We could take advantage of forensic tools to examine and analyze the evidence, but heavily reliance on forensic tools is risky. It's us that determine what clue is important or not, not forensic tools.  There is a scenario about malware and hacker. Agent 007 finds Carrie's computer infected by CyrptoLocker, and he try to fingure out what's going on. 007 use lots of forensic tools to analye for a very long time, and he recover the malware in partition D. Unfortunately he could not find where the malware is from.

Agent 008 take over this case and start to review 007's report. 008 go back to the evidence and take a look at all e-mails in .pst files. Fortunately he found what's going on between Carrie and her colleague Rick, and the malware pretending a normal anti-virus update file. Look at the pic as below, you could see that the caption of sender is "Sysadmin@mnd.gov.tw", but when you look into the mail header, you will know the authenicatied sender is "rick@mnd.gov.tw".

What forensic tools do is reduce the scope and you could analyze the evidence efficiently. Forensic tools could not "tell" you that it is very suspicious the actual sender is Rick, not Sysadmin, you have to figure it out on your own.

By the way, an experienced forensic guy knows that the caption of sender could be faked, so he/she will take a look at authenicated sender to see if anything strange. The more experience about computer hardware/software, the fewer mistakes you will make.

Heavily reliance on forensic tools is risky的更多相关文章

  1. iTunes - Forensic guys' best friend

    What chances do you think to acquire suspect's data from his/her iDevice? If suspects also use iTune ...

  2. The Best Hacking Tools

    The Best Hacking Tools Hacking Tools : List of security tools specifically aimed toward security pro ...

  3. 八大最安全的Linux发行版,具备匿名功能,做服务器的首选,web,企业服务器等

    10 best Linux distros for privacy fiends and security buffs in 2017 Introduction The awesome operati ...

  4. Linux VM acquisition

    The evidence is a VM as below. The flat vmdk is the real disk, and the vmdk only 1kb is just a descr ...

  5. Device Path in WinPrefetchView

    As we know that the Prefetch file is used for optimizing the loading time of the application in the ...

  6. metasploit-post模块信息

    Name                                             Disclosure Date  Rank    Description ----           ...

  7. Use BEC to do mobile phone forensics

    Belkasoft Evidence Center makes me very impressed that it supports lots of evidence type. I have to ...

  8. Save a bricked Samsung Note 3 and do extraction

    The case scenario was about bank robery and the suspect threw his Samsung Note 3 into the river. For ...

  9. WeChat 6.3 wipe deleted chat messages as well as LINE 5.3 and above

    Let me show you the WeChat version first. It is 6.3. What will happen to WeChat deleted chat message ...

随机推荐

  1. HTML 表单验证和事件

    1.表单验证<form></form> (1).非空验证(去空格) (2).对比验证(跟一个值对比) (3).范围验证(根据一个范围进行判断) (4).固定格式验证:电话号码, ...

  2. c# 函数及out传值

    使用 out传值的时候仅仅是将变量名(箱子)拿过来,并不会管之前是什么值函数体结束之前必须对该out的参数进行赋值,否则报错(不好意思还回去)out传值,可以进行多个值的传回 public void ...

  3. EditText获取焦点显示输入法时布局自动改变的解决方案

    最近在调试Android时,发现当屏幕下方的EditText获取焦点,显示输入法时候.页面布局重新调整而不是整体上移.导致部分控件显示不完全. 最终解决方案是修改项目AnroidManifest.xm ...

  4. Eclipse中构建Fluent风格到Formatter

    The place to set this is on the "Line Wrapping" tab of the code formatting preferences pag ...

  5. AD按键-矩阵按键:

    原理:利用数组分压+AD采集: 优点:一个IO口可以做成多个按键,节省IO口(矩阵键盘在>4时优点才能体现出来):可备用作为AD基准输入. 缺点:不能做成组合按键(或者电阻要精确选择):且离IO ...

  6. Ecshop(二次开发) - 后台添加左侧菜单导航

    1.链接地址:修改 admin\includes\inc_menu.php 文件. $modules['17_syn_data']['view_syn']        =    'synchroni ...

  7. 如何利用jQuery进行简单表单验证

    <!DOCTYPE html><html><head><meta charset="utf-8"><meta name=&qu ...

  8. jdk之jhat命令

    jhat命令 -- JavaHeap Analyse Tool 用途:是用来分析Java堆的命令,可以将堆中的对象以html的形式显示出来,包括对象的数量,大小等等,并支持对象查询语言第一步:导出堆  ...

  9. IDEA Community(社区版) 使用Maven创建Web工程 并部署tomcat

    由于IDEA社区版(Community)无法直接New一个Web Appplication 所以要使用maven来创建 1.创建一个Project 2. 3. 4.这里在Properties中添加一个 ...

  10. 《一课经济学》书摘笔记I

    人在经济活动中追求私利的天性,以及天生短视的倾向(即总是只关注某项政策的即时影响,或者只关注政策对某个特殊群体产生的影响,而不去探究那项政策对所有群体造成的长远影响)以上种种致使经济规律的研究复杂艰难 ...