My friend is a developer and her colleague May was suspected of stealing the source code of an important project "X". The Police searched her apartment and seized her brand new laptop which OS is Win10 Pro.  Forensic guy Terry used EnCase to do evidence processing . To his surprise, only one usb thumb drive "SanDisk" found in "USB Records".

Terry checked LNK files artifacts and found a very interesting thing. According to the volume serial number, we could distinguish which volume belongs to local drive. Local drive only has one volume and its drive letter is "C". Terry found two volume serial number "d63e3c12" and "beebc8cb" related to external drive as below.

Fortunately LNK file artifacts gave Terry very important clue. Terry believed that more than one usb thumb drive's been plugged into May's laptop. Why EnCase missed some usb activities in the evidence files?

We can not be too careful to analyze the evidence when something strange occurs.Let's use another forensic tool to examine usb artifacts again. Besides sandisk another usb thumb drive found and its name is "Seagate ". The same name found in LNK files artifacts.

According the volume serial number and usb deive serial number as above, the Police found those two usb storage devices in May's company. Finally  May admited that she copied the source code of project "X" into a SanDisk usb thumb drive and a 2.5" Seagate Backup Plus usb drive. And she brought those two usb device home.  She'd like to sell those stuff to earn more money.

Guidance should take a look at its "USB Records" to see what's wrong with incomplete usb activities after evidence processing.

EnCase missed some usb activities in the evidence files的更多相关文章

  1. LiveView 0.8 RC1 could boot evidence files acquired from Win10 64bit

    The latest Windows 10 will be more and more popular in the very near future. Now let's take a look i ...

  2. Another option to bootup evidence files

    When it comes to booting up evidence files acquired from target disk, you got two options. One is VF ...

  3. How to find missing USB Records?

    In my previously article "EnCase missed some USB activities in the evidence files", I ment ...

  4. [DFNews] EnCase v7.08发布

    EnCase v7.08 近日正式发布,7.08增加了Evidence Processor Manager以及Evidence Processor,不仅可以在本地实现证据处理队列,也支持了通过网络进行 ...

  5. EnCase v7 could not recognize Chinese character folder names / file names on Linux Platform

    Last week my friend brought me an evidence file duplicated from a Linux server, which distribution i ...

  6. Android USB Connections Explained: MTP, PTP, and USB Mass Storage

    Android USB Connections Explained: MTP, PTP, and USB Mass Storage Older Android devices support USB ...

  7. macOS & USB stick

    macOS & USB stick why macOS can only read USB stick, can not write files to USB stick macos 无法写文 ...

  8. File signature analysis failed to recognize .old file

    My friend May she found a strange file called "bkp.old" as below in the evidence files. Sh ...

  9. Use LiveCD to acquire images from a VM

    Forensic examiners usually acquire images from suspect's PC or Laptop. What if the target computer i ...

随机推荐

  1. Redis基本数据类型

    -------------------Redis基本数据类型------------------- 1.String 字符串     1.概念         1.String 是redis最基本的类 ...

  2. CSS3学习笔记-1:CSS样式继承

    自己在写css时总会遇上css样式继承的问题,好在一般问题不大,但一直也不明白css样式继承的规则,最近发现了一篇文章讲的不错,因此转载过来: 所谓CSS的继承是指被包在内部的标签将拥有外部标签的样式 ...

  3. OCUpload的简单介绍与使用

     OCUpload (One Click Upload)译成中文就是一键上传的意思.它是JQuery的一个插件.   对于传统的文件上传,只能通过form表单,将enctype设置为multipart ...

  4. ios 初体验< UISegmentedControl 分段控件>

     小知识:  数组快速创建 @[@"",@"",@"",@"".......],字典快速创建方法:@{@"&q ...

  5. Tomcat利用Redis存储Session

    详见:http://blog.yemou.net/article/query/info/tytfjhfascvhzxcyt269 如果英文不错的看,建议直接看官网吧,官网写的挺清楚.下面的内容是转载的 ...

  6. cobbler部署安装CentOS6.8

    Linux运维:cobbler : 矮哥linux运维群:93324526 学习cobbler的话,必须先搞懂kickstart,原理不是,不懂如何排错. kickstart部署请点击这里 1. Co ...

  7. 201521123084 《Java程序设计》第4周学习总结

    第4周作业-面向对象设计与继承 1. 本周学习总结 1.1 尝试使用思维导图总结有关继承的知识点. 1.2 使用常规方法总结其他上课内容. 总结: (1)学会了如何给类和方法进行简单的注释: (2)学 ...

  8. 【Alpha】第七次Daily Scrum Meeting

    GIT 一.今日站立式会议照片        二.会议内容 1.讨论送礼物的方法和对象,使功能更加完善. 2.对于程序还存在的问题提出自己的看法,尽量让功能更加的饱满. 三.燃尽图 四.遇到的困难 能 ...

  9. 201521123080《Java程序设计》第8周学习总结

    1. 本周学习总结 1.1 以你喜欢的方式(思维导图或其他)归纳总结集合与泛型相关内容. 2. 书面作业 本次作业题集集合 List中指定元素的删除(题目4-1) 1.1 实验总结 在covnertS ...

  10. 201521123076 《JAVA程序设计》第5周学习总结

    1. 本周学习总结 1.1 尝试使用思维导图总结有关多态与接口的知识点. 1.2 可选:使用常规方法总结其他上课内容 初步了解了接口的概念,学会使用接口,强化面向对象思想 Comparable,Com ...