��1�”�(sh��)��ȡ�C����1
1.1��(sh��)��ȡ�C�c��Ӕ�(sh��)��(j��)�C��(j��)1
1.1.1��(sh��)��ȡ�C�ĸ���1
1.1.2��Ӕ�(sh��)��(j��)�����C��(j��)2
1.1.3��Ӕ�(sh��)��(j��)���C��(j��)Ч�����C��(j��)�����C�������|(zh��)�C3
1.1.4��Ӕ�(sh��)��(j��)˾���b��4
1.2��(sh��)��ȡ�C�Č�(sh��)ʩ5
1.2.1��(sh��)��ȡ�C��ԭ�t5
1.2.2��(sh��)��ȡ�C��ģ��6
1.2.3��(sh��)��ȡ�C�Č�(sh��)ʩ8
1.3��(sh��)��ȡ�C�ļ��g(sh��)��(bi��o)��(zh��n)�cҎ(gu��)��12
1.3.1���Ҙ�(bi��o)��(zh��n)12
1.3.2�ИI(y��)��(bi��o)��(zh��n)12
1.3.3���H��(bi��o)��(zh��n)14
1.4��(sh��)��ȡ�C�ĬF(xi��n)���c�l(f��)չ15
1.4.1��(sh��)��ȡ�C�Ěvʷ�c�l(f��)չ15
1.4.2��(sh��)��ȡ�C��څ��(sh��)�c����(zh��n)16
1.5��(x��)�}�c���I(y��)19
���…����īI(xi��n)19 ��2�”�(sh��)��ȡ�C���A(ch��)22
2.1��Ҋ�Ĕ�(sh��)���O(sh��)��22
2.1.1Ӌ(j��)��C(j��)22
2.1.2����(w��)��22
2.1.3�惦(ch��)�O(sh��)��23
2.1.4�Ƅ�(d��ng)�K��25
2.1.5ҕ�l�O(ji��n)���O(sh��)��26
2.2��(sh��)��(j��)�Ĵ惦(ch��)26
2.2.1�M(j��n)��26
2.2.2�ֹ�(ji��)���27��(sh��)��ȡ�CĿ�2.2.3��(sh��)��(j��)�ķ��27
2.2.4��(sh��)��(j��)�ľ��a28
2.3��(sh��)��(j��)���^�V28
2.3.1�����ļ����^�V29
2.3.2�����ļ�����^�V29
2.3.3�����ļ������^�V30
2.4��(sh��)��(j��)������31
2.4.1��������31
2.4.2߉݋����31
2.4.3��������32
2.4.4���t���_(d��)ʽ32
2.5��(x��)�}�c���I(y��)33
���…����īI(xi��n)33 ��3����Ӕ�(sh��)��(j��)�ķ�桢�̶�����ȡ34
3.1��Ӕ�(sh��)��(j��)�ķ��34
3.2��Ӕ�(sh��)��(j��)�Ĺ̶�35
3.2.1��(sh��)��(j��)�̶�����35
3.2.2�R���ļ��ĸ�ʽ37
3.3��Ӕ�(sh��)��(j��)����ȡ38
3.3.1�ھ���(sh��)��(j��)39
3.3.2��ʧ�Ԕ�(sh��)��(j��)39
3.3.3����ʧ�Ԕ�(sh��)��(j��)40
3.4��Ӕ�(sh��)��(j��)��У�(y��n)40
3.4.1��ϣ�㷨40
3.4.2��ϣ��ײ41
3.4.3��ϣ��41
3.5��(x��)�}�c���I(y��)42
���…����īI(xi��n)43 ��4���ļ�ϵ�y(t��ng)�c��(sh��)��(j��)�֏�(f��)44
4.1Ӳ�P����44
4.1.1Ӳ�P�Y(ji��)��(g��u)44
4.1.2MBR�օ^(q��)46
4.1.3GPT�օ^(q��)47
4.2NTFS49
4.2.1NTFS����49
4.2.2MFT51
4.3��(sh��)��(j��)�֏�(f��)56
4.3.1�օ^(q��)�֏�(f��)56
4.3.2�����ļ�ϵ�y(t��ng)�Ĕ�(sh��)��(j��)�֏�(f��)57
4.3.3�����ļ������Ĕ�(sh��)��(j��)�֏�(f��)59
4.4��(x��)�}�c���I(y��)60
���…����īI(xi��n)60 ��5��Windowsȡ�C61
5.1��Ҫ�ĺ��E�ļ�61
5.1.1��Ӱ��(f��)��61
5.1.2����վ62
5.1.3�s�ԈD63
5.1.4��ݷ�ʽ64
5.1.5���D(zhu��n)�б�65
5.1.6�A(y��)�xȡ67
5.1.7�h(yu��n)�����澏��68
5.1.8���(d��ng)�vʷӛ�68
5.1.9֪ͨ����69
5.2ע��(c��)��70
5.2.1ע��(c��)���Y(ji��)��(g��u)71
5.2.2ע��(c��)�����I72
5.2.3ע��(c��)�����Æ�Ԫ75
5.2.4ϵ�y(t��ng)��Ϣ75
5.2.5��(y��ng)�ó�����Ϣ78
5.2.6�Ñ���Ϣ78
5.2.7USB�O(sh��)��ʹ�ú��E78
5.2.8MRU79
5.2.9ShellBags80
5.2.10AutoRun81
5.2.11Amcache�cShimcache81
5.3�¼���־82
5.3.1�¼���־����82
5.3.2��ȫ��־�� �~���͵��84
5.3.3RDP�����־86
5.3.4USB�O(sh��)��ͷօ^(q��)�\����־86
5.4��(n��i)��ȡ�C88
5.4.1��(n��i)��ȡ�C����88
5.4.2Volatility88
5.4.3Redline92
5.5��(x��)�}�c���I(y��)92
���…����īI(xi��n)92 ��6��Linuxȡ�C94
6.1Linuxȡ�C���A(ch��)94
6.1.1Linux�l(f��)�а�94
6.1.2Linux�������� 96
6.1.3�űP�O(sh��)����Ϣ98
6.2����űP���99
6.2.1RAID�Ļ�������100
6.2.2��Ҋ��RAID��(j��)�e101
6.2.3RAID�ؽM�ķ���104
6.3߉݋��������105
6.4Linux�ļ�ϵ�y(t��ng)107
6.4.1Ext4107
6.4.2XFS109
6.4.3Btrfs109
6.4.4FHS110
6.5Linuxȡ�C����112
6.5.1ϵ�y(t��ng)����112
6.5.2�����E113
6.5.3��־�ļ�113
6.6��(x��)�}�c���I(y��)114
���…����īI(xi��n)114 ��7��macOSȡ�C116
7.1macOSȡ�C���A(ch��)116
7.1.1macOS����117
7.1.2macOS��ȫ�C(j��)��118
7.2macOS��(sh��)��(j��)�ī@ȡ118
7.2.1�ھ���(sh��)��(j��)��ȡ118
7.2.2�x����(sh��)��(j��)�̶�119
7.2.3�r(sh��)�g�C(j��)�����120
7.2.4��ݔ�(sh��)��(j��)����120
7.3macOS���еĔ�(sh��)��(j��)121
7.3.1耳�Ȧ121
7.3.2Plist�ļ�122
7.3.3FSEvents123
7.3.4DS_Stores123
7.3.5Spotlight123
7.3.6��(y��ng)���124
7.4macOSȡ�C����125
7.4.1ϵ�y(t��ng)��Ϣ125
7.4.2�Ñ���Ϣ126
7.4.3�Ñ��О�126
7.5��(x��)�}�c���I(y��)128
���…����īI(xi��n)128 ��8��Androidȡ�C129
8.1Androidȡ�C���A(ch��)129
8.1.1Androidϵ�y(t��ng)�İl(f��)չ129
8.1.2Androidϵ�y(t��ng)�ļܘ�(g��u)130
8.1.3Android��ȫ�c����133
8.2Root��(qu��n)�޵ī@ȡ�c�i���ܴa���ƽ�137
8.2.1Fastbootģʽ139
8.2.2���iBootLoader139
8.2.3Recoveryģʽ140
8.2.4ˢ��TWRP140
8.2.5ʹ��SuperSU�@ȡRoot��(qu��n)��143
8.2.6�ƽ�Android�O(sh��)����i���ܴa143
8.3Android�O(sh��)�䔵(sh��)��(j��)�ī@ȡ�c����144
8.3.1�Ĕzȡ�C145
8.3.2߉݋�ɼ�145
8.3.3�����ɼ�147
8.3.4�Ɣ�(sh��)��(j��)ȡ�C148
8.3.5Android��(sh��)��(j��)�ķօ^(q��)�Y(ji��)��(g��u)148
8.4Android�O(sh��)���ȡ�C����150
8.4.1ϵ�y(t��ng)��(y��ng)�ú��E150
8.4.2��������(y��ng)�ú��E150
8.4.3APK�������151
8.5��(x��)�}�c���I(y��)155
���…����īI(xi��n)155 ��9��iOSȡ�C156
9.1iOSȡ�C���A(ch��)156
9.1.1iOSϵ�y(t��ng)�İl(f��)չ156
9.1.2iOSϵ�y(t��ng)�ļܘ�(g��u)157
9.2iOS�ļ�ϵ�y(t��ng)157
9.2.1HFS��APFS157
9.2.2iOS��(bi��o)��(zh��n)Ŀ�158
9.3iOS��ȫ�C(j��)��160
9.3.1��ȫ����(d��ng)160
9.3.2����ģʽ160
9.3.3�i���ܴa161
9.3.4Checkm8�����c“Խ�z”161
9.4���͔ܺ�(sh��)��(j��)���o(h��)162
9.4.1��ȫ���x�^(q��)163
9.4.2��(sh��)��(j��)���o(h��)����165
9.4.3iOS�Д�(sh��)��(j��)���o(h��)�Č�(sh��)�F(xi��n)165
9.5iOS�O(sh��)�䔵(sh��)��(j��)�IJɼ��c����167
9.5.1�Ĕz�ɼ�167
9.5.2�����ɼ�167
9.5.3߉݋�ɼ�167
9.5.4iTunes��ݵĽ���168
9.5.5iCloud��(sh��)��(j��)�ɼ�169
9.6iOS�O(sh��)���ȡ�C����170
9.6.1ϵ�y(t��ng)���E170
9.6.2��(y��ng)�ú��E172
9.7��(x��)�}�c���I(y��)173
���…����īI(xi��n)173 ��10�»�“(li��n)�W(w��ng)��(y��ng)�ó���ȡ�C175
10.1�Ɣ�(sh��)��(j��)ȡ�C175
10.1.1�ٶȾW(w��ng)�P175
10.1.2Google Takeout177
10.2���r(sh��)ͨ��ȡ�C178
10.3����]��ȡ�C179
10.3.1����]��ȡ�C����180
10.3.2����]���ā�Դ181
10.3.3��Ҋ������]���ļ���ʽ181
10.3.4����]����(n��i)�ݵĽ���182
10.4�W(w��ng)퓞g�[��ȡ�C183
10.4.1Google Chromeȡ�C183
10.4.2Mozilla Firefoxȡ�C185
10.4.3Internet Explorerȡ�C186
10.5��(x��)�}�c���I(y��)187
���…����īI(xi��n)187 ��11�¸߼�(j��)��(sh��)��ȡ�C188
11.1�^(q��)�K��c��(sh��)��؛��ȡ�C188
11.1.1�^(q��)�K�188
11.1.2��(sh��)��؛��189
11.2��“(li��n)�W(w��ng)�O(sh��)��ȡ�C191
11.2.1��“(li��n)�W(w��ng)ȡ�C����191
11.2.2·����192
11.2.3��������193
11.2.4���ܴ����O(sh��)��193
11.2.5�o�˙C(j��)194
11.2.6�����O(sh��)��195
11.3��܇ȡ�C195
11.3.1܇“(li��n)�W(w��ng)�c������܇195
11.3.2��܇ȡ�C̽��196
11.4���W(w��ng)ȡ�C197
11.4.1���W(w��ng)����197
11.4.2���W(w��ng)���ܼ��g(sh��)198
11.4.3���W(w��ng)�g�[��ʽ199
11.4.4���W(w��ng)ȡ�C˼·199
11.5��(x��)�}�c���I(y��)200
���…����īI(xi��n)201 ��12�”�(sh��)��ȡ�C������(zh��n)202
12.1�����c����202
12.2��(sh��)��(j��)�[��205
12.3��(sh��)��(j��)����207
12.4��������208
12.5��(x��)�}�c���I(y��)209
���…����īI(xi��n)209