My friend is a developer and her colleague May was suspected of stealing the source code of an important project "X". The Police searched her apartment and seized her brand new laptop which OS is Win10 Pro.  Forensic guy Terry used EnCase to do evidence processing . To his surprise, only one usb thumb drive "SanDisk" found in "USB Records".

Terry checked LNK files artifacts and found a very interesting thing. According to the volume serial number, we could distinguish which volume belongs to local drive. Local drive only has one volume and its drive letter is "C". Terry found two volume serial number "d63e3c12" and "beebc8cb" related to external drive as below.

Fortunately LNK file artifacts gave Terry very important clue. Terry believed that more than one usb thumb drive's been plugged into May's laptop. Why EnCase missed some usb activities in the evidence files?

We can not be too careful to analyze the evidence when something strange occurs.Let's use another forensic tool to examine usb artifacts again. Besides sandisk another usb thumb drive found and its name is "Seagate ". The same name found in LNK files artifacts.

According the volume serial number and usb deive serial number as above, the Police found those two usb storage devices in May's company. Finally  May admited that she copied the source code of project "X" into a SanDisk usb thumb drive and a 2.5" Seagate Backup Plus usb drive. And she brought those two usb device home.  She'd like to sell those stuff to earn more money.

Guidance should take a look at its "USB Records" to see what's wrong with incomplete usb activities after evidence processing.

EnCase missed some usb activities in the evidence files的更多相关文章

  1. LiveView 0.8 RC1 could boot evidence files acquired from Win10 64bit

    The latest Windows 10 will be more and more popular in the very near future. Now let's take a look i ...

  2. Another option to bootup evidence files

    When it comes to booting up evidence files acquired from target disk, you got two options. One is VF ...

  3. How to find missing USB Records?

    In my previously article "EnCase missed some USB activities in the evidence files", I ment ...

  4. [DFNews] EnCase v7.08发布

    EnCase v7.08 近日正式发布,7.08增加了Evidence Processor Manager以及Evidence Processor,不仅可以在本地实现证据处理队列,也支持了通过网络进行 ...

  5. EnCase v7 could not recognize Chinese character folder names / file names on Linux Platform

    Last week my friend brought me an evidence file duplicated from a Linux server, which distribution i ...

  6. Android USB Connections Explained: MTP, PTP, and USB Mass Storage

    Android USB Connections Explained: MTP, PTP, and USB Mass Storage Older Android devices support USB ...

  7. macOS & USB stick

    macOS & USB stick why macOS can only read USB stick, can not write files to USB stick macos 无法写文 ...

  8. File signature analysis failed to recognize .old file

    My friend May she found a strange file called "bkp.old" as below in the evidence files. Sh ...

  9. Use LiveCD to acquire images from a VM

    Forensic examiners usually acquire images from suspect's PC or Laptop. What if the target computer i ...

随机推荐

  1. 简述C/C++调用lua中实现的自定义函数

    1.首先说下目的,为什么要这么做 ? 正式项目中,希望主程序尽量不做修改,于是使用C/C++完成功能的主干(即不需要经常变动的部分)用lua这类轻量级的解释性语言实现一些存在不确定性的功能逻辑:所以, ...

  2. linux命令详解(一)netstat

    今天在使用linux的时候,要查看端口号,但是不知道要使用哪一个命令所以就学习了一下,原来是使用netstat,接下来给大家一起来学习. 一.netstat介绍 1.1.简介 Netstat 命令用于 ...

  3. markdown常用语法教程

    1. 标题 总共六级标题,"#"号后面最好加空格,美观可以在后面加上对应数量的"#" # 一级标题 ## 二级标题 ### 三级标题 #### 四级标题 ### ...

  4. CSS基础用法

    [CSS常用选择器] 标签选择器 写法: HTML标签名{}作用: 可以选中页面中,所有与选择器同名的HTML标签. 类选择器(class选择器)写法: .class名{}调用: 在需要调用选择器样式 ...

  5. LAMP一键安装

    author:JevonWei 版权声明:原创作品 #!/bin/bash 定义变量 export MDB=$(rpm -qa *mariadb*) export HTT=$(rpm -qa *htt ...

  6. Akka(24): Stream:从外部系统控制数据流-control live stream from external system

    在数据流应用的现实场景中常常会遇到与外界系统对接的需求.这些外部系统可能是Actor系统又或者是一些其它类型的系统.与这些外界系统对接的意思是在另一个线程中运行的数据流可以接收外部系统推送的事件及做出 ...

  7. tomcat 和 jboss access log 日志输出详解

    详见:http://blog.yemou.net/article/query/info/tytfjhfascvhzxcyt179 工作中nginx+jboss/tomcat反向代理集成,想打开后端jb ...

  8. [C#] 分布式ID自增算法 Snowflake

    最近在尝试EF的多数据库移植,但是原始项目中主键用的Sqlserver的GUID.MySQL没法移植了. 其实发现GUID也没法保证数据的递增性,又不太想使用int递增主键,就开始探索别的ID形式. ...

  9. [我所理解的REST] 2.REST用来干什么的?

    笔者每当遇到一个新事物的想去了解的时候,总是会问上自己第一个问题,这个新事物是干什么用的?在解释我所理解的REST这个过程中也不例外,这篇博客我们先关注一下REST是干什么用的,然后后续再解释REST ...

  10. BGP基础【第三部】

    静态路由的优点:安全稳定.缺点:配置繁琐不灵活.动态路由的优缺点则反之. BGP边界网关路由协议 路径向量(rip是距离矢量) 到达目的网段所要经过的所有as BGP选路不看度量值而参考13种路径属性 ...