Find the Context
Wed, 07/30/2014 - 3:50pm
Digital forensic science is not a matter of recovering a file that proves somebody’s guilt; it is about wading through hundreds of thousands, possibly millions, of digital artifacts of a wide variety and making very pointed critical judgments about which of them provide some sort of inculpatory or exculpatory evidence relevant to the case. It is important to remember that it is the digital forensic examiner alone who will make this discrimination, and who will normally be the only person ever to see the majority of recovered artifacts. Items that the examiner excludes will not get a second look; they will not be re-evaluated or reconsidered by another party for context.
Tool use alone might allow me to recover thousands of images. With even more technical knowledge, I might piece together even more fragments of images and Web page artifacts out of unallocated space that were missed by the tools. Absent any other insight or education, I might quickly discount dozens or hundreds of pieces of relevant information. A liberal arts education might tell me (or give me the research skills and habit to find out) that the bearded man with the green robes whose image keeps showing up on the subject’s hard drive is Ali, suggesting that my subject is Shi’a. I might further recognize that my subject lives in a Sunni neighborhood. If my subject is a murder victim, this may provide an insight as to motive. If I am conducting an intelligence analysis, this may be an anomaly that is worth noting in my report.
From: Training is Not Enough: A Case for Education Over Training by Tim Wedge