Pieces0310

取证须让证物说话,莫妄以自我心证来给案情下定论.切忌画靶射箭,为找而找. 取证的根基仰赖经验与判断,在IT各领域的经验愈丰富,愈能看出端倪. 取证须善用工具,但不过度依赖工具.工具只能帮你缩小可能范围,但无法告诉你答案,仍需靠人进行分析判断.
首页 新随笔 联系 订阅 管理

随笔分类 -  Digital Forensics

上一页 1 2 3 下一页

取证分析的迷思
摘要:由于证物特性的不同,在进行digital evidence的取证分析时,第一要务便是确保电子证据在过程中不致遭受污染或破坏.且由于是和计算机科技有关,随着科技的进步也会多所变化,因此取证分析也要能跟的上变化. 大家耳熟能详的就不提了,在此想分享的是取证分析的从业工作者在取证分析上的迷思,给大家参考. 阅读全文
posted @ 2016-05-29 11:53 Pieces0310 阅读(594) 评论(0) 推荐(0)

取证分析标准作业程序???
摘要:最近有人问我ISO 27037是什么?其实它就是有关电子证据处理的标准,但其实别被它的长篇大论给吓着了.若你有仔细看一下,它也只提到了”前段”的作业.也就是说,它提到了电子证据的搜集,保存,撷取,运送,但后面真正至为关键的分析程序,它就不提了.为何呢,因为太复杂之故. 很多单位很喜欢挂在嘴边的就是” 阅读全文
posted @ 2016-05-14 22:04 Pieces0310 阅读(355) 评论(0) 推荐(0)

磁盘碎片整理对证物的”致命”影响
摘要:有趣的是,倘若证物曾有进行碎片整理的痕迹,可不代表使用者就必然是心怀不轨,有做”坏事”哦~ 换言之,取证人员不能见猎心喜,”看到影子就开枪”,徒贻笑大方。取证人员要秉持科学办案,不能只以”入人于罪”为出发点,毕竟取证可是良心事业,以下我们就来探讨一下碎片整理对证物的”致命”影响。 用户常跟IT人员或 阅读全文
posted @ 2016-04-23 09:15 Pieces0310 阅读(470) 评论(0) 推荐(0)

进行中文关键词搜索时要留意编码
摘要:在进行关键词搜索(Keyword Search)时,要留意编码的问题,因为这牵涉到搜索结果,会影响到取证分析,不可不慎。 什么是character set?亦即所谓的"字符集",如Big5及GB,分别是台湾常用的大五码及大陆常用的汉字字符集,其它还有日本的JIS及万国码UTF8等等。而code pa 阅读全文
posted @ 2016-04-21 17:24 Pieces0310 阅读(553) 评论(0) 推荐(0)

Windows 10 LNK File分析
摘要:前情提要:警方接获线报,黑道份子阿强涉及制造与贩卖毒品,警方在其住处扣得笔记本电脑及数个U盘,送往实验室进行取证分析。 取证人员对证物进行证物镜像制作,并进行证物处理(Evidence Processing),开始进行取证分析。得知阿强的笔电的操作系统为Windows 10 专业版 64bit,本机 阅读全文
posted @ 2016-04-14 15:16 Pieces0310 阅读(591) 评论(0) 推荐(0)

Something wrong with FTK OCR
摘要:A case about business secret the suspect took lots of photos and screenshots from BOM, RD papers... We have to conduct a keyword search to find out wh 阅读全文
posted @ 2016-03-20 14:11 Pieces0310 阅读(554) 评论(0) 推荐(0)

查找Safari相关迹证
摘要:日前有取证的同好提及Safari,想了解详细步骤,因而在此再补充说明相关。 除了Winodws外,Mac OS X也有为数不少的使用者,以下便以OS X自带的Safari浏览器为例,来查看有哪些重要迹证。 那Safari浏览器的相关文件会存放在哪个路径下呢?首先检视如下图红色框住部份所示的路径,意即 阅读全文
posted @ 2016-03-05 08:52 Pieces0310 阅读(350) 评论(0) 推荐(0)

Find out who the “mole” is?
摘要:Blueheat Company’s production server was out of order again. The CEO was very upset and want their CIO Leo to figure out what happened. Leo asked thos... 阅读全文
posted @ 2015-11-22 16:51 Pieces0310 阅读(296) 评论(0) 推荐(0)

Windows USN Journal Parsing
摘要:What is "USN Journal"? It is "Update Sequence Number Journal". It records changes in the NTFS volume. The scenario is about Bomb threat. I use X-Ways ... 阅读全文
posted @ 2015-11-16 22:16 Pieces0310 阅读(872) 评论(0) 推荐(0)

Track files and folders manipulation in Windows
摘要:The scenario is about Business Secret and our client do worry about data leakage. They want to know whether Suspect copy those data to external hard d... 阅读全文
posted @ 2015-10-31 16:56 Pieces0310 阅读(424) 评论(0) 推荐(0)

Threatening letter in Naver Line App
摘要:A suspect sent a threatening letter in Naver Line App to Richman, and said that he wanted those money wired to a specified account "3398-239775-07". R... 阅读全文
posted @ 2015-09-25 15:00 Pieces0310 阅读(352) 评论(0) 推荐(0)

EnCase v.s. FTK - find out Chinese characters writing in different direction
摘要:A friend of mine said to me that she could fool those forensic tools easily by changing writing direction in text. I said to her: "Really? Are you sur... 阅读全文
posted @ 2015-09-07 22:51 Pieces0310 阅读(580) 评论(0) 推荐(0)

Does FTK index search support regular expression?
摘要:Some of my friends ask me a question: "Does FTK index search support regular expression?" They just participated in FTK Bootcamp last month, and they'... 阅读全文
posted @ 2015-08-30 19:47 Pieces0310 阅读(944) 评论(0) 推荐(0)

Heavily reliance on forensic tools is risky
摘要:We could take advantage of forensic tools to examine and analyze the evidence, but heavily reliance on forensic tools is risky. It's us that determine... 阅读全文
posted @ 2015-08-13 16:52 Pieces0310 阅读(337) 评论(0) 推荐(0)

Belkasoft Evidence Center could handle Chinese characters well
摘要:I've been using Belkasoft Evidence Center for a very long time. It could handle Chinese characters well, so I don't have to waste time decoding... 阅读全文
posted @ 2015-08-11 11:15 Pieces0310 阅读(318) 评论(0) 推荐(0)

IEF could not decode Chinese character in IE history well
摘要:My friend is working on some case, and she looks not in the mood. I ask her what's going on. She wants me to look at the screenshot as below. That's w... 阅读全文
posted @ 2015-08-10 23:04 Pieces0310 阅读(345) 评论(0) 推荐(0)

Recover damage pictures to see the crime scene
摘要:Few people know that when you take photos there is also a thumbnail embeded inside the file, even some forensic guys may have no idea about this impor... 阅读全文
posted @ 2015-08-09 10:07 Pieces0310 阅读(435) 评论(0) 推荐(0)

Volume serial number could associate file existence on certain volume
摘要:When it comes to lnk file analysis, we should put more emphasis on the volume serial number. It could help forensic guys to identify whether files exi... 阅读全文
posted @ 2015-08-05 16:24 Pieces0310 阅读(358) 评论(0) 推荐(0)

What is the behavior of lnk files?
摘要:I access a files which name is "abc.doc", no doubt a lnk file "abc.doc.lnk" shows up. Few minutes or hours later I access "abc.doc" again, what will h... 阅读全文
posted @ 2015-07-09 22:27 Pieces0310 阅读(260) 评论(0) 推荐(0)

EnCase v7 search hits in compound files?
摘要:I used to conduct raw search in EnCase v6, and I'd like to see if EnCase v7 raw search could hit keywords inside compound files or not. You won't beli... 阅读全文
posted @ 2015-07-07 21:36 Pieces0310 阅读(603) 评论(0) 推荐(0)

上一页 1 2 3 下一页