1. Understanding and comparing digital traces.
- Author
- Horsman, Graeme
- Subjects
- *DIGITAL forensics, *ELECTRONIC evidence, *METADATA
- Abstract
- Digital forensic practitioners will encounter digital traces during their examinations which they must take steps to understand. This may involve trying to attribute an ‘activity’ to a trace (what created it) or determine where it came from (its ‘source’) – Trace-to-Activity/Source interpretation. Alternatively, they may need to determine if an activity has taken place on a system by identifying traces denoting it – Activity-to-Trace interpretation. In both instances, practitioners may need to conduct tests and/or identify research which will help them understand a trace, and compare any results of their testing/research to the traces in their casework. This work describes both the Trace-to-Activity/Source and Activity-to-Trace interpretive journeys, as well as the steps contained in both. In addition, six ‘trace comparison criteria’ are proposed and discussed to help those carrying out a trace comparison, notably: ‘trace location’, ‘trace structure’, ‘trace examination method’, ‘trace metadata’, ‘trace content’, and ‘trace context’. [ABSTRACT FROM AUTHOR]
- Published
- 2024