Heavy reliance on forensic tools is risky
We can take advantage of forensic tools to examine and analyze evidence, but heavy reliance on forensic tools is risky. It is we who determine which clue is important, not the forensic tools. Here is a scenario about malware and a hacker. Agent 007 finds Carrie's computer infected by CryptoLocker, and he tries to figure out what is going on. 007 uses lots of forensic tools and analyzes for a very long time, and he recovers the malware in partition D. Unfortunately, he could not find where the malware came from.
Agent 008 takes over this case and starts by reviewing 007's report. 008 goes back to the evidence and takes a look at all the e-mails in the .pst files. Fortunately, he finds out what went on between Carrie and her colleague Rick: the malware was pretending to be a normal anti-virus update file. Look at the picture below: the caption of the sender is "Sysadmin@mnd.gov.tw", but when you look into the mail header, you will see that the authenticated sender is "rick@mnd.gov.tw".
What forensic tools do is reduce the scope so that you can analyze the evidence efficiently. Forensic tools cannot "tell" you that it is very suspicious that the actual sender is Rick, not Sysadmin; you have to figure that out on your own.
By the way, an experienced forensic examiner knows that the caption of the sender can be faked, so he/she will take a look at the authenticated sender to see if anything is strange. The more experience you have with computer hardware and software, the fewer mistakes you will make.
