Pieces0310

取证须让证物说话,莫妄以自我心证来给案情下定论.切忌画靶射箭,为找而找. 取证的根基仰赖经验与判断,在IT各领域的经验愈丰富,愈能看出端倪. 取证须善用工具,但不过度依赖工具.工具只能帮你缩小可能范围,但无法告诉你答案,仍需靠人进行分析判断.
首页 新随笔 联系 订阅 管理
上一页 1 ··· 10 11 12 13 14 15 16 下一页

2015年8月15日 #

Known plaintext attack
摘要: When you find a ZIP/RAR file with password protected in the evidence, you may try dictionary attack or bruteforce attack or Rainbow talbes... Usually ... 阅读全文
posted @ 2015-08-15 16:55 Pieces0310 阅读(1587) 评论(0) 推荐(0)

2015年8月13日 #

Heavily reliance on forensic tools is risky
摘要: We could take advantage of forensic tools to examine and analyze the evidence, but heavily reliance on forensic tools is risky. It's us that determine... 阅读全文
posted @ 2015-08-13 16:52 Pieces0310 阅读(339) 评论(0) 推荐(0)

2015年8月11日 #

Belkasoft Evidence Center could handle Chinese characters well
摘要: I've been using Belkasoft Evidence Center for a very long time. It could handle Chinese characters well, so I don't have to waste time decoding... 阅读全文
posted @ 2015-08-11 11:15 Pieces0310 阅读(318) 评论(0) 推荐(0)

2015年8月10日 #

IEF could not decode Chinese character in IE history well
摘要: My friend is working on some case, and she looks not in the mood. I ask her what's going on. She wants me to look at the screenshot as below. That's w... 阅读全文
posted @ 2015-08-10 23:04 Pieces0310 阅读(349) 评论(0) 推荐(0)

2015年8月9日 #

Recover damage pictures to see the crime scene
摘要: Few people know that when you take photos there is also a thumbnail embeded inside the file, even some forensic guys may have no idea about this impor... 阅读全文
posted @ 2015-08-09 10:07 Pieces0310 阅读(439) 评论(0) 推荐(0)

2015年8月5日 #

Volume serial number could associate file existence on certain volume
摘要: When it comes to lnk file analysis, we should put more emphasis on the volume serial number. It could help forensic guys to identify whether files exi... 阅读全文
posted @ 2015-08-05 16:24 Pieces0310 阅读(359) 评论(0) 推荐(0)

2015年7月26日 #

Can Live View boot up images acquired from 64bit OS evidence?
摘要: Some said Live View could only boot up images acquired from 32bit OS evidence. I have to say that it's not true. Ok, the best way to prove it is let t... 阅读全文
posted @ 2015-07-26 16:12 Pieces0310 阅读(459) 评论(0) 推荐(0)

2015年7月9日 #

What is the behavior of lnk files?
摘要: I access a files which name is "abc.doc", no doubt a lnk file "abc.doc.lnk" shows up. Few minutes or hours later I access "abc.doc" again, what will h... 阅读全文
posted @ 2015-07-09 22:27 Pieces0310 阅读(264) 评论(0) 推荐(0)

2015年7月7日 #

EnCase v7 search hits in compound files?
摘要: I used to conduct raw search in EnCase v6, and I'd like to see if EnCase v7 raw search could hit keywords inside compound files or not. You won't beli... 阅读全文
posted @ 2015-07-07 21:36 Pieces0310 阅读(606) 评论(0) 推荐(0)

2015年7月4日 #

How to search compound files
摘要: Last week my friend told me that she made a terrible mistake. She conducted raw serch and found no search hits within M$ docx files. She did not know ... 阅读全文
posted @ 2015-07-04 11:35 Pieces0310 阅读(671) 评论(0) 推荐(0)

上一页 1 ··· 10 11 12 13 14 15 16 下一页