Summary: Usage records of USB storage devices
Post category - Digital Forensics
Summary: This morning I decided to upgrade my workstation to Windows 11. Let me remind you that Windows 11 has some system requirements, and one of the most impo
Summary: A fellow enthusiast had read one of my humble pieces from several years ago, which discussed how to look for traces of USB storage device usage on a Mac. Since the operating system has since changed, he hoped I would go over the topic again for everyone. Indeed, the macOS logging mechanism is no longer text-based as it was in the past, simply stored in log files that can be inspected directly; it is now based on a so-called "Unified Logging System"
Summary: A friend of mine, Megan, told me that she got an error message, as in the screenshot below, when trying to open a virtual machine on a suspect's laptop. She tried
Summary: Forensic examiners usually acquire images from a suspect's PC or laptop. What if the target computer is not a physical PC/laptop/server? Let's say the t
Summary: My friend May found a strange file called "bkp.old", shown below, in the evidence files. She decided to use forensic tools to take a look at it and fig
Summary: In my previous article "EnCase missed some USB activities in the evidence files", I mentioned that EnCase could only "see" a few USB records. Ac
Summary: My friend is a developer, and her colleague May was suspected of stealing the source code of an important project "X". The police searched her apartmen
Summary: My friend told me that she installed EnCase v8.05 on her workstation, whose OS is Windows 10. She conducted an index search, but no hits were found i
Summary: Someone asked me how to image a CD/DVD-ROM and generate a hash value at the same time. A small tool called "dcfldd" can achieve this goal. Compared to d
Summary: A friend of mine asked me how to check all timestamps of a file on an NTFS volume. She did not have EnCase or FTK at hand, so I gave her FTK Image
Summary: We can find some important clues in Restore Points, because "System Protection" for volume C is enabled in the Windows default settings. Lots of data in "My
Summary: The evidence is a VM, as shown below. The flat vmdk is the real disk, and the vmdk of only 1 KB is just a descriptor. As you can see, there is no vmx. What
Summary: As we know, the Prefetch file is used to optimize the loading time of an application the next time you run it. So we can know whethe
Summary: My colleague asked me why Intella could not handle Lotus Notes nsf e-mail archive files. I told her that Intella could index mail and attachments in
Summary: With the vigorous growth of the internet comes an ever-increasing number of new types of threats. The ransomware seen everywhere today is the best example. In the real world, if someone steals your belongings and demands payment before returning them, you can report it to the police. But the online world has no borders, and criminals use anonymization techniques that make tracing difficult; once files have unfortunately been encrypted, paying the ransom does not necessarily recover the data. Nowadays there are too
Summary: My friend told me last week that FTK could not "see" keywords in plain text files when doing an index search. That's very interesting. I used to tr
Summary: Last night an explosion in a commuter train carriage at Taipei Songshan railway station wounded at least 21 people. The Criminal Investigation Bureau
Summary: My friend showed me the screenshot below yesterday. The name of this document is "EnCase Forensic Features and Functionality". She asked me that
Summary: I recently happened to have a case in which the evidence host was an MBP running OS X El Capitan. The case involved a trade secret leak, and we had to look for traces of USB storage device usage. A reminder to everyone: in different versions of OS X, the file names and paths where various artifacts are stored often differ. In El Capitan, the traces of USB storage device usage are in /private/var/log