We could take advantage of forensic tools to examine and analyze the evidence, but heavily reliance on forensic tools is risky. It's us that determine what clue is important or not, not forensic tools.  There is a scenario about malware and hacker. Agent 007 finds Carrie's computer infected by CyrptoLocker, and he try to fingure out what's going on. 007 use lots of forensic tools to analye for a very long time, and he recover the malware in partition D. Unfortunately he could not find where the malware is from.

Agent 008 take over this case and start to review 007's report. 008 go back to the evidence and take a look at all e-mails in .pst files. Fortunately he found what's going on between Carrie and her colleague Rick, and the malware pretending a normal anti-virus update file. Look at the pic as below, you could see that the caption of sender is "Sysadmin@mnd.gov.tw", but when you look into the mail header, you will know the authenicatied sender is "rick@mnd.gov.tw".

What forensic tools do is reduce the scope and you could analyze the evidence efficiently. Forensic tools could not "tell" you that it is very suspicious the actual sender is Rick, not Sysadmin, you have to figure it out on your own.

By the way, an experienced forensic guy knows that the caption of sender could be faked, so he/she will take a look at authenicated sender to see if anything strange. The more experience about computer hardware/software, the fewer mistakes you will make.

Heavily reliance on forensic tools is risky的更多相关文章

  1. iTunes - Forensic guys' best friend

    What chances do you think to acquire suspect's data from his/her iDevice? If suspects also use iTune ...

  2. The Best Hacking Tools

    The Best Hacking Tools Hacking Tools : List of security tools specifically aimed toward security pro ...

  3. 八大最安全的Linux发行版,具备匿名功能,做服务器的首选,web,企业服务器等

    10 best Linux distros for privacy fiends and security buffs in 2017 Introduction The awesome operati ...

  4. Linux VM acquisition

    The evidence is a VM as below. The flat vmdk is the real disk, and the vmdk only 1kb is just a descr ...

  5. Device Path in WinPrefetchView

    As we know that the Prefetch file is used for optimizing the loading time of the application in the ...

  6. metasploit-post模块信息

    Name                                             Disclosure Date  Rank    Description ----           ...

  7. Use BEC to do mobile phone forensics

    Belkasoft Evidence Center makes me very impressed that it supports lots of evidence type. I have to ...

  8. Save a bricked Samsung Note 3 and do extraction

    The case scenario was about bank robery and the suspect threw his Samsung Note 3 into the river. For ...

  9. WeChat 6.3 wipe deleted chat messages as well as LINE 5.3 and above

    Let me show you the WeChat version first. It is 6.3. What will happen to WeChat deleted chat message ...

随机推荐

  1. Spring中bean的配置

    先从IOC说起,这个概念其实是从我们平常new一个对象的对立面来说的,我们平常使用对象的时候,一般都是直接使用关键字类new一个对象,那这样有什么坏处呢?其实很显然的,使用new那么就表示当前模块已经 ...

  2. ubuntu 16.04 64bit安装 Julia

    sudo add-apt-repository ppa:staticfloat/juliareleases sudo add-apt-repository ppa:staticfloat/julia- ...

  3. asterisk中eyebeam与移动的IMS帐号对接

    账号和密码: 05128068****       xbfldz6658****IP:120.195.9.148域名:ims.js.chinamobile.com    上图吧:

  4. 第十章 Vim程序编辑器学习(下)

    在试用vim编辑时,vim会在于被编辑的档案的目录下,再建立一个名为****.swp的档案,如果你的系统因为某些原因断线,你编辑的档案还没有存储,这个时候的****.swp就能够挥发救援的功能 1.在 ...

  5. [ActionScript 3.0] Away3D 官网实例

    /* Dynamic tree generation and placement in a night-time scene Demonstrates: How to create a height ...

  6. POJ 1149 PIGS 【网络流】

    题意: m n   //有m个猪圈,n个人卖猪. a1...am    //编号为i的猪圈里有ai头猪. b1 c1...cb1 d1   //第i个人有bi把钥匙,分别是ci猪圈的,其它猪圈里的猪都 ...

  7. poj 1328 Radar Installation(nyoj 287 Radar):贪心

    点击打开链接 Radar Installation Time Limit: 1000MS   Memory Limit: 10000K Total Submissions: 43490   Accep ...

  8. oracle 11g 服务端下载地址及安装说明

        oracle 11g 服务端下载地址及安装说明         分类:             Oracle              2013-11-17 19:40     988人阅读  ...

  9. iOS 中@property() 括号中,可以填写的属性?

    通过@property 和 @synthesize 属性可以简化设置器(set)和访问器(get) 的代码. 在@property 中又有那些属性呢? readwrite 默认 readonly 只读 ...

  10. Machine Schedule(最小覆盖)

    其实也是个最小覆盖问题 关于最小覆盖http://blog.csdn.net/u014665013/article/details/49870029 Description As we all kno ...