  • Heavy reliance on forensic tools is risky

    We can take advantage of forensic tools to examine and analyze the evidence, but heavy reliance on forensic tools is risky. It is we who determine which clue is important and which is not, not the forensic tools. Here is a scenario involving malware and a hacker. Agent 007 finds Carrie's computer infected by CryptoLocker and tries to figure out what is going on. 007 uses lots of forensic tools and analyzes for a very long time, and he recovers the malware in partition D. Unfortunately, he cannot find where the malware came from.

    Agent 008 takes over this case and starts by reviewing 007's report. 008 goes back to the evidence and takes a look at all the e-mails in the .pst files. Fortunately, he finds what went on between Carrie and her colleague Rick: the malware was pretending to be a normal anti-virus update file. Look at the picture below; you can see that the sender caption is "Sysadmin@mnd.gov.tw", but when you look into the mail header, you will see that the authenticated sender is "rick@mnd.gov.tw".

    What forensic tools do is reduce the scope so that you can analyze the evidence efficiently. Forensic tools cannot "tell" you that it is very suspicious that the actual sender is Rick, not Sysadmin; you have to figure that out on your own.

    By the way, an experienced forensic examiner knows that the sender caption can be faked, so he or she will take a look at the authenticated sender to see if anything is strange. The more experience you have with computer hardware and software, the fewer mistakes you will make.
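    The header check described above, as an added example that is not part of the original post: it parses a constructed message modelled on the scenario and flags a From caption that disagrees with the authenticated or envelope sender. The header names Return-Path, Sender and X-Authenticated-Sender, the host names, the IP address and the Received line in the sample are assumptions about what a mail server records.

```python
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample message modelled on the post's scenario: the visible From
# caption claims Sysadmin@mnd.gov.tw, while the server-recorded (authenticated/
# envelope) sender is rick@mnd.gov.tw. Header names, hosts and the IP address
# are assumptions; the 192.0.2.0/24 range is reserved for documentation.
SAMPLE_MAIL = """\
Return-Path: <rick@mnd.gov.tw>
Received: from mail.mnd.gov.tw (mail.mnd.gov.tw [192.0.2.10])
    by mx.mnd.gov.tw with ESMTPSA id 4B2; Mon, 10 Aug 2015 09:12:44 +0800
X-Authenticated-Sender: rick@mnd.gov.tw
From: Sysadmin <Sysadmin@mnd.gov.tw>
To: carrie@mnd.gov.tw
Subject: Anti-virus update
Content-Type: text/plain

Please run the attached update.
"""

# Headers that may carry the sender the server actually authenticated.
# Which of them exist depends on the mail system (assumption).
ENVELOPE_HEADERS = ("X-Authenticated-Sender", "Sender", "Return-Path")


def sender_mismatch(raw_message: str):
    """Return (claimed, actual) when the From caption disagrees with the
    authenticated/envelope sender, otherwise None.

    Addresses are lower-cased before comparison so a case difference in the
    local part alone is not reported as a mismatch.
    """
    msg = HeaderParser().parsestr(raw_message)   # headers only, body ignored
    _, claimed = parseaddr(msg.get("From", ""))
    claimed = claimed.lower()
    for name in ENVELOPE_HEADERS:
        value = msg.get(name)
        if not value:
            continue
        _, actual = parseaddr(value)
        actual = actual.lower()
        if actual and actual != claimed:
            return claimed, actual
    return None


if __name__ == "__main__":
    result = sender_mismatch(SAMPLE_MAIL)
    if result:
        print("SUSPICIOUS: From caption %s, authenticated sender %s" % result)
    else:
        print("From caption matches authenticated sender")
```

Run over every message exported from a .pst mailbox, this narrows the set of e-mails an examiner has to read by hand; it does not judge whether the mismatch is malicious, which is the part the post says only the examiner can decide.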

  • Original article: https://www.cnblogs.com/pieces0310/p/4727788.html
Copyright © 2011-2022 走看看