Re: [sleuthkit-users] What information is needed to do a digital forensic analysis? (was: RE: Exami
From: Simson G. <si...@ac...> - 2006-11-20 17:18:20
Hi, Svein.

I agree with your reasoning but not with your conclusion.

In digital forensics, like classical forensics, it's appropriate to explicitly define the task but not tell the examiner the expected outcome.

- Tell me if this child porn document is on this hard drive.
- Tell me if this document has a GUID that is consistent with this computer.

Giving an examiner a 50GB drive and saying "find something incriminating" is akin to putting an investigator in a bedroom and saying "find something."

The real issue isn't digital vs. non-digital, but one of clearly defining the expectations of the investigation.

On Nov 20, 2006, at 2:40 AM, Svein Yngvar Willassen wrote:

>> The lawyer does not want to give us too many details. She thinks it
>> will damage our impartiality.
>
> This is interesting. In classic forensics, where the task can be explicitly
> defined, this attitude is appropriate. For example:
>
> - tell me if fingerprint A and B match
> - tell me if this hair comes from the same person as this blood sample
>
> I think the opposite is the case in digital forensics. In digital forensics,
> the task is (usually) to find the evidence, given a large heap of
> information. Say for example a 50 Gb hard drive. Since it is impossible for
> the investigator to know in advance what kind of evidence may be on the
> drive, he must imagine possible evidence items based on an assumption of
> what could be on the drive. Valid assumptions can in my opinion only be made
> if the investigator has access to all possible information about the case.
>
> After all, you only find what you look for.
>
> Any thoughts?
>
> Regards,
>
> Svein Willassen
> --
> Researcher
> Norwegian University of Science and Technology