We could take advantage of forensic tools to examine and analyze the evidence, but heavily reliance on forensic tools is risky. It's us that determine what clue is important or not, not forensic tools.  There is a scenario about malware and hacker. Agent 007 finds Carrie's computer infected by CyrptoLocker, and he try to fingure out what's going on. 007 use lots of forensic tools to analye for a very long time, and he recover the malware in partition D. Unfortunately he could not find where the malware is from.

Agent 008 take over this case and start to review 007's report. 008 go back to the evidence and take a look at all e-mails in .pst files. Fortunately he found what's going on between Carrie and her colleague Rick, and the malware pretending a normal anti-virus update file. Look at the pic as below, you could see that the caption of sender is "Sysadmin@mnd.gov.tw", but when you look into the mail header, you will know the authenicatied sender is "rick@mnd.gov.tw".

What forensic tools do is reduce the scope and you could analyze the evidence efficiently. Forensic tools could not "tell" you that it is very suspicious the actual sender is Rick, not Sysadmin, you have to figure it out on your own.

By the way, an experienced forensic guy knows that the caption of sender could be faked, so he/she will take a look at authenicated sender to see if anything strange. The more experience about computer hardware/software, the fewer mistakes you will make.

Heavily reliance on forensic tools is risky的更多相关文章

  1. iTunes - Forensic guys' best friend

    What chances do you think to acquire suspect's data from his/her iDevice? If suspects also use iTune ...

  2. The Best Hacking Tools

    The Best Hacking Tools Hacking Tools : List of security tools specifically aimed toward security pro ...

  3. 八大最安全的Linux发行版,具备匿名功能,做服务器的首选,web,企业服务器等

    10 best Linux distros for privacy fiends and security buffs in 2017 Introduction The awesome operati ...

  4. Linux VM acquisition

    The evidence is a VM as below. The flat vmdk is the real disk, and the vmdk only 1kb is just a descr ...

  5. Device Path in WinPrefetchView

    As we know that the Prefetch file is used for optimizing the loading time of the application in the ...

  6. metasploit-post模块信息

    Name                                             Disclosure Date  Rank    Description ----           ...

  7. Use BEC to do mobile phone forensics

    Belkasoft Evidence Center makes me very impressed that it supports lots of evidence type. I have to ...

  8. Save a bricked Samsung Note 3 and do extraction

    The case scenario was about bank robery and the suspect threw his Samsung Note 3 into the river. For ...

  9. WeChat 6.3 wipe deleted chat messages as well as LINE 5.3 and above

    Let me show you the WeChat version first. It is 6.3. What will happen to WeChat deleted chat message ...

随机推荐

  1. python(5)字符串处理 (sub,replace,find,index,upper,strip,split,sub翻页

    一,sub和replace的用法 re.sub 函数进行以正则表达式为基础的替换工作 re.sub替换到目标字符串中的a,b或者c,并全部替换 另加上sub翻页操作: re.sub('start=\d ...

  2. 点击Listview弹出PopWindow的用法

    先来张截图: 如图点击listview中的Item在item的下方弹出一个框框,这个框框就是用的Popwindow.    用法很简单:首先写一个PopupWindow并自定义它的布局:       ...

  3. Cassandra安装及其简单试用

    官方主页:http://cassandra.apache.org/ 简介: The Apache Cassandra Project develops a highly scalable second ...

  4. jsp页面编译成Servlet类文件

    package org.apache.jsp; import javax.servlet.*; import javax.servlet.http.*; import javax.servlet.js ...

  5. Maven pom.xml 配置详解

    http://niuzhenxin.iteye.com/blog/2042102 http://blog.csdn.net/u012562943/article/details/51690744 po ...

  6. Dubbo 应用容器

    Dubbo的容器模块,是一个独立的容器,因为服务通常不需要Tomcat/JBoss等Web容器的特性,没必要用Web容器去加载服务. 服务容器只是一个简单的Main方法,并加载一个简单的Spring容 ...

  7. LeetCode 58. Length of Last Word

    Given a string s consists of upper/lower-case alphabets and empty space characters ' ', return the l ...

  8. nyoj 54-小明的存钱计划

    点击打开链接 小明的存钱计划 时间限制:3000 ms  |  内存限制:65535 KB 难度:2 描述 小明的零花钱一直都是自己管理.每个月的月初妈妈给小明300元钱,小明会预算这个月的花销,并且 ...

  9. Hardwood Species(水)

    Time Limit:10000MS    Memory Limit:65536KB    64bit IO Format:%I64d & %I64u SubmitStatus Descrip ...

  10. HashCode equals

    HashCode: hashcode就是一个签名.当两个对象的hashcode一样时,两个对象就有可能一样.如果不一样的话两个对象就肯定不一样.一般用hashcode来进行比较两个东西是不是一样的,可 ...