My friend is a developer, and her colleague May was suspected of stealing the source code of an important project "X". The police searched her apartment and seized her brand new laptop, whose OS is Win10 Pro. Forensic guy Terry used EnCase to do…
The latest Windows 10 will become more and more popular in the very near future. Now let's see whether we can conduct live forensics on Win10 by using LiveView 0.8 RC1. 1. The OS version of the suspect's laptop is Windows 10. After acquiring we got the…
When it comes to booting up evidence files acquired from a target disk, you have two options. One is VFC and the other is Live View. Both of them can create snapshots out of images such as EWF (E01), so forensic examiners can conduct a live forensic…
In my previous article "EnCase missed some USB activities in the evidence files", I mentioned that EnCase could only "see" a few USB records. Actually, not only EnCase may not see all USB records; some other forensic tools got th…
EnCase v7.08 was officially released recently. 7.08 adds the Evidence Processor Manager and the Evidence Processor, which not only allow evidence-processing queues on the local machine but also support distributed evidence processing over the network. The release notes follow; download links for the updated software are collected in the pinned post. What's New in Version 7.08 Evidence Processor Manager Evidence Processor Enhancements Augmented File Carv…
Last week my friend brought me an evidence file duplicated from a Linux server, whose distribution is CentOS 5.0 with i18n set to zh-tw. She wanted to know whether there is any malware on this Linux server. OK, let's get to work. I add this evidenc…
Android USB Connections Explained: MTP, PTP, and USB Mass Storage Older Android devices support USB mass storage for transferring files back and forth with a computer. Modern Android devices use the MTP or PTP protocols — you can choose which one you…
macOS & USB stick: why macOS can only read a USB stick and cannot write files to it. macOS cannot write files to a USB stick that uses the NTFS partition format. When you connect a portable hard drive or USB stick to a Mac and try to copy files onto it, you find that the files cannot be copied. This is because the drive or stick uses the NTFS partition format from Windows, which the Mac system does not natively support, and that is why you cannot copy data onto the drive. https…
My friend May found a strange file called "bkp.old", shown below, in the evidence files. She decided to use forensic tools to take a look at it and figure out what's going on. FTK said that it's an unknown file. But May was not satisfied with…
Forensic examiners usually acquire images from a suspect's PC or laptop. What if the target computer is not a physical PC/laptop/server? Let's say the target computer is one of the VMs on a server; what will you do to acquire this VM? Forensic guy 008 say…
[Android] Moving Android app data to the SD card. Just specify it in the app's manifest file: include the android:installLocation attribute in the <manifest> element and set its value to "internalOnly", as follows: <manifest xmlns:android="" android:installLocation="intern…
See the Android developer documentation at /docs/guide/topics/data/data-storage.html: Android provides several options for you to save persistent application data. The solution you choose depends on your specific needs, such as whether the data should be private to your appli…
Original URL: 1. repo init -u git:// -b volatile-jb-mr1-yangtze 2. How to compile 3.…
Usually we use LiveView or VFC to "boot up" the evidence files acquired from a suspect's computer or laptop. What if his/her OS is Win10? Win10 has two account types. One is the Local User Account, and the other is the Live ID Account. For VFC to by…
Click to open link 1. repo init -u git:// -b volatile-jb-mr1-yangtze 2. How to compile 3. How to compile and flash 4. https://…
Overview Oracle E-Business Suite Integrated SOA Gateway allows you to use PL/SQL application programming interfaces (APIs) to insert or update data in Oracle E-Business Suite. APIs are stored procedures that let you update or retrieve data from Oracl…
When using an Android phone, we notice that some apps can be moved to the SD card while others cannot. Why is that? Because only since Android 2.2 have Android apps been allowed to move to the SD card; apps developed before that have no such feature. So how do you allow your app to be moved to the SD card? The answer is simple: set an installLocation attribute in the manifest. This attribute sets the default install location and has three valid values: auto, internalOnly, preferExternal. auto means automatic, the system decides the install location; i…
When it comes to the pace of version changes, AD is unrivaled: going from FTK 4 to the current FTK 5 took only a little over two years. EnCase will shortly (tentatively early August) release a new V7 version, 7.08. Some of the new features are listed below: Evidence Processor Manager Evidence Processor Manager allows for distribution and control of evidence processing for one or more EnCase Examiners or EnCase Processors. E…
Yesterday someone asked me whether EnCase can acquire data from a smartphone, and my reply was "yes". Let me show you how to use EnCase to acquire data from a smartphone. Of course we have to install the driver on the workstation first so tha…
I used to conduct raw searches in EnCase v6, and I'd like to see whether the EnCase v7 raw search can hit keywords inside compound files or not. You won't believe it: the search result is 0, but those keywords do exist inside compound files... Let me show you my te…
Hi, my EnCase version is v7 and I found a terrible issue with index search in the Unallocated area. Without Internet Evidence Finder I could not find the truth of the EnCase index search... Thank God I used IEF to carve the evidence file and some webmail was found..s…
After installing the enhancement pack earlier, USB devices can be recognized but cannot be used normally; this should be because the wireless NIC driver is missing. Check the USB devices. OS: centos6.6, kernel: 2.6.32-504.el6.x86_64 [root@orangleliu ~]# lsusb Bus 001 Device 002: ID 0bda:8178 Realtek Semiconductor Corp. RTL8192CU 802.11n WLAN Adapter. This shows the NIC's ID and chipset type; some modifications will be needed later when compiling the driver so that it can…
The process of configuring a USB wireless NIC on a Raspberry Pi to get online. The USB wireless NIC model I used: EP-N8508GS (a model intended for the Raspberry Pi). 1. Check whether the USB wireless NIC has been recognized correctly. Plug the wireless USB NIC into the Raspberry Pi and then boot it; hot-plugging is not recommended, because there is a relatively high current at the moment of insertion, and if the power supply output is insufficient it may cause the Raspberry Pi to reboot. Once in the shell, enter the command lsusb. If the Raspberry Pi has recognized it correctly, you can see your USB wireless NIC's device ID and chipset in output similar to: Bus 001 Device 004: ID 0bda:817…
Security arrangements for a universal serial bus (USB) protocol stack of a USB host system are provided. The security arrangements prevent an unauthorized or suspicious USB device from communicating with the host system, detect suspicious activity or…
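The two lsusb posts above identify a device by its vendor:product ID, and the patent abstract above describes refusing USB devices the host does not expect. The following added example (editor's code, not from any of the listed posts or from the patent) ties the two together: it parses lsusb output into records, compares each device against an allowlist of vendor:product IDs, and emits udev rules that set the kernel's per-device `authorized` attribute to 1 only for allowed devices. The sample lsusb output is constructed; only the RTL8192CU line is taken from the page. The allowlist, the `ffff:0001` keyboard ID and the rule file path are assumptions for illustration. Deny-by-default is assumed to come from writing 0 to `authorized_default` on each root hub, which this code does not do.

```python
import re
from dataclasses import dataclass

# Matches one line of `lsusb` output, e.g.
# "Bus 001 Device 002: ID 0bda:8178 Realtek Semiconductor Corp. RTL8192CU 802.11n WLAN Adapter"
LSUSB_RE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$"
)

# Vendor ID of the virtual root hubs the kernel always exposes; they are part of
# the host, not a pluggable device, so they are never reported as unexpected.
ROOT_HUB_VENDOR = "1d6b"

# Constructed sample output. The 0bda:8178 line is the one shown on the page;
# the other non-root-hub lines are made up for this example.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0bda:8178 Realtek Semiconductor Corp. RTL8192CU 802.11n WLAN Adapter
Bus 001 Device 003: ID ffff:0001 Example keyboard (constructed)
Bus 001 Device 004: ID abcd:1234 Example Corp. Mass Storage Device (constructed)
"""

# Assumed allowlist: the WLAN adapter from the page plus a constructed keyboard.
ALLOWED = {"0bda:8178", "ffff:0001"}


@dataclass(frozen=True)
class UsbDevice:
    bus: int
    device: int
    vendor: str   # 4 hex digits, lowercase
    product: str  # 4 hex digits, lowercase
    description: str

    @property
    def vid_pid(self) -> str:
        return f"{self.vendor}:{self.product}"


def parse_lsusb(text: str) -> list:
    """Parse lsusb output into UsbDevice records; reject lines it does not understand."""
    devices = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LSUSB_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognized lsusb line: {line!r}")
        bus, dev, vid, pid, desc = m.groups()
        devices.append(UsbDevice(int(bus), int(dev), vid, pid, desc.strip()))
    return devices


def unexpected_devices(devices: list, allowed: set) -> list:
    """Return devices (excluding root hubs) whose vendor:product is not allowlisted."""
    allowed_ids = {a.lower() for a in allowed}
    return [
        d for d in sorted(devices, key=lambda d: (d.bus, d.device))
        if d.vendor != ROOT_HUB_VENDOR and d.vid_pid not in allowed_ids
    ]


def udev_allow_rules(allowed: set) -> str:
    """Emit one udev rule per allowed ID that authorizes the device on insertion.
    Assumes deny-by-default has been configured separately via authorized_default."""
    rules = []
    for vid_pid in sorted(a.lower() for a in allowed):
        vid, pid = vid_pid.split(":")
        rules.append(
            f'ACTION=="add", SUBSYSTEM=="usb", '
            f'ATTR{{idVendor}}=="{vid}", ATTR{{idProduct}}=="{pid}", '
            f'ATTR{{authorized}}="1"'
        )
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    devs = parse_lsusb(SAMPLE_LSUSB)
    for d in unexpected_devices(devs, ALLOWED):
        print(f"UNEXPECTED bus {d.bus:03d} dev {d.device:03d} {d.vid_pid} {d.description}")
    # Assumed destination for the generated rules.
    print("# /etc/udev/rules.d/90-usb-allowlist.rules")
    print(udev_allow_rules(ALLOWED), end="")
```

Run against real output with `parse_lsusb(subprocess.check_output(["lsusb"], text=True))`. The allowlist keys on vendor:product only, which a malicious device can spoof, so treat this as an inventory check rather than a hard boundary; the kernel's authorization interface enforces the policy, and this script only produces the rules for it.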
1. Overview. My company recently asked me to make a USB device automatically shared on the network after it is plugged into Ubuntu, so that its contents can be accessed like a Windows share (e.g. via \\), without write permission. When I heard this requirement, as a newcomer I was stunned, immediately searched online for related documents, and went to ask my manager whether anyone had implemented this before. The manager said firmly: definitely. The technical documents I found online only covered automatically mounting a USB device on insertion; I found nothing on automatic sharing, so I had to rely on myself. After some fiddling I finally implemented the feature on Ubuntu 14.04 desktop, but it is still imperfect; for example, by default only 5 USB devices are shared, USB1~5, and the devices still exist after being unplugged…
The WNDR3800 15.05.1 OpenWrt installed from the official site does not include USB storage support or samba; they must be installed separately. 1. Enable USB support. USB Basic Support # After every reboot, the package lists must be updated again: opkg update. Install kmod-usb-uhci or kmod-usb-ohci; if the former cannot be installed, the system will prompt. opkg install kmod-usb-uh…
Symptoms: when you find the "portable hard drive icon" frequently disappears for no reason and then reappears by itself. You can call this phenomenon "power loss" or "driver loss". It is quite annoying when this happens, e.g. when "copying a large file" is almost finished and it drops out, that is a real "oh no...". This is especially common on laptops and relatively rare on desktops. How to solve it? Solution: 1. Uncheck "Allow the computer to turn off this device to save power". From "My Computer" or "…
1. Development environment: Windows 7 32-bit, MDK 4.54, .Net Micro Framework Porting Kit 4.2 (RTM QFE2), .Net Micro Framework SDK 4.2 (RTM QFE2), Microsoft Visual Studio 2010, development board: 野火 IOS V2. 2. Preparation before porting. 2.1. Run C:\PK\Solutions\STM32Stamp\Debug_Flash.bat to compile MF in DEBUG mode; because the files compiled in DEBUG mode contain the debug…
Regarding USB pull-up and pull-down resistors, you cannot just connect an arbitrary resistor value. When your USB port is the host, connect a 15K pull-down resistor to each of D+ and D-, so that when no device is plugged in D+ and D- always stay low. For a device-side interface, different transfer speeds can be set through the pull-up resistor: with a 1.5K pull-up on D+, it works in the high-rate mode such as 12 Mbps, and with a 1.5K pull-up on D-, it works in the low-rate mode, such as 1.5 Mbps. The host automatically identifies whether the device is high-speed or low-speed by whether the pull-up is on D+ or D-; a non-standard resistor value will affect USB auto-detection and resource allocation,…