We could take advantage of forensic tools to examine and analyze the evidence, but heavy reliance on forensic tools is risky. It is we who determine which clue is important, not the forensic tools. Here is a scenario involving malware and a hacker. Agent 007 finds Carrie's computer infected by CryptoLocker and tries to figure out what happened. 007 uses lots of forensic tools and analyzes for a very long time, and he recovers the malware in partition D. Unfortunately he cannot find where the malware came from.

Agent 008 takes over the case and starts by reviewing 007's report. 008 goes back to the evidence and takes a look at all e-mails in the .pst files. Fortunately he finds what went on between Carrie and her colleague Rick: the malware was disguised as a normal anti-virus update file. Look at the picture below: the displayed sender is "Sysadmin@mnd.gov.tw", but when you look into the mail header you will see that the authenticated sender is "rick@mnd.gov.tw".

What forensic tools do is reduce the scope so that you can analyze the evidence efficiently. Forensic tools cannot "tell" you that it is very suspicious that the actual sender is Rick, not Sysadmin; you have to figure that out on your own.

By the way, an experienced forensic examiner knows that the displayed sender can be faked, so he/she will take a look at the authenticated sender to see if anything is strange. The more experience you have with computer hardware and software, the fewer mistakes you will make.
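The check 008 did by hand, comparing the displayed sender against the authenticated sender, can be scripted as a first-pass triage over a mailbox. The script below is an added example, not part of the original post or of any forensic tool it mentions. It assumes the messages have been exported from the .pst into standard MIME (.eml) form, and it treats the `Authentication-Results` `smtp.mailfrom`, `Sender:` and `Return-Path:` headers as the "authenticated sender"; the two sample messages are constructed here and modelled on the case in the post. It only flags candidates for a human to look at, which is exactly the point of the post: the tool narrows the scope, the examiner decides.

```python
"""Triage e-mails whose visible From: does not match the authenticated/envelope sender.

Added example (not from the original post). Assumes MIME (.eml) input.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample modelled on the post: display name says Sysadmin,
# but the server-authenticated sender is rick@mnd.gov.tw.
SPOOFED_MESSAGE = """\
Return-Path: <rick@mnd.gov.tw>
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=rick@mnd.gov.tw
Sender: rick@mnd.gov.tw
From: Sysadmin <Sysadmin@mnd.gov.tw>
To: carrie@mnd.gov.tw
Subject: Anti-virus update
Content-Type: text/plain

Please run the attached update.
"""

# Constructed benign sample: displayed and envelope sender agree.
CLEAN_MESSAGE = """\
Return-Path: <rick@mnd.gov.tw>
From: Rick <rick@mnd.gov.tw>
To: carrie@mnd.gov.tw
Subject: Lunch
Content-Type: text/plain

Noon?
"""

# smtp.mailfrom=<addr> inside an Authentication-Results header
MAILFROM_RE = re.compile(r"smtp\.mailfrom=([^\s;]+)", re.IGNORECASE)


def parse_message(raw):
    """Parse raw RFC 5322 text into an EmailMessage (lenient default policy)."""
    return Parser(policy=policy.default).parsestr(raw)


def authenticated_sender(msg):
    """Return the best available authenticated/envelope sender, lower-cased.

    Preference order: Authentication-Results smtp.mailfrom, then Sender:,
    then Return-Path:. Returns None when none of them is present.
    """
    for value in msg.get_all("Authentication-Results", []):
        match = MAILFROM_RE.search(str(value))
        if match:
            return match.group(1).strip("<>").lower()
    for header in ("Sender", "Return-Path"):
        value = msg.get(header)
        if value:
            address = parseaddr(str(value))[1]
            if address:
                return address.lower()
    return None


def analyse_sender(raw):
    """Compare the displayed From: with the authenticated sender and report mismatches."""
    msg = parse_message(raw)
    display_name, from_address = parseaddr(str(msg.get("From", "")))
    auth = authenticated_sender(msg)
    findings = []

    # The core check from the post: who really sent it versus who it claims to be.
    if auth and from_address and auth != from_address.lower():
        findings.append(
            f"From address {from_address} differs from authenticated sender {auth}"
        )

    # A display name that itself looks like an address is a common trick to
    # make mail clients show a different mailbox than the real From address.
    if "@" in display_name and display_name.lower() != from_address.lower():
        findings.append(
            f"display name {display_name!r} looks like a different address than {from_address}"
        )

    return {
        "display_name": display_name,
        "from_address": from_address,
        "authenticated_sender": auth,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        result = analyse_sender(raw)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("   ", finding)
```

Run against a directory of exported .eml files, the `findings` list gives the examiner a short list of messages where the displayed sender and the authenticated sender disagree. A hit is not proof of malice (mailing lists and delegated mailboxes legitimately produce such mismatches), which is why the script reports rather than decides.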
