Re: [sleuthkit-users] What information is needed to do a digital forensic analysis? (was: RE: Exami
From: Svein Y. W. <sv...@wi...> - 2006-11-20 20:55:37
> In digital forensics, like classical forensics, it's appropriate to
> explicitly define the task but not tell the examiner the expected
> outcome.
>
> - Tell me if this child porn document is on this hard drive.
> - Tell me if this document has a GUID that is consistent with this
>   computer.
>
> Giving an examiner a 50GB drive and saying "find something
> incriminating" is akin to putting an investigator in a bedroom and
> saying "find something." The real issue isn't digital vs. non-digital,
> but one of clearly defining the expectations of the investigation.

During my time in the police and when working as a forensic expert, I've had several of those cases where the task has been clearly defined. They have usually been variations of the theme "find this email" or "find this document". These cases are usually fairly straightforward, although they tend to culminate in difficult questions like "why wasn't it found?" or "how did it get there?"

More often than not, however, I find that the person who asks me to do the investigation lacks the expertise and experience to give me a clear assignment. This may be because they may not have the necessary computer knowledge (typically a prosecutor, attorney or judge), because they do not have the details of the case themselves, or simply because they do not know exactly what to look for.

Imagine investigating the computer used by someone suspected of being involved in tax fraud. In such a case, one could certainly start browsing the documents stored on the computer in the hope of finding something interesting. But how would you know which document has value as evidence in the specific case? The documents of evidentiary value can only be pinpointed if the investigator knows the specifics of the case. I have indeed several times been asked to "find the evidence" without being given any further clues.

In these cases I took the responsibility to go back and obtain further information about the case before starting the investigation.

Svein