GetSectors.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />
<title>GetSectors — DFIR ORC documentation</title>
<link rel="stylesheet" type="text/css" href="_static/pygments.css" />
<link rel="stylesheet" type="text/css" href="_static/solar.css" />
<link rel="stylesheet" type="text/css" href="_static/css/custom.css" />
<script data-url_root="./" id="documentation_options" src="_static/documentation_options.js"></script>
<script src="_static/jquery.js"></script>
<script src="_static/underscore.js"></script>
<script src="_static/_sphinx_javascript_frameworks_compat.js"></script>
<script src="_static/doctools.js"></script>
<script src="_static/sphinx_highlight.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="NTFSInfo" href="NTFSInfo.html" />
<link rel="prev" title="GetSamples" href="GetSamples.html" /><link href='http://fonts.googleapis.com/css?family=Source+Code+Pro|Open+Sans:300italic,400italic,700italic,400,300,700' rel='stylesheet' type='text/css'>
<link href="_static/solarized-dark.css" rel="stylesheet">
</head><body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="NTFSInfo.html" title="NTFSInfo"
accesskey="N">next</a>
<li class="right" >
<a href="GetSamples.html" title="GetSamples"
accesskey="P">previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="embedded_tool_suite.html" accesskey="U">Embedded Tool Suite</a> »</li>
</ul>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="index.html">
<img class="logo" src="_static/logo.jpg" alt="Logo"/>
</a></p>
<h3><a href="index.html">Table of Contents</a></h3>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="index.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="tuto.html">Tutorial</a></li>
<li class="toctree-l1"><a class="reference internal" href="platforms.html">Requirements</a></li>
<li class="toctree-l1"><a class="reference internal" href="intro_to_data_collection.html">Design and Architecture</a></li>
<li class="toctree-l1"><a class="reference internal" href="configuration.html">Configuration</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="embedded_tool_suite.html">Embedded Tool Suite</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="info_tools.html">Common Options & Properties</a></li>
<li class="toctree-l2"><a class="reference internal" href="FatInfo.html">FatInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="FastFind.html">FastFind</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetThis.html">GetThis</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetSamples.html">GetSamples</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">GetSectors</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSInfo.html">NTFSInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSUtil.html">NTFSUtil</a></li>
<li class="toctree-l2"><a class="reference internal" href="ObjInfo.html">ObjInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="RegInfo.html">RegInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="USNInfo.html">USNInfo</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="licenses.html">Licenses</a></li>
</ul>
<div id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" />
<input type="submit" value="Go" />
</form>
</div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<section id="getsectors">
<h1>GetSectors<a class="headerlink" href="#getsectors" title="Permalink to this heading">¶</a></h1>
<section id="description">
<h2>Description<a class="headerlink" href="#description" title="Permalink to this heading">¶</a></h2>
<p>GetSectors is designed to collect low-level disk data, i.e. data not related to the file system.
As such, it can typically be used to collect the boot sector, the boot code, the partition tables, slack space on the disk (typically the available sectors after the last partition), etc.</p>
</section>
<section id="output">
<h2>Output<a class="headerlink" href="#output" title="Permalink to this heading">¶</a></h2>
<p>GetSectors generates the requested dump(s) in an archive or a folder. The tool also generates a CSV file, GetSectors.csv, which contains the metadata about the dump(s) with the following columns.</p>
<table class="docutils align-left">
<thead>
<tr class="row-odd"><th class="head"><p>Value</p></th>
<th class="head"><p>Description</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td><p>ComputerName</p></td>
<td><p>The computer name</p></td>
</tr>
<tr class="row-odd"><td><p>Disk</p></td>
<td><p>The disk from which the dump is extracted</p></td>
</tr>
<tr class="row-even"><td><p>DumpDescription</p></td>
<td><p>The type of dump (MBR, GPT primary header,…)</p></td>
</tr>
<tr class="row-odd"><td><p>DumpName</p></td>
<td><p>The dump file name in output</p></td>
</tr>
<tr class="row-even"><td><p>DumpOffset</p></td>
<td><p>The starting offset of the dumped region (on the disk)</p></td>
</tr>
<tr class="row-odd"><td><p>DumpSize</p></td>
<td><p>The size of the dump in bytes</p></td>
</tr>
<tr class="row-even"><td><p>ReadingTime</p></td>
<td><p>Time to read the dumped region</p></td>
</tr>
<tr class="row-odd"><td><p>DiskInterfaceUsed</p></td>
<td><p>Actual device used to read the dump region</p></td>
</tr>
<tr class="row-even"><td><p>DiskSectorSize</p></td>
<td><p>The disk sector size in bytes</p></td>
</tr>
</tbody>
</table>
<p>The dump name inside the output directory/archive is generated by the concatenation of</p>
<ul>
<li><p>the disk name (where “\\” is replaced by “_”),</p></li>
<li><p>“_off_” followed by the offset of the data collected (in bytes),</p></li>
<li><p>“_len_” followed by the length of the data collected (in bytes),</p></li>
<li><p>a description of the dump:</p>
<blockquote>
<div><table class="docutils align-left">
<thead>
<tr class="row-odd"><th class="head"><p>Value</p></th>
<th class="head"><p>Description</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td><p>EFI-partition</p></td>
<td><p>Full UEFI partition</p></td>
</tr>
<tr class="row-odd"><td><p>MBR</p></td>
<td><p>Master Boot Record</p></td>
</tr>
<tr class="row-even"><td><p>VBR-of-&lt;Partition Description&gt;</p></td>
<td><p>Volume Boot Record</p></td>
</tr>
<tr class="row-odd"><td><p>VBR-backup-of-&lt;Partition Description&gt;</p></td>
<td><p>Volume Boot Record backup</p></td>
</tr>
<tr class="row-even"><td><p>IPL-of-&lt;Partition Description&gt;</p></td>
<td><p>Initial Program Loader</p></td>
</tr>
<tr class="row-odd"><td><p>GPT-primary-header</p></td>
<td><p>Primary GPT header</p></td>
</tr>
<tr class="row-even"><td><p>Disk-slack-space</p></td>
<td><p>Slack space located after the last partition on disk</p></td>
</tr>
<tr class="row-odd"><td><p>Custom-sample</p></td>
<td><p>Custom portion of disk</p></td>
</tr>
</tbody>
</table>
</div></blockquote>
</li>
</ul>
<p>Dump file extension is <code class="docutils literal notranslate"><span class="pre">.bin</span></code>.</p>
<p>As an example, <code class="docutils literal notranslate"><span class="pre">__._PhysicalDrive0_off_0_len_512_MBR.bin</span></code> is the name of a MBR dump.</p>
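<p>The naming convention above and the GetSectors.csv columns listed earlier describe the same dump from two sides, so a responder can cross-check one against the other before trusting a collection. The following Python is an added example and not DFIR ORC code: it builds and parses dump names exactly as the convention states and compares each name against the DumpOffset, DumpSize and Disk columns of a constructed GetSectors.csv (the ReadingTime and DiskInterfaceUsed values in the sample are illustrative, as their exact format is not documented here).</p>

```python
"""Build/parse GetSectors dump names and cross-check them against GetSectors.csv.

Added example, not part of DFIR ORC. The CSV sample below is constructed from
the documented column list; row values are illustrative.
"""
import csv
import io
import re
from dataclasses import dataclass

# <disk>_off_<offset>_len_<size>_<description>.bin
# The disk part is matched lazily so the first "_off_" marker splits the name;
# the description is taken greedily because it may contain '-' and '_'.
DUMP_NAME_RE = re.compile(
    r"^(?P<disk>.+?)_off_(?P<offset>\d+)_len_(?P<size>\d+)_(?P<description>.+)\.bin$"
)


@dataclass(frozen=True)
class DumpName:
    disk: str
    offset: int
    size: int
    description: str


def build_dump_name(disk: str, offset: int, size: int, description: str) -> str:
    """Concatenate the documented parts: disk name with every '\\' replaced by
    '_', '_off_<offset>', '_len_<size>', the description and the '.bin' extension."""
    return f"{disk.replace(chr(92), '_')}_off_{offset}_len_{size}_{description}.bin"


def parse_dump_name(name: str) -> DumpName:
    """Inverse of build_dump_name; raises ValueError for names not following the convention."""
    m = DUMP_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a GetSectors dump name: {name!r}")
    return DumpName(m["disk"], int(m["offset"]), int(m["size"]), m["description"])


# Constructed sample GetSectors.csv, one row per dump, documented columns in order.
# The third row deliberately carries a DumpSize that disagrees with its name.
SAMPLE_CSV = """ComputerName,Disk,DumpDescription,DumpName,DumpOffset,DumpSize,ReadingTime,DiskInterfaceUsed,DiskSectorSize
WS01,\\\\.\\PhysicalDrive0,MBR,__._PhysicalDrive0_off_0_len_512_MBR.bin,0,512,0.001,\\\\.\\PhysicalDrive0,512
WS01,\\\\.\\PhysicalDrive0,GPT primary header,__._PhysicalDrive0_off_512_len_512_GPT-primary-header.bin,512,512,0.001,\\\\.\\PhysicalDrive0,512
WS01,\\\\.\\PhysicalDrive0,Disk slack space,__._PhysicalDrive0_off_500000000000_len_5242880_Disk-slack-space.bin,500000000000,1048576,0.2,\\\\.\\PhysicalDrive0,512
"""


def check_csv_against_names(csv_text: str) -> list[str]:
    """Return one finding per row whose DumpName does not parse or disagrees
    with its own Disk, DumpOffset or DumpSize columns."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            parsed = parse_dump_name(row["DumpName"])
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if parsed.offset != int(row["DumpOffset"]) or parsed.size != int(row["DumpSize"]):
            findings.append(
                f"{row['DumpName']}: name says off={parsed.offset} len={parsed.size}, "
                f"csv says off={row['DumpOffset']} len={row['DumpSize']}"
            )
        # Rebuilding the name from the Disk column catches a dump attributed to the wrong device.
        if build_dump_name(row["Disk"], parsed.offset, parsed.size, parsed.description) != row["DumpName"]:
            findings.append(f"{row['DumpName']}: disk part does not match Disk column {row['Disk']!r}")
    return findings


if __name__ == "__main__":
    for finding in check_csv_against_names(SAMPLE_CSV):
        print(finding)
```

<p>Run against a real collection, the CSV text would come from the GetSectors.csv inside the output container; a name/metadata mismatch usually means a truncated read (for instance a slack space region smaller than <code class="docutils literal notranslate"><span class="pre">/SlackSpaceDumpSize</span></code>) and is worth recording with the evidence.</p>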
<p>An output for logging purposes can be used with the syntax found in <a class="reference internal" href="configuring_console_output.html"><span class="doc">Configuring Console Output</span></a>.</p>
</section>
<section id="usage">
<h2>Usage<a class="headerlink" href="#usage" title="Permalink to this heading">¶</a></h2>
<p>A typical syntax to use GetSectors looks like the following:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe GetSectors /LegacyBootCode /SlackSpace /Out=BootCode.7z
DFIR-Orc.exe GetSectors /UefiFull /Out=UefiFull.7z
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>In order to specify something for the tool to dump, at least one option amongst <code class="docutils literal notranslate"><span class="pre">/LegacyBootCode</span></code>, <code class="docutils literal notranslate"><span class="pre">/UefiFull</span></code>, <code class="docutils literal notranslate"><span class="pre">/SlackSpace</span></code> or <code class="docutils literal notranslate"><span class="pre">/Custom</span></code> must be specified.</p>
</div>
<section id="disk-device-option">
<h3><code class="docutils literal notranslate"><span class="pre">/Disk=&lt;Device&gt;</span></code> Option<a class="headerlink" href="#disk-device-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=Windows boot disk</em></p>
<p>Specifies the name of the disk device to read sectors from. A disk image file can also be used.</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>/Disk=\\.\PhysicalDrive0
/Disk=D:\MyImage.dd
</pre></div>
</div>
<p>Access path examples are also proposed in <a class="reference internal" href="configuring_locations.html"><span class="doc">Configuring Locations</span></a> but some are not allowed or do not make sense.</p>
</section>
<section id="legacybootcode-option">
<h3><code class="docutils literal notranslate"><span class="pre">/LegacyBootCode</span></code> Option<a class="headerlink" href="#legacybootcode-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=N/A</em></p>
<p>Predefined logic to dump MBR, VBRs and IPLs (cf. <a class="reference external" href="https://en.wikipedia.org/wiki/Booting">https://en.wikipedia.org/wiki/Booting</a>).</p>
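<p>The MBR dump that <code class="docutils literal notranslate"><span class="pre">/LegacyBootCode</span></code> produces is a single 512-byte sector, so the first thing a responder does with it is validate the boot signature, read the partition table (which gives the offsets at which the VBRs were dumped) and fingerprint the boot code for comparison with a known-good baseline. The following Python is an added example and not DFIR ORC code; it assumes the standard MBR layout (boot code at 0..445, four 16-byte partition entries at 446, signature 0x55AA at 510) and 512-byte sectors, which is what the DiskSectorSize column lets you confirm. The MBR bytes are constructed inline.</p>

```python
"""Parse a 512-byte MBR dump, list its partitions and fingerprint its boot code.

Added example, not part of DFIR ORC. Assumes the classic MBR layout and
512-byte sectors; SAMPLE_MBR below is constructed, not a real collection.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FORMAT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


@dataclass(frozen=True)
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def byte_offset(self) -> int:
        """Disk offset of the partition (and thus of its VBR) for 512-byte sectors."""
        return self.lba_start * SECTOR_SIZE


@dataclass(frozen=True)
class MbrInfo:
    signature_ok: bool
    boot_code_sha256: str
    partitions: tuple
    protective_gpt: bool  # a 0xEE entry means the real layout lives in the GPT header dump


def parse_mbr(dump: bytes) -> MbrInfo:
    if len(dump) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte MBR dump, got {len(dump)} bytes")
    signature_ok = dump[510:512] == BOOT_SIGNATURE
    boot_code_sha256 = hashlib.sha256(dump[:PARTITION_TABLE_OFFSET]).hexdigest()
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        status, type_id, lba_start, count = struct.unpack(ENTRY_FORMAT, dump[start:start + 16])
        if type_id == 0:  # empty slot
            continue
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, count))
    protective = any(p.type_id == 0xEE for p in entries)
    return MbrInfo(signature_ok, boot_code_sha256, tuple(entries), protective)


def compare_boot_code(info: MbrInfo, baseline_sha256: str) -> list:
    """Findings worth recording when checking a collected MBR against a known-good hash."""
    findings = []
    if not info.signature_ok:
        findings.append("missing 0x55AA boot signature")
    if info.boot_code_sha256 != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not info.protective_gpt and not any(p.bootable for p in info.partitions):
        findings.append("no bootable partition flagged")
    return findings


def _entry(status: int, type_id: int, lba_start: int, count: int) -> bytes:
    return struct.pack(ENTRY_FORMAT, status, type_id, lba_start, count)


# Constructed sample: a short placeholder boot code prologue padded with zeros,
# a bootable NTFS-type (0x07) partition at LBA 2048, a second data partition,
# two empty slots and a valid signature.
SAMPLE_MBR = (
    b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PARTITION_TABLE_OFFSET, b"\x00")
    + _entry(0x80, 0x07, 2048, 204800)
    + _entry(0x00, 0x07, 206848, 409600)
    + bytes(32)
    + BOOT_SIGNATURE
)


if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("signature ok:", info.signature_ok, "boot code sha256:", info.boot_code_sha256)
    for p in info.partitions:
        print(f"entry {p.index}: type 0x{p.type_id:02x} bootable={p.bootable} offset={p.byte_offset}")
```

<p>In practice the baseline hash comes from a reference image of the same OS build and the dump bytes from the <code class="docutils literal notranslate"><span class="pre">_MBR.bin</span></code> file in the container; each partition's <code class="docutils literal notranslate"><span class="pre">byte_offset</span></code> should match the <code class="docutils literal notranslate"><span class="pre">_off_</span></code> value in the corresponding VBR dump name.</p>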
</section>
<section id="uefifull-option">
<h3><code class="docutils literal notranslate"><span class="pre">/UefiFull</span></code> Option<a class="headerlink" href="#uefifull-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=Off</em></p>
<p>Dumps the entire EFI partition.</p>
</section>
<section id="uefifullmaxsize-option">
<h3><code class="docutils literal notranslate"><span class="pre">/UefiFullMaxSize</span></code> Option<a class="headerlink" href="#uefifullmaxsize-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=400M</em></p>
<p>Used in combination with the <code class="docutils literal notranslate"><span class="pre">/UefiFull</span></code> option to specify the maximum size to dump. A larger partition is truncated to this size.</p>
</section>
<section id="slackspace-option">
<h3><code class="docutils literal notranslate"><span class="pre">/SlackSpace</span></code> Option<a class="headerlink" href="#slackspace-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=Off</em></p>
<p>Predefined logic to dump samples of sectors located outside any partition.</p>
</section>
<section id="slackspacedumpsize-size-option">
<h3><code class="docutils literal notranslate"><span class="pre">/SlackSpaceDumpSize=&lt;Size&gt;</span></code> Option<a class="headerlink" href="#slackspacedumpsize-size-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=5MB</em></p>
<p>Maximum size, in bytes, of the collected slack space (the unallocated disk space starting after the end of the last partition).
This option is only used when the <code class="docutils literal notranslate"><span class="pre">/SlackSpace</span></code> option is active.</p>
</section>
<section id="custom-option">
<h3><code class="docutils literal notranslate"><span class="pre">/Custom</span></code> Option<a class="headerlink" href="#custom-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=Off</em></p>
<p>Dumps a specific disk extent. Must be followed with <code class="docutils literal notranslate"><span class="pre">/CustomOffset</span></code> and/or <code class="docutils literal notranslate"><span class="pre">/CustomSize</span></code>.</p>
</section>
<section id="customoffset-size-option">
<h3><code class="docutils literal notranslate"><span class="pre">/CustomOffset=&lt;Size&gt;</span></code> Option<a class="headerlink" href="#customoffset-size-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=0</em></p>
<p>Specifies the offset, in bytes, of the disk extent to dump.</p>
</section>
<section id="customsize-size-option">
<h3><code class="docutils literal notranslate"><span class="pre">/CustomSize=&lt;Size&gt;</span></code> Option<a class="headerlink" href="#customsize-size-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=512</em></p>
<p>Specifies the size, in bytes, of the disk extent to dump.</p>
</section>
<section id="out-path-option">
<h3><code class="docutils literal notranslate"><span class="pre">/Out=&lt;Path&gt;</span></code> Option<a class="headerlink" href="#out-path-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=.\GetSectors.7z</em></p>
<p>Specifies the name of the result container. The container can be a folder or an archive (7z, zip, cab). For more details on this option, please refer to the <a class="reference internal" href="configuring_tool_output.html"><span class="doc">output documentation</span></a>.</p>
</section>
<section id="notlowinterface-option">
<h3><code class="docutils literal notranslate"><span class="pre">/NotLowInterface</span></code> Option<a class="headerlink" href="#notlowinterface-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=False</em></p>
<p>By default, GetSectors attempts to open the specified disk through the lowest user-mode accessible interface (usually the bus interface), obtaining that low interface on the disk device with the SetupAPI functions.
<code class="docutils literal notranslate"><span class="pre">/NotLowInterface</span></code> disables this behavior: the tool does not try to obtain a low interface and opens the disk device directly.</p>
</section>
</section>
</section>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="NTFSInfo.html" title="NTFSInfo"
>next</a>
<li class="right" >
<a href="GetSamples.html" title="GetSamples"
>previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="embedded_tool_suite.html" >Embedded Tool Suite</a> »</li>
</ul>
</div>
<div class="footer">
© Copyright 2019, ANSSI. The contents of this documentation are available under the Open License version 2.0 as published by Etalab (French task force for Open Data). The name DFIR ORC and the associated logo belong to ANSSI; no use is permitted without its express approval.
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 5.3.0. Theme is <a href="http://github.com/vimalkvn/solar-theme">Solar</a>
</div>
<script type="text/javascript">
$(document).ready(function() {
$(".toggle > *").hide();
$(".toggle .header").show();
$(".toggle .header").click(function() {
$(this).parent().children().not(".header").toggle(400);
$(this).parent().children(".header").toggleClass("open");
})
});
</script>
</body>
</html>