My friend is a developer and her colleague May was suspected of stealing the source code of an important project "X". The Police searched her apartment and seized her brand new laptop which OS is Win10 Pro.  Forensic guy Terry used EnCase to do evidence processing . To his surprise, only one usb thumb drive "SanDisk" found in "USB Records".

Terry checked LNK files artifacts and found a very interesting thing. According to the volume serial number, we could distinguish which volume belongs to local drive. Local drive only has one volume and its drive letter is "C". Terry found two volume serial number "d63e3c12" and "beebc8cb" related to external drive as below.

Fortunately LNK file artifacts gave Terry very important clue. Terry believed that more than one usb thumb drive's been plugged into May's laptop. Why EnCase missed some usb activities in the evidence files?

We can not be too careful to analyze the evidence when something strange occurs.Let's use another forensic tool to examine usb artifacts again. Besides sandisk another usb thumb drive found and its name is "Seagate ". The same name found in LNK files artifacts.

According the volume serial number and usb deive serial number as above, the Police found those two usb storage devices in May's company. Finally  May admited that she copied the source code of project "X" into a SanDisk usb thumb drive and a 2.5" Seagate Backup Plus usb drive. And she brought those two usb device home.  She'd like to sell those stuff to earn more money.

Guidance should take a look at its "USB Records" to see what's wrong with incomplete usb activities after evidence processing.

EnCase missed some usb activities in the evidence files的更多相关文章

  1. LiveView 0.8 RC1 could boot evidence files acquired from Win10 64bit

    The latest Windows 10 will be more and more popular in the very near future. Now let's take a look i ...

  2. Another option to bootup evidence files

    When it comes to booting up evidence files acquired from target disk, you got two options. One is VF ...

  3. How to find missing USB Records?

    In my previously article "EnCase missed some USB activities in the evidence files", I ment ...

  4. [DFNews] EnCase v7.08发布

    EnCase v7.08 近日正式发布,7.08增加了Evidence Processor Manager以及Evidence Processor,不仅可以在本地实现证据处理队列,也支持了通过网络进行 ...

  5. EnCase v7 could not recognize Chinese character folder names / file names on Linux Platform

    Last week my friend brought me an evidence file duplicated from a Linux server, which distribution i ...

  6. Android USB Connections Explained: MTP, PTP, and USB Mass Storage

    Android USB Connections Explained: MTP, PTP, and USB Mass Storage Older Android devices support USB ...

  7. macOS & USB stick

    macOS & USB stick why macOS can only read USB stick, can not write files to USB stick macos 无法写文 ...

  8. File signature analysis failed to recognize .old file

    My friend May she found a strange file called "bkp.old" as below in the evidence files. Sh ...

  9. Use LiveCD to acquire images from a VM

    Forensic examiners usually acquire images from suspect's PC or Laptop. What if the target computer i ...

随机推荐

  1. css 禁止长按保存功能

    *{-webkit-user-select: none;-moz-user-select: none;-ms-user-select: none;user-select: none;} 或者指定某个元 ...

  2. C# 三层架构之系统的登录验证与添加数据的实现

    利用三层架构体系,实现学生管理系统中用户的登录与添加班级信息的功能,一下代码为具体实现步骤的拆分过程: 一.用户登录界面功能的实现 1.在数据访问层(LoginDAL)进行对数据库中数据的访问操作 u ...

  3. TC358775XBG:MIPI DSI转双路LVDS芯片简介

    TC358775XBG是一颗MIPI DSI转双路LVDS芯片,通信方式:IIC/MIPI command mode,分辨率1920*1200,封装形式:BGA64.

  4. Net分布式系统之七:日志采集系统(1)

    日志对大型应用系统或者平台尤其重要,系统日志采集.分析是系统运维.维护及用户分析的基础. 一.系统日志分类 一般系统日志可分为三大类: 1.用户行为日志:通过采集系统用户使用系统过程中,一系列的操作日 ...

  5. jquery_mobile事件

    1 <!doctype html> 2 <html> 3 <head> 4 <meta charset="utf-8"> 5 < ...

  6. chrome开发工具指南(四)

    Sources 面板中 代码段是您可以从任何页面运行的小脚本(类似于小书签). 使用"Evaluate in Console"功能可以在控制台中运行部分代码段. 请注意,Sourc ...

  7. 日期时间范围选择插件:daterangepicker使用总结

    分享说明: 项目中要使用日期时间范围选择对数据进行筛选;精确到年月日 时分秒;起初,使用了layui的时间日期选择插件;但是在IIE8第一次点击会报设置格式错误;研究了很久没解决,但能确定不是layu ...

  8. 10 Logistic Regression

    线性分类中的是非题 --->概率题 (设置概率阈值后,大于等于该值的为O,小于改值的为X) --->逻辑回归 O为1,X为0 逻辑回归假设 逻辑函数/S型函数:光滑,单调 自变量趋于负无穷 ...

  9. ps中如何让图层在画布内水平居中

    下图每个小logo图案距离它们的上参考线的距离均为10px,而我们如何让图层在画布内水平居中??? 如上图中三个图层的图案是用来给Html/Css中的background属性使用的,虽然可以通过鼠标拖 ...

  10. java四则运算生成器

    题目描述: 从<构建之法>第一章的 "程序" 例子出发,像阿超那样,花二十分钟写一个能自动生成小学四则运算题目的命令行 "软件",满足以下需求: 除 ...