2019-02-09-Playing Around with Forensics

The famous forensics tool:
Oxygen Forensic Suite 2014

The crack I found on 0daydown was fake and kept throwing errors on Win7; only later did I find what I needed on a download site.

7down

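There isn't much usable forensics software, and that is even more true for Android.

PC already has plenty of professional software for data recovery and the like, so there's no need to bother with that.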


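I tried three times, with a Samsung C5, an iPhone 5s and a vivo Y13, and none of them would connect, because there is no new key-crack anymore.

All of them are already rooted.

I had made a TWRP backup of the Samsung, so I used the local archive.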

Include the folder that contains the files below.

"M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\system_image.emmc.win.md5
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\boot.emmc.win
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\boot.emmc.win.md5
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\data.ext4.win000
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\data.ext4.win000.md5
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\data.ext4.win001
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\data.ext4.win001.md5
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\data.ext4.win002
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\data.ext4.win002.md5
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\data.info
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\efs1.emmc.win
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\efs1.emmc.win.md5
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\efs2.emmc.win
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\efs2.emmc.win.md5
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\efs3.emmc.win
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\efs3.emmc.win.md5
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\modem.emmc.win
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\modem.emmc.win.md5
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\recovery.emmc.win
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\recovery.emmc.win.md5
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\recovery.log
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\system.ext4.win000
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\system.ext4.win000.md5
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\system.ext4.win001
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\system.ext4.win001.md5
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\system.info
M:\TWRP\BACKUPS\95d6e0b1\2018-12-01--09-17-00_MMB29M.C5000ZCU1API2\system_image.emmc.win"
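
Before importing a folder like this into a forensic tool, each image can be checked against its `.md5` sidecar. The following is an added example, not part of the original post or of Oxygen's tooling; it assumes every sidecar holds one md5sum-style line (digest, whitespace, filename), and the function names are made up for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: a sidecar line looks like "<32 hex digits>  <filename>".
SIDECAR_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\S")


def md5_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup parts are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(folder):
    """Map each non-sidecar file to "ok", "mismatch", "bad-sidecar" or "no-sidecar"."""
    results = {}
    for item in sorted(Path(folder).iterdir()):
        if not item.is_file() or item.suffix == ".md5":
            continue
        sidecar = item.with_name(item.name + ".md5")
        if not sidecar.exists():
            results[item.name] = "no-sidecar"  # e.g. recovery.log, data.info
            continue
        lines = sidecar.read_text(errors="replace").strip().splitlines()
        match = SIDECAR_LINE.match(lines[0]) if lines else None
        if match is None:
            results[item.name] = "bad-sidecar"
        elif match.group(1).lower() == md5_of(item):
            results[item.name] = "ok"
        else:
            results[item.name] = "mismatch"
    return results


if __name__ == "__main__":
    # Constructed sample: a tiny stand-in backup folder, not real device data.
    with tempfile.TemporaryDirectory() as tmp:
        part = Path(tmp, "boot.emmc.win")
        part.write_bytes(b"constructed sample")
        Path(tmp, "boot.emmc.win.md5").write_text(md5_of(part) + "  boot.emmc.win\n")
        Path(tmp, "recovery.log").write_text("constructed log\n")
        print(verify_backup(tmp))
```

A matching MD5 shows the copy was not corrupted in transfer; it does not show that the backup was left unmodified, since anyone who can edit an image can also rewrite its sidecar.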

It automatically analyzes the data and generates a database.
Then you can choose to generate an ofb backup file.
Now for the key part:

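It can analyze call logs and SMS records, as well as contacts. Next is the file system, which contains some of the files.
The parts that have analysis features do not work.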