# Basic Forensic Methodology

<details>

<summary><strong>从零开始学习AWS黑客技术，成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS红队专家）</strong></a><strong>！</strong></summary>

* 您在**网络安全公司**工作吗？想要在HackTricks中看到您的**公司广告**吗？或者想要访问**PEASS的最新版本或下载HackTricks的PDF**吗？查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 发现我们的独家[NFT收藏品**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边**](https://peass.creator-spring.com)
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享您的黑客技巧。

</details>

## 创建和挂载镜像

{% content-ref url="/pages/fYXFr611WCdQcIJ8h5bp" %}
[Image Acquisition & Mount](/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md)
{% endcontent-ref %}

## 恶意软件分析

这**不一定是在获得镜像后执行的第一步**。但是，如果您有文件、文件系统镜像、内存镜像、pcap等，您可以独立使用这些恶意软件分析技术，因此**记住这些操作**是很有用的：

{% content-ref url="/pages/AFkJWcUpYjxhknRqk3TL" %}
[Malware Analysis](/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md)
{% endcontent-ref %}

## 检查镜像

如果您获得了设备的**取证镜像**，您可以开始**分析分区、使用的文件系统**并**恢复**可能**有趣的文件**（甚至是已删除的文件）。在以下位置了解如何操作：

{% content-ref url="/pages/FEphlNPNIgkls7yGdCKs" %}
[Partitions/File Systems/Carving](/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving.md)
{% endcontent-ref %}

根据使用的操作系统甚至平台，应搜索不同的有趣的证据：

{% content-ref url="/pages/ykoz3zsbAu4erV7CUmJj" %}
[Windows Artifacts](/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics.md)
{% endcontent-ref %}

{% content-ref url="/pages/oVsJSNoFq5w0kOSy2srd" %}
[Linux Forensics](/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md)
{% endcontent-ref %}

{% content-ref url="/pages/iSvAMqfYjXgL23HhGhzF" %}
[Docker Forensics](/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md)
{% endcontent-ref %}

## 对特定文件类型和软件进行深入检查

如果您有一个非常**可疑的文件**，那么**根据文件类型和创建它的软件**，可能会有几种**技巧**很有用。\
阅读以下页面以了解一些有趣的技巧：

{% content-ref url="/pages/pI9JRjls0cc8aKSAoJq9" %}
[Specific Software/File-Type Tricks](/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks.md)
{% endcontent-ref %}

我想特别提到页面：

{% content-ref url="/pages/8iPu0c7ZAsqDdLY0ln1K" %}
[Browser Artifacts](/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md)
{% endcontent-ref %}

## 内存转储检查

{% content-ref url="/pages/4o8Zq3oXwodn8ODQ5U81" %}
[Memory dump analysis](/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis.md)
{% endcontent-ref %}

## Pcap检查

{% content-ref url="/pages/bXoxFFucoHBjvTCp3rvP" %}
[Pcap Inspection](/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection.md)
{% endcontent-ref %}

## **反取证技术**

请记住可能使用反取证技术：

{% content-ref url="/pages/lL3dDwWomcJ2QxppRKJJ" %}
[Anti-Forensic Techniques](/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md)
{% endcontent-ref %}

## 威胁猎杀

{% content-ref url="/pages/3YukXsWK5ozpKZSdy5FA" %}
[Baseline Monitoring](/generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md)
{% endcontent-ref %}

<details>

<summary><strong>从零开始学习AWS黑客技术，成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS红队专家）</strong></a><strong>！</strong></summary>

* 您在**网络安全公司**工作吗？想要在HackTricks中看到您的**公司广告**吗？或者想要访问**PEASS的最新版本或下载HackTricks的PDF**吗？查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 发现我们的独家[NFT收藏品**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边**](https://peass.creator-spring.com)
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享您的黑客技巧。

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://hacktricks.xsx.tw/generic-methodologies-and-resources/basic-forensic-methodology.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.