Re: [sleuthkit-users] What information is needed to do a digital forensic analysis? (was: RE: Exam
From: <an...@n-...> - 2006-11-20 12:28:13
In my humble opinion - this is a common misconception about forensic computing. Much of the time we are acting more like crime scene examiners and either need to determine if anything resembling a crime has been committed OR find evidence relating to a particular activity. As system complexity and storage capacity increase, the size of our "crime scene" also increases. Thus, rather than dealing with a single room, we are more often searching an area equivalent to a whole city for a small amount of evidence.

Without information from the client, our job becomes almost infinitely complex...

-----Original Message-----
From: Svein Yngvar Willassen
Date: 20/11/06 7:40
To: sle...@li...
Subj: [sleuthkit-users] What information is needed to do a digital forensic analysis? (was: RE: Examining RAID-5 with only 1 drive)

> The lawyer does not want to give us too many details. She thinks it
> will damage our impartiality.

This is interesting. In classic forensics, where the task can be explicitly defined, this attitude is appropriate. For example:

- tell me if fingerprint A and B match
- tell me if this hair comes from the same person as this blood sample

I think the opposite is the case in digital forensics. In digital forensics, the task is (usually) to find the evidence, given a large heap of information. Say for example a 50 Gb hard drive. Since it is impossible for the investigator to know in advance what kind of evidence may be on the drive, he must imagine possible evidence items based on an assumption of what could be on the drive. Valid assumptions can in my opinion only be made if the investigator has access to all possible information about the case. After all, you only find what you look for.

Any thoughts?

Regards,
Svein Willassen
--
Researcher
Norwegian University of Science and Technology

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org