In my humble opinion - this is a common misconception about forensic
computing.
Much of the time we are acting more like crime scene examiners and either
need to determine if anything resembling a crime has been committed OR
find evidence relating to a particular activity. As system complexity and
storage capacity increase, the size of our "crime scene" also increases.
Thus, rather than dealing with a single room, we are more often searching
an area equivalent to a whole city for a small amount of evidence.
Without information from the client, our job becomes almost infinitely
complex...
-----Original Message-----
From: Svein Yngvar Willassen
Date: 20/11/06 7:40
To: sle...@li...
Subj: [sleuthkit-users] What information is needed to do a digital forensic analysis? (was: RE: Examining RAID-5 with only 1 drive)
> The lawyer does not want to give us too many details. She thinks it
> will damage our impartiality.
This is interesting. In classic forensics, where the task can be explicitly
defined, this attitude is appropriate. For example:
- tell me if fingerprint A and B match
- tell me if this hair comes from the same person as this blood sample
I think the opposite is the case in digital forensics. In digital forensics,
the task is (usually) to find the evidence, given a large heap of
information. Say for example a 50 Gb hard drive. Since it is impossible for
the investigator to know in advance what kind of evidence may be on the
drive, he must imagine possible evidence items based on an assumption of
what could be on the drive. Valid assumptions can in my opinion only be made
if the investigator has access to all possible information about the case.
After all, you only find what you look for.
Any thoughts?
Regards,
Svein Willassen
--
Researcher
Norwegian University of Science and Technology