[sleuthkit-users] What information is needed to do a digital forensic analysis? (was: RE: Examining
From: Svein Y. W. <sv...@wi...> - 2006-11-20 07:40:10
> The lawyer does not want to give us too many details. She thinks it
> will damage our impartiality.

This is interesting. In classic forensics, where the task can be explicitly defined, this attitude is appropriate. For example:

- tell me if fingerprint A and B match
- tell me if this hair comes from the same person as this blood sample

I think the opposite is the case in digital forensics. In digital forensics, the task is (usually) to find the evidence, given a large heap of information. Say for example a 50 Gb hard drive. Since it is impossible for the investigator to know in advance what kind of evidence may be on the drive, he must imagine possible evidence items based on an assumption of what could be on the drive. Valid assumptions can in my opinion only be made if the investigator has access to all possible information about the case. After all, you only find what you look for.

Any thoughts?

Regards,
Svein Willassen
--
Researcher
Norwegian University of Science and Technology