Heavy reliance on forensic tools is risky
We can take advantage of forensic tools to examine and analyze evidence, but relying on them too heavily is risky. It is the examiner who decides which clue matters and which does not, not the tool. Here is a scenario involving malware and an attacker. Agent 007 finds that Carrie's computer is infected with CryptoLocker and tries to figure out what happened. 007 runs many forensic tools over the evidence for a very long time and recovers the malware from partition D. Unfortunately, he cannot find where the malware came from.
Agent 008 takes over the case and starts by reviewing 007's report. 008 goes back to the evidence and reads through all the e-mails in the .pst files. He finds the exchange between Carrie and her colleague Rick, and the malware, which was disguised as an ordinary anti-virus update file. In the screenshot below, the displayed sender is "Sysadmin@mnd.gov.tw", but when you look into the mail header, the authenticated sender turns out to be "rick@mnd.gov.tw".
What forensic tools do is narrow the scope so that you can analyze the evidence efficiently. A forensic tool cannot "tell" you that it is very suspicious for the actual sender to be Rick rather than Sysadmin; you have to notice that on your own.
By the way, an experienced forensic examiner knows that the displayed sender can be faked, so he or she will look at the authenticated sender in the header to see whether anything is strange. The more experience you have with computer hardware and software, the fewer mistakes you will make.
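To show what "look at the authenticated sender" means in practice, here is an added example (not code from the original post) that parses a constructed message in the style of the scenario above and compares the displayed From: address against the headers the mail infrastructure itself recorded. The addresses come from the post; the message body, the attachment, and the "X-Authenticated-Sender" header name are assumptions for illustration (which header, if any, carries the authenticated login depends on the mail server; some put it in a Received: line instead). The check also lists attachments with executable extensions, since the malware in the scenario posed as an anti-virus update.

```python
"""Flag e-mails whose displayed From: does not match the sender the mail
infrastructure recorded (Sender:, Return-Path:, X-Authenticated-Sender:).

Added example, not part of the original post. X-Authenticated-Sender is an
assumed header name; which header records the authenticated login (if any)
depends on the mail server.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample message mirroring the post's scenario (not a real capture).
SAMPLE_EML = """\
Return-Path: <rick@mnd.gov.tw>
X-Authenticated-Sender: rick@mnd.gov.tw
From: Sysadmin <Sysadmin@mnd.gov.tw>
Sender: rick@mnd.gov.tw
To: carrie@mnd.gov.tw
Subject: Anti-virus update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached update.
--b1
Content-Type: application/octet-stream; name="avupdate.exe"
Content-Disposition: attachment; filename="avupdate.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Headers that reflect who really submitted the mail, as opposed to the
# free-form From: line that the sender controls.
ACTUAL_SENDER_HEADERS = ("Sender", "Return-Path", "X-Authenticated-Sender")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1")


def sender_mismatches(msg: Message) -> list[tuple[str, str, str]]:
    """Return (header, from_addr, actual_addr) for every recorded-sender header
    whose address differs from the From: address. Empty list means no mismatch."""
    _, from_addr = parseaddr(msg.get("From", ""))
    findings = []
    for name in ACTUAL_SENDER_HEADERS:
        value = msg.get(name)
        if value is None:
            continue
        _, actual = parseaddr(value)
        if actual and actual.lower() != from_addr.lower():
            findings.append((name, from_addr, actual))
    return findings


def risky_attachments(msg: Message) -> list[str]:
    """Return attachment file names that carry an executable extension."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            names.append(filename)
    return names


def triage(raw: str) -> dict:
    """Parse a raw RFC 822 message and return the two checks' results."""
    msg = message_from_string(raw)
    return {
        "display_from": msg.get("From"),
        "sender_mismatches": sender_mismatches(msg),
        "risky_attachments": risky_attachments(msg),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    print("From header:", result["display_from"])
    for header, shown, actual in result["sender_mismatches"]:
        print(f"  {header}: mail claims {shown} but was submitted by {actual}")
    for filename in result["risky_attachments"]:
        print(f"  executable attachment: {filename}")
```

Run against an exported .eml from the mailbox, the mismatch list is exactly the clue 008 found by hand: the From: line says Sysadmin, every header written by the mail system says Rick. The tool only surfaces the discrepancy; deciding that a colleague sending an "anti-virus update" under the sysadmin's name is the intrusion vector is still the examiner's call.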