My friend is a developer, and her colleague May was suspected of stealing the source code of an important project, "X". The police searched May's apartment and seized her brand-new laptop, which runs Windows 10 Pro. Terry, the forensic examiner, used EnCase to process the evidence. To his surprise, only one USB thumb drive, a "SanDisk", showed up in EnCase's "USB Records".

Terry then checked the LNK file artifacts and found something interesting. Each LNK file records the volume serial number of the volume its target lived on, so we can tell which shortcuts point at the local drive and which point elsewhere. The laptop has only one local volume, drive "C". Terry found two further volume serial numbers, "d63e3c12" and "beebc8cb", that do not belong to the local drive and therefore point to external drives, as shown below.

Fortunately, the LNK file artifacts gave Terry a very important clue: more than one USB storage device had been plugged into May's laptop. Why did EnCase miss some of the USB activity in the evidence files?
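The check Terry performed, as an added example that is not part of the original post: parse the LinkInfo/VolumeID structure of Windows .lnk files (documented in MS-SHLLINK) to recover the volume serial number, drive type, label and local path of each shortcut target, then set aside the laptop's own volume by serial so that whatever remains must have been reached through an external volume. The .lnk blobs are constructed inline by a small builder; the C: serial, the volume labels and the file paths are made up for illustration, and only the two external serials are taken from the post.

```python
"""Added example, not from the original post: parse the LinkInfo/VolumeID
structure of Windows .lnk files (MS-SHLLINK) to recover the volume serial
number and drive type of the shortcut target, then separate the laptop's
own volume from external ones by serial.  The .lnk blobs, the local C:
serial, the labels and the paths are constructed test data; only the two
external serials come from the post."""
import struct
import sys

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}


def _cstring(data, off):
    """NUL-terminated ANSI string starting at off."""
    return data[off:data.index(b"\x00", off)].decode("cp1252", errors="replace")


def _wstring(data, off):
    """NUL-terminated UTF-16LE string starting at off (bounded scan)."""
    end = off
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[off:end].decode("utf-16-le", errors="replace")


def parse_lnk_volume(data):
    """Return drive type, volume serial, label and local base path recorded in
    a .lnk file, or None when it carries no VolumeID (e.g. a network target)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                   # end of the fixed ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the optional IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    li = pos                                     # LinkInfo; its offsets are relative to li
    (_size, _hdr_size, li_flags, vol_off, path_off,
     _net_off, _suffix_off) = struct.unpack_from("<7I", data, li)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    vol = li + vol_off
    _vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
    if label_off == 0x14:                        # label is UTF-16; real offset in the extra field
        label = _wstring(data, vol + struct.unpack_from("<I", data, vol + 16)[0])
    else:
        label = _cstring(data, vol + label_off)
    return {"drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)),
            "serial": f"{serial:08x}", "label": label,
            "local_base_path": _cstring(data, li + path_off)}


def external_volumes(lnk_blobs, local_serials):
    """Group shortcut targets by volume serial and drop the known local volume(s).
    What remains was reached through a volume that is not part of the laptop,
    whatever DriveType it reports."""
    found = {}
    for blob in lnk_blobs:
        info = parse_lnk_volume(blob)
        if info is None or info["serial"] in local_serials:
            continue
        entry = found.setdefault(info["serial"], {"drive_type": info["drive_type"],
                                                  "label": info["label"], "paths": []})
        entry["paths"].append(info["local_base_path"])
    return found


def build_sample_lnk(drive_type, serial, label, local_path):
    """Build a minimal .lnk (header + LinkInfo + ANSI VolumeID) as constructed test input."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_LINK_INFO)
    header += b"\x00" * (0x4C - len(header))     # attributes, timestamps, etc. zeroed
    label_b = label.encode("ascii") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 16) + label_b
    path_b = local_path.encode("ascii") + b"\x00"
    vol_off = 0x1C                               # LinkInfoHeaderSize without Unicode offsets
    path_off = vol_off + len(volume_id)
    suffix_off = path_off + len(path_b)          # empty CommonPathSuffix follows the path
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, path_off, 0, suffix_off)
    return header + link_info + volume_id + path_b + b"\x00"


LOCAL_C_SERIAL = 0x1A2B3C4D   # made-up serial for the laptop's own C: volume
SAMPLE_LNKS = [               # constructed shortcuts; labels and paths are illustrative
    build_sample_lnk(3, LOCAL_C_SERIAL, "Windows", r"C:\Users\may\Documents\notes.txt"),
    build_sample_lnk(2, 0xD63E3C12, "SANDISK", r"E:\project_X\src.zip"),
    build_sample_lnk(3, 0xBEEBC8CB, "Seagate", r"F:\backup\project_X\trunk"),
]

if __name__ == "__main__":
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or SAMPLE_LNKS
    for serial, v in external_volumes(blobs, {f"{LOCAL_C_SERIAL:08x}"}).items():
        print(serial, v["drive_type"], v["label"], *v["paths"], sep="  ")
```

Run it with no arguments to see the constructed case, or pass exported .lnk files (for example from the user's Recent folder) to triage a real image. The Seagate sample is deliberately given DriveType FIXED: a 2.5" USB hard disk is presented to Windows as a fixed disk rather than removable media, so filtering on DriveType alone would keep only the thumb drive, while comparing serials against the known local volume, as Terry did, catches both.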

We cannot be too careful when something strange shows up in the evidence. Let's use another forensic tool to examine the USB artifacts again. Besides the SanDisk, it found a second USB storage device, named "Seagate". The same name appears in the LNK file artifacts.

Using the volume serial numbers and the USB device serial numbers above, the police found both USB storage devices at May's company. May finally admitted that she had copied the source code of project "X" onto a SanDisk USB thumb drive and a 2.5" Seagate Backup Plus USB drive, taken both devices home, and intended to sell the code to make some extra money.

Guidance Software should take a look at its "USB Records" module to find out why the USB activity it reports after evidence processing is incomplete.
