My friend is a developer and her colleague May was suspected of stealing the source code of an important project "X". The Police searched her apartment and seized her brand new laptop which OS is Win10 Pro.  Forensic guy Terry used EnCase to do evidence processing . To his surprise, only one usb thumb drive "SanDisk" found in "USB Records".

Terry checked LNK files artifacts and found a very interesting thing. According to the volume serial number, we could distinguish which volume belongs to local drive. Local drive only has one volume and its drive letter is "C". Terry found two volume serial number "d63e3c12" and "beebc8cb" related to external drive as below.

Fortunately LNK file artifacts gave Terry very important clue. Terry believed that more than one usb thumb drive's been plugged into May's laptop. Why EnCase missed some usb activities in the evidence files?

We can not be too careful to analyze the evidence when something strange occurs.Let's use another forensic tool to examine usb artifacts again. Besides sandisk another usb thumb drive found and its name is "Seagate ". The same name found in LNK files artifacts.

According the volume serial number and usb deive serial number as above, the Police found those two usb storage devices in May's company. Finally  May admited that she copied the source code of project "X" into a SanDisk usb thumb drive and a 2.5" Seagate Backup Plus usb drive. And she brought those two usb device home.  She'd like to sell those stuff to earn more money.

Guidance should take a look at its "USB Records" to see what's wrong with incomplete usb activities after evidence processing.

EnCase missed some usb activities in the evidence files的更多相关文章

  1. LiveView 0.8 RC1 could boot evidence files acquired from Win10 64bit

    The latest Windows 10 will be more and more popular in the very near future. Now let's take a look i ...

  2. Another option to bootup evidence files

    When it comes to booting up evidence files acquired from target disk, you got two options. One is VF ...

  3. How to find missing USB Records?

    In my previously article "EnCase missed some USB activities in the evidence files", I ment ...

  4. [DFNews] EnCase v7.08发布

    EnCase v7.08 近日正式发布,7.08增加了Evidence Processor Manager以及Evidence Processor,不仅可以在本地实现证据处理队列,也支持了通过网络进行 ...

  5. EnCase v7 could not recognize Chinese character folder names / file names on Linux Platform

    Last week my friend brought me an evidence file duplicated from a Linux server, which distribution i ...

  6. Android USB Connections Explained: MTP, PTP, and USB Mass Storage

    Android USB Connections Explained: MTP, PTP, and USB Mass Storage Older Android devices support USB ...

  7. macOS & USB stick

    macOS & USB stick why macOS can only read USB stick, can not write files to USB stick macos 无法写文 ...

  8. File signature analysis failed to recognize .old file

    My friend May she found a strange file called "bkp.old" as below in the evidence files. Sh ...

  9. Use LiveCD to acquire images from a VM

    Forensic examiners usually acquire images from suspect's PC or Laptop. What if the target computer i ...

随机推荐

  1. postman 第6节录制case

    我们先安装Postman Interceptor 记得一定要安装Postman Interceptor插件,这样在谷歌浏览器上访问的信息都会在postman的app端同步显示.安装好后Postman ...

  2. 详细教程:将本地项目上传到github

    作为 一个工程师,将本地项目上传到github进行备份和分享是一个不错的技能,一来可以方便以后的工作,二来可以分享自己的成果.所以下面本人详细教大家如何将本地项目上传到github,十分简单,一学就会 ...

  3. MySQL的JOIN(三):JOIN优化实践之内循环的次数

    这篇博文讲述如何优化内循环的次数.内循环的次数受驱动表的记录数所影响,驱动表记录数越多,内循环就越多,连接效率就越低下,所以尽量用小表驱动大表.先插入测试数据. CREATE TABLE t1 ( i ...

  4. import和require

    es6 的 import 语法跟 require 不同,而且 import 必须放在文件的最开始,且前面不允许有其他逻辑代码,这和其他所有编程语言风格一致. import不同与require,它是编译 ...

  5. Linux_window与linux之间文件互传,上传下载

    window与linux之间文件互传 运行环境:Centos os7 + win8.1 +putty putty:是一个Telnet,ssh,rlogin,纯tcp以及串行接口连接软件,由于linux ...

  6. 记一次wiki数据爬取过程

    最近有个爬取各国领导人信息的奇怪需求,要求百度和维基两种版本的数据,最要命的还要保持数据的结构不变.正好印象中隐约记得维基有专门的领导人列表页,不考虑爬取下来的格式不变的话应该很好爬的样子. 首先思路 ...

  7. 学习Python Day1

    学习PythonDay1,主要是学习了循环,while循环,for循环:while循环加if.else以及elif,for循环嵌套for循环:break,终止循环,continue跳出循环:for i ...

  8. 201521123036 《Java程序设计》第8周学习总结

    本周学习总结 1.1 以你喜欢的方式(思维导图或其他)归纳总结集合与泛型相关内容. 1.2 选做:收集你认为有用的代码片段 HashMap自定义排序 List<Map.Entry<Stri ...

  9. 201521123086《JAVA程序设计》第五周作业

    本周学习总结 1.1 尝试使用思维导图总结有关多态与接口的知识点. 书面作业 代码阅读:Child压缩包内源代码 Q1.1 com.parent包中Child.java文件能否编译通过?哪句会出现错误 ...

  10. 201521123036 《Java程序设计》第13周学习总结

    本周学习总结 以你喜欢的方式(思维导图.OneNote或其他)归纳总结多网络相关内容. 书面作业 网络基础 1.1 比较ping www.baidu.com与ping cec.jmu.edu.cn,分 ...