Evidence Searching

Thanks to the explosion of storage capacity, it becomes harder with each passing year to locate evidence within the sea of data stored in a typical computer. Data exists at three levels: data, information, and evidence, as shown in Figure 1.1.

FIGURE 1.1 The data hierarchy.

As shown in Figure 1.1, the lowest level of data is just raw data. Raw data consists of bits, normally organized as bytes, in volatile or non-volatile storage. In this category we find things such as raw disk sectors. It can be a challenge to use data at this level, and on most modern systems there is plenty of data out there to pick through.

Above raw data we have information. Information consists of raw data with some sort of meaning attached to it. For example, an image has more meaning to a human than the bits that make up a JPEG file used to store the image. Even text files exist at this level in our hierarchy. Bringing many bytes of ASCII or Unicode values together gives them meaning beyond their collection of bytes.

At the highest level in our hierarchy is evidence. While there may be thousands or millions of files (collections of information), it is unlikely that the bulk of them have any relevance to an investigation. This leads us to ponder what it means for information to be relevant to an investigation.
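The three levels described above, walked over a constructed three-sector disk image, as an added Python example that is not part of the book: raw sectors are the data level, recognising a JPEG marker or a run of printable ASCII attaches meaning (the information level), and a keyword search driven by a stated hypothesis filters that information down to candidate evidence. The 512-byte sector size, the sample bytes, and the 95% printable-byte threshold used to call a sector "text" are assumptions made for the example.

```python
"""Walk the data -> information -> evidence hierarchy over a constructed disk image."""
import string

SECTOR_SIZE = 512                          # assumed sector size
PRINTABLE = set(string.printable.encode())  # byte values we treat as readable text


# --- Level 1: raw data. A constructed 3-sector image, not a real disk. ---
def build_sample_image() -> bytes:
    # Sector 0: a minimal JPEG header (SOI marker, JFIF APP0 segment) and an EOI marker.
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\x00" * 16 + b"\xff\xd9")
    # Sector 1: plain ASCII text, the kind of thing a keyword search can act on.
    text = b"Meeting notes: wire transfer completed Friday.\n"
    # Sector 2: meaningless filler bytes standing in for unallocated space.
    filler = bytes((i * 37) % 256 for i in range(SECTOR_SIZE))
    return (jpeg.ljust(SECTOR_SIZE, b"\x00")
            + text.ljust(SECTOR_SIZE, b"\x00")
            + filler)


def sectors(image: bytes):
    """Yield (sector_number, bytes) pairs; this is the raw-data view of the image."""
    for offset in range(0, len(image), SECTOR_SIZE):
        yield offset // SECTOR_SIZE, image[offset:offset + SECTOR_SIZE]


# --- Level 2: information. Attach meaning to bytes by recognising structure. ---
def classify_sector(data: bytes) -> str:
    if data[:3] == b"\xff\xd8\xff":        # JPEG start-of-image marker
        return "jpeg"
    body = data.rstrip(b"\x00")            # ignore zero padding at the end
    if body and sum(b in PRINTABLE for b in body) / len(body) > 0.95:
        return "text"
    return "unknown"


def extract_information(image: bytes) -> list:
    """Turn raw sectors into a list of typed items; text sectors carry decoded content."""
    info = []
    for number, data in sectors(image):
        kind = classify_sector(data)
        item = {"sector": number, "kind": kind}
        if kind == "text":
            item["content"] = data.rstrip(b"\x00").decode("ascii", errors="replace")
        info.append(item)
    return info


# --- Level 3: evidence. Keep only information relevant to a stated hypothesis. ---
def find_evidence(info: list, hypothesis_terms: list) -> list:
    """Return the text items that mention any hypothesis term, with the terms matched."""
    hits = []
    for item in info:
        if item["kind"] != "text":
            continue
        haystack = item["content"].lower()
        matched = [t for t in hypothesis_terms if t.lower() in haystack]
        if matched:
            hits.append({"sector": item["sector"], "terms": matched})
    return hits


if __name__ == "__main__":
    image = build_sample_image()
    information = extract_information(image)
    for item in information:
        print(item)
    print("supports:", find_evidence(information, ["wire transfer"]))
    print("refutes:", find_evidence(information, ["cash withdrawal"]))
```

Running `find_evidence` twice, once with terms that would support the working hypothesis and once with terms that would refute it, is a small way of keeping the search honest: the same information is examined for both outcomes rather than only for the one the investigator expects.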

As previously mentioned, forensics is a science. Given that we are trying to do science, we should be developing hypotheses and then searching for information that supports or refutes a hypothesis. It is important to remain objective during an investigation as the same piece of evidence might be interpreted differently based on people’s preconceived notions.

It is extremely important that investigators do not become victims of confirmation bias. Put simply, confirmation bias is only looking at information that supports what you believe to be true while discounting anything that would refute what you believe. Given the amount of data that must be examined in a typical investigation, a hypothesis or two concerning what you think you will find (the owner of the computer did X, this computer was successfully exploited, etc.) is good to help guide you through the searching process. Don’t fall into the trap of assuming your hypothesis or hypotheses are correct, however.
