We could take advantage of forensic tools to examine and analyze the evidence, but heavily reliance on forensic tools is risky. It's us that determine what clue is important or not, not forensic tools.  There is a scenario about malware and hacker. Agent 007 finds Carrie's computer infected by CyrptoLocker, and he try to fingure out what's going on. 007 use lots of forensic tools to analye for a very long time, and he recover the malware in partition D. Unfortunately he could not find where the malware is from.

Agent 008 take over this case and start to review 007's report. 008 go back to the evidence and take a look at all e-mails in .pst files. Fortunately he found what's going on between Carrie and her colleague Rick, and the malware pretending a normal anti-virus update file. Look at the pic as below, you could see that the caption of sender is "Sysadmin@mnd.gov.tw", but when you look into the mail header, you will know the authenicatied sender is "rick@mnd.gov.tw".

What forensic tools do is reduce the scope and you could analyze the evidence efficiently. Forensic tools could not "tell" you that it is very suspicious the actual sender is Rick, not Sysadmin, you have to figure it out on your own.

By the way, an experienced forensic guy knows that the caption of sender could be faked, so he/she will take a look at authenicated sender to see if anything strange. The more experience about computer hardware/software, the fewer mistakes you will make.

Heavily reliance on forensic tools is risky的更多相关文章

  1. iTunes - Forensic guys' best friend

    What chances do you think to acquire suspect's data from his/her iDevice? If suspects also use iTune ...

  2. The Best Hacking Tools

    The Best Hacking Tools Hacking Tools : List of security tools specifically aimed toward security pro ...

  3. 八大最安全的Linux发行版,具备匿名功能,做服务器的首选,web,企业服务器等

    10 best Linux distros for privacy fiends and security buffs in 2017 Introduction The awesome operati ...

  4. Linux VM acquisition

    The evidence is a VM as below. The flat vmdk is the real disk, and the vmdk only 1kb is just a descr ...

  5. Device Path in WinPrefetchView

    As we know that the Prefetch file is used for optimizing the loading time of the application in the ...

  6. metasploit-post模块信息

    Name                                             Disclosure Date  Rank    Description ----           ...

  7. Use BEC to do mobile phone forensics

    Belkasoft Evidence Center makes me very impressed that it supports lots of evidence type. I have to ...

  8. Save a bricked Samsung Note 3 and do extraction

    The case scenario was about bank robery and the suspect threw his Samsung Note 3 into the river. For ...

  9. WeChat 6.3 wipe deleted chat messages as well as LINE 5.3 and above

    Let me show you the WeChat version first. It is 6.3. What will happen to WeChat deleted chat message ...

随机推荐

  1. Tesseract训练笔记

    [参考] http://www.cnblogs.com/samlin/p/Tesseract-OCR.html https://code.google.com/p/tesseract-ocr/wiki ...

  2. 打印1到最大的n位数

    打印1到最大的n位数----java实现 题目:输入数字n,按顺序打印出从1到最大的n位十进制数.比如,输入3,则打印出1,2,3,.....,一直到最大的3位数即999. 分析: 1.这是一个典型的 ...

  3. linux下安装easy_install的方法

    python中的easy_install工具,类似于Php中的pear,或者Ruby中的gem,或者Perl中的cpan,那是相当的爽歪歪了如果想使用 如果想使用easy_install工具,可能需要 ...

  4. Cocoa编程中视图控制器与视图类详解

    iPhone编程规则是:一个窗口,多个视图.UIView是iPhone屏幕上很多控件的基础类.每个iPhone用户界面都是由显示在UIWindow(这其实也是个特殊的UIView)内的众多UIView ...

  5. Failed to create the java virtual machine完全解决办法

    一直用EcliPSe开发java,突然有这么一天,无法启动了,splash窗口显示“Failed to create the Java Virtual Machine”,结果发现eclipse和mye ...

  6. cshell学习

    一. 文件的读写执行: 1)读:可以显示该文件的内容 2)写:可以编辑或者删除它 3)执行:如果该文件是一个shell脚本或者程序. 如果希望一次设置目录下所有文件的权限,可使用:chmod 644 ...

  7. .NET连接池的配置 【转】

    ADO.Net 在数据库操作过程中默认打开了连接池,不需要再进行手工配置.这个特性可以使数据库操作时效率提高,但也要有相应的代码配合,才能真正提高程序效率. 1.连接字符串 ADO.Net 中的连接池 ...

  8. AndroidManifest.xml 屏幕上下反转

    通常我们的应用只会设计成横屏或者竖屏,锁定横屏或竖屏的方法是在AndroidManifest.xml 文件中设定属性android:screenOrientation为"landscape& ...

  9. MySQL的循环语句使用总结

    REPEAT-UNTIL循环 [loopname]:REPEAT commands; UNTIL condition END REPEAT [loopname]; 在这种循环里,关键字repeat和u ...

  10. Hive基础之Hive开启查询列名及行转列显示

    Hive默认情况下查询结果里面是只显示值: hive> select * from click_log; OK ad_101 :: ad_102 :: ad_103 :: ad_104 :: a ...