Explain the order of identifying information from an image using TSK
- mmls (get offset information)
- fsstat -o (get file system information)
- fls -o <offset> -r <image> (file directories / inodes)
- istat -o <offset> <image> <node>
- icat -o <offset> <image> <node> | xxd or file -
Explain the command
grep -abi cybernetik able2.dd
Search for phrase cybernetik to get case insensitive results with the byte offset and treating the .dd file as a text file
Explain how to find file based on grep results
- Search grep
- use resulting byte to calculate sector (echo "10561603/512" | bc = 20628)
- mmls to find what partition the sector is located in (10260)
- find offset of partition in bytes (echo "10260*512" | bc = 5253120)
- find volume offset (echo "10561603-5253120" | bc = 5308483)
- fsstat to get file system information (fsstat -o 10260 able2.dd)
- find data block (echo "5308483/1024" | bc = 5184)
- get block data for the block (blkstat -o 10260 able2.dd 5184)
- find which inode consists of that block (ifind -o 10260 -d 5184 able2.dd)
- identify file information for file in that inode (istat -o 10260 able2.dd 10090)
- stream contents of file (icat -o 10260 able2.dd 10090 | less)
blkls
list all data blocks unallocated
-e = copy every block
Explain the command
blkls -o 10260 able2.dd > able2.blkls
in the partition starting at offset 10260 extract all unallocated blocks to file .blkls
blkcalc
blkcalc with the -u option to specify that we want to calculate the block address from an extracted unallocated image
example: blkcalc -o 10260 -u 1593 able2.dd
Explain the command
blkstat -o 10260 able2.dd 5184
output for block 5184 in the original image to determine if it is unallocated, fragmented
What command would you use to find an inode based on a block
ifind
example: ifind -o 10260 -d 5184 able2.dd
output: 10090
istat -o 10260 able2.dd 10090
What is a difference between examining FAT and NTFS file systems in TSK
NTFS file system allows for alternate data streams (ADS)
Example:
39-128-1
39-128-3
bulk_extractor
used to identify particular features from a set of data
photorec
scalpel
file carving tool