My friend is a developer and her colleague May was suspected of stealing the source code of an important project "X". The Police searched her apartment and seized her brand new laptop which OS is Win10 Pro.  Forensic guy Terry used EnCase to do evidence processing . To his surprise, only one usb thumb drive "SanDisk" found in "USB Records".

Terry checked LNK files artifacts and found a very interesting thing. According to the volume serial number, we could distinguish which volume belongs to local drive. Local drive only has one volume and its drive letter is "C". Terry found two volume serial number "d63e3c12" and "beebc8cb" related to external drive as below.

Fortunately LNK file artifacts gave Terry very important clue. Terry believed that more than one usb thumb drive's been plugged into May's laptop. Why EnCase missed some usb activities in the evidence files?

We can not be too careful to analyze the evidence when something strange occurs.Let's use another forensic tool to examine usb artifacts again. Besides sandisk another usb thumb drive found and its name is "Seagate ". The same name found in LNK files artifacts.

According the volume serial number and usb deive serial number as above, the Police found those two usb storage devices in May's company. Finally  May admited that she copied the source code of project "X" into a SanDisk usb thumb drive and a 2.5" Seagate Backup Plus usb drive. And she brought those two usb device home.  She'd like to sell those stuff to earn more money.

Guidance should take a look at its "USB Records" to see what's wrong with incomplete usb activities after evidence processing.

EnCase missed some usb activities in the evidence files的更多相关文章

  1. LiveView 0.8 RC1 could boot evidence files acquired from Win10 64bit

    The latest Windows 10 will be more and more popular in the very near future. Now let's take a look i ...

  2. Another option to bootup evidence files

    When it comes to booting up evidence files acquired from target disk, you got two options. One is VF ...

  3. How to find missing USB Records?

    In my previously article "EnCase missed some USB activities in the evidence files", I ment ...

  4. [DFNews] EnCase v7.08发布

    EnCase v7.08 近日正式发布,7.08增加了Evidence Processor Manager以及Evidence Processor,不仅可以在本地实现证据处理队列,也支持了通过网络进行 ...

  5. EnCase v7 could not recognize Chinese character folder names / file names on Linux Platform

    Last week my friend brought me an evidence file duplicated from a Linux server, which distribution i ...

  6. Android USB Connections Explained: MTP, PTP, and USB Mass Storage

    Android USB Connections Explained: MTP, PTP, and USB Mass Storage Older Android devices support USB ...

  7. macOS & USB stick

    macOS & USB stick why macOS can only read USB stick, can not write files to USB stick macos 无法写文 ...

  8. File signature analysis failed to recognize .old file

    My friend May she found a strange file called "bkp.old" as below in the evidence files. Sh ...

  9. Use LiveCD to acquire images from a VM

    Forensic examiners usually acquire images from suspect's PC or Laptop. What if the target computer i ...

随机推荐

  1. Hashtable、synchronizedMap、ConcurrentHashMap 比较

    详见:http://blog.yemou.net/article/query/info/tytfjhfascvhzxcytp18 Hashtable.synchronizedMap.Concurren ...

  2. Xamarin介绍

    郑重声明: 本文非Xamarin使用详解,也没什么有用的干货,只是给不知道Xamarin到底是什么的大家提供一点点微不足道的小介绍,看完以后啥收获都没有也不是没可能的(*/ω\*).so......ε ...

  3. Java学习记录 : 画板的实现

    接触java不满一个月,看厚厚的java入门简直要醉,故利用实例来巩固所学知识. 画板的实现其实从原理来说超级简单,可能一会儿就完成了. 但作为一名强迫症患者,要实现和win下面的画板一样的功能还是需 ...

  4. CSS3动画效果之transition

    CSS3中有两种方式实现动画,transition和animation+@keyframe. 两者的作用机制不一样:transition定义在可能要进行动画的元素上,对某些CSS属性进行监听,一旦CS ...

  5. 团队作业7---Alpha冲刺值事后诸葛

    一.设想和目标 1.我们的软件要解决什么问题? 解决教师和助教对实验报告查重的问题,拥有两个用户:1.教师或助教:查看学生实验报告的重复率:4.学生:上传实验报告. 2.是否定义得很清楚?是否对典型用 ...

  6. 【Alpha阶段汇总】成果展示与体验总结

    一.燃尽图 二.软件截图 三.代码与图片.音乐素材仓库 git仓库 四.问题与总结 1.git提交问题 之前创建的仓库地址是http://git.oschina.net/8265559926/grou ...

  7. 201521123087《Java程序设计》 第八周学习总结

    1. 本周学习总结 2. 书面作业 本次作业题集集合 List中指定元素的删除(题目4-1)1.1 实验总结                                               ...

  8. 201521123045 《Java程序设计》第7周学习总结

    Java 第七周总结 1. 本周学习总结 2. 书面作业 1.ArrayList代码分析 1.1 解释ArrayList的contains源代码 public boolean contains(Obj ...

  9. Python笔记2.1

    所有类型如下图: 一 基础数据类型 1)数字类型 复制代码 >>> 2/2+2*2 5.0 >>> (50-5*6)/4 5.0 >>> 8/5 ...

  10. 201521123096《Java程序设计》第十三周学习总结

    1. 本周学习总结 以你喜欢的方式(思维导图.OneNote或其他)归纳总结多网络相关内容. 2. 书面作业 1. 网络基础 1.1 比较ping www.baidu.com与ping cec.jmu ...