工具：4n6pi - 一款轻量级、开源的取证磁盘映像工具.pdf

《工具：4n6pi - 一款轻量级、开源的取证磁盘映像工具.pdf》由会员分享，可在线阅读，更多相关《工具：4n6pi - 一款轻量级、开源的取证磁盘映像工具.pdf（12页珍藏版）》请在三个皮匠报告上搜索。

1、4n6pi An Open-Source Forensic Disk Imager Egon Lampert Senior Incident Responder at Redguard,Switzerland 8 Years in DFIR automate all the thingsWhoami2 Forensic Investigation on decommissioned hardware with unexpected blade enclosure SOP for Imaging:Sumuris PALADIN Forensic Suite Imaging took over 2

2、4 hours using only Paladin.Only 1 Blade I/O Adapter(USB1.0)Highlighted the inefficiency in our workflow.The Case That Sparked It3 No hardware imagers available,due to cost and missing need In Switzerland it holds up in Court,as long you can proof its forensically sound Legal admissibility varies by

3、jurisdiction.The Gap4 Raspberry Pi 5 as base Open-source tools(libewf,ewfacquire)Workflow based on bash-scripts,systemd services and udev-rules Affordable ScaleableThe Idea5Libewf +=Initially developed as a Redguard-CSIRT internal tool After gaining attention on X,it was clear there was community in

4、terest,which led to open-sourcing the project.From internal tool to Open Source6 Run create-config-stick.sh Modifies UUID of partition Generates YAML template Plug in config stick Power it up Detects config stick by UUID green LED off=ready Automated imaging modes:Image to Disk S3 compatible Buckets

5、 NFS shareHow it works7 No hardware-based write blocker Software-based,read-only mounting Comparable to PaladinWrite Protection8 Centralized control server(WIP)Server discovery through mDNS Approve/Deny Agents Job management and monitoring Future hardware roadmap:Exploring Pi HAT with integrated LCD

6、 and write-blocked USB.Looking for hardware collaborators.Whats next?9 Based on received comments:Affordable unprofessional Open source enables flexibility Community mattersWrapping it up10 4n6pi was reviewed by external forensic experts,bu