
EnCase missed some usb activities in the evidence files

Posted: 2017-10-06 16:51:33   Views: 309   Comments: 0   Bookmarks: 0

My friend is a developer, and her colleague May was suspected of stealing the source code of an important project, "X". The Police searched her apartment and seized her brand-new laptop, which runs Windows 10 Pro. Forensic examiner Terry used EnCase for evidence processing. To his surprise, only one USB thumb drive, "SanDisk", was found in "USB Records".

[Screenshot: EnCase "USB Records" listing only the SanDisk thumb drive]

Terry checked the LNK file artifacts and found something very interesting. By the volume serial number we can tell which volume belongs to the local drive: the local drive has only one volume, and its drive letter is "C". Terry found two volume serial numbers, "d63e3c12" and "beebc8cb", that belong to external drives, as below.

[Screenshots: LNK file artifacts showing the volume serial numbers d63e3c12 and beebc8cb]

Fortunately, the LNK file artifacts gave Terry a very important clue. Terry believed that more than one USB thumb drive had been plugged into May's laptop. Why did EnCase miss some USB activities in the evidence files?

We cannot be too careful when analyzing evidence and something strange turns up. Let's use another forensic tool to examine the USB artifacts again. Besides the SanDisk, another USB thumb drive was found, named "Seagate ". The same name appears in the LNK file artifacts.
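The post leans on a fact worth seeing in bytes: every Windows shortcut (.lnk) that points at a local target embeds a VolumeID carrying the target volume's drive type and its volume serial number, so LNK files record a removable drive even when a tool's USB device listing does not. The following is an added example, not the post's code and not EnCase output. It builds a few minimal .lnk files in memory (constructed samples; the serials d63e3c12 and beebc8cb are the two values the post quotes, the label and paths are invented), parses the LinkInfo/VolumeID structures per the documented Shell Link format, and applies the post's rule that the laptop has a single local volume, C:, so any other volume is external.

```python
"""Extract the VolumeID (drive type + volume serial number) from Windows .lnk
files and separate local volumes from external ones.

Added example, not the post's code. Sample .lnk blobs are constructed by
build_lnk(); the serials d63e3c12 / beebc8cb come from the post, the
labels and paths are made up for illustration."""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}


def build_lnk(serial, drive_type, label, local_path):
    """Constructed minimal shell link: 76-byte header + LinkInfo with a VolumeID."""
    label_b = label.encode("latin-1") + b"\x00"
    path_b = local_path.encode("latin-1") + b"\x00"
    # VolumeID: size, DriveType, DriveSerialNumber, VolumeLabelOffset (0x10), label
    volume_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 0x10) + label_b
    li_hdr = 0x1C                        # LinkInfoHeaderSize without Unicode offsets
    vol_off = li_hdr
    lbp_off = vol_off + len(volume_id)   # LocalBasePath follows the VolumeID
    cps_off = lbp_off + len(path_b)      # CommonPathSuffix: empty string
    li_size = cps_off + 1
    link_info = struct.pack("<7I", li_size, li_hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, cps_off) + volume_id + path_b + b"\x00"
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", HAS_LINK_INFO)
    header += b"\x00" * (HEADER_SIZE - len(header))   # timestamps etc. left zeroed
    return header + link_info + b"\x00\x00\x00\x00"   # terminal ExtraData block


def _cstr(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def _wstr(buf, off):
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le")


def parse_lnk(data):
    """Return serial/drive type/label/local path, or None if the link has no VolumeID."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # skip IDListSize + IDList
    if not flags & HAS_LINK_INFO:
        return None
    li = pos
    li_flags, vol_off, lbp_off = struct.unpack_from("<3I", data, li + 8)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                                          # network target only
    vid = li + vol_off
    _size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vid)
    if label_off == 0x14:   # label is UTF-16 at VolumeLabelOffsetUnicode
        label = _wstr(data, vid + struct.unpack_from("<I", data, vid + 0x10)[0])
    else:
        label = _cstr(data, vid + label_off)
    return {"serial": "%08x" % serial,
            "drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)),
            "label": label, "local_base_path": _cstr(data, li + lbp_off)}


def classify_volumes(lnk_blobs, local_drive_letters=("C",)):
    """Group links by volume serial; a serial is external unless every path seen
    for it sits on a local drive letter (the post's rule: one local volume, C:)."""
    volumes = {}
    for blob in lnk_blobs:
        rec = parse_lnk(blob)
        if rec is None:
            continue
        v = volumes.setdefault(rec["serial"], {"drive_type": rec["drive_type"],
                                               "label": rec["label"], "paths": set()})
        v["paths"].add(rec["local_base_path"])
    for v in volumes.values():
        v["external"] = any(p[:1].upper() not in local_drive_letters for p in v["paths"])
    return volumes


SAMPLE_LNKS = [  # constructed samples
    build_lnk(0x1A2B3C4D, 3, "OS", r"C:\Users\May\Documents\notes.txt"),
    build_lnk(0xD63E3C12, 2, "SANDISK", r"E:\X\src\main.c"),
    build_lnk(0xBEEBC8CB, 3, "Seagate ", r"F:\X\src\main.c"),
    build_lnk(0xD63E3C12, 2, "SANDISK", r"E:\X\build.gradle"),
]

if __name__ == "__main__":
    for serial, v in classify_volumes(SAMPLE_LNKS).items():
        tag = "EXTERNAL" if v["external"] else "local"
        print(f"{serial}  {v['drive_type']:<9} {tag:<8} label={v['label']!r} "
              f"paths={sorted(v['paths'])}")
```

Note that the classification keys off the drive letter and the known local serial, not the DriveType field: a USB hard disk such as a 2.5" external drive usually reports DRIVE_FIXED just like the internal disk, so drive type alone would not have separated the Seagate from C:. The serial, on the other hand, survives across tools, which is what let the post cross-check the LNK artifacts against the second tool's USB listing.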

[Screenshot: USB artifacts from the second forensic tool showing both the SanDisk and the Seagate device]

Based on the volume serial numbers and USB device serial numbers above, the Police found those two USB storage devices at May's company. Finally May admitted that she had copied the source code of project "X" onto a SanDisk USB thumb drive and a 2.5" Seagate Backup Plus USB drive, and that she had brought both devices home. She wanted to sell them to earn more money.

Guidance should take a look at its "USB Records" to find out why the USB activities are incomplete after evidence processing.


Original: http://www.cnblogs.com/pieces0310/p/7631696.html
