
General Discussion: Validation and decision making

minime2k9 wrote:
> The issue here is what is a fact. So yes you have recovered data which is consistent with the data produced by browser X when a user accesses websites. However, I could fabricate the same data manually. Therefore this data exists but doesn't represent user activity.
>
> The issue with digital is that everything, from the file-system to user data, is an interpretation of a series of 1's and 0's. In theory, if I created a truly random generation of bits, I could eventually create an Indecent Image in JPEG format for example. Being extremely pedantic, you could state that you located data which can be interpreted as a picture file.

Though - honestly - when it comes to a complex format such as a JPEG it is improbable that it was "randomly" generated.

I find it much more likely (again in edge cases, but still more likely) that reconstruction of text files carved from unallocated may cause a "spontaneous" (and "bogus", but readable) text to be generated.

Still, IMHO adding a reasonable evaluation/description of the possibilities that could have led to the creation of an artifact is important, as a matter of fact it is vital that the experience of the "expert witness" is *somehow* expressed[1], particularly regarding three main points:

1) how technically (and logically) an artifact may have been generated
2) how likely it is that the artifact may have been generated involuntarily or by automated means without the knowledge of the user
3) how well the artifacts found on an examined device (as a whole) fit a (again technically and logically) possible scenario

All in all we are back to the base concept of a "full timeline" and placing the findings (wherever possible) in their context.

Without the experience and knowledge of a human expert, we would be back to the issue about one button forensics, which again can be a good triage method, but nothing more than that.

And now as a side-side note (and I understand it is not a common-common case, but I suspect it will become more common) there could be an added provision somewhere in the flowchart related to language proficiency of the examiner with the language[2] used on the device and by the user.

There have been more than a few cases lately in Italy (actually AFAICR related to telephone interceptions, but essentially the matter is not so different) where the misinterpretation or mistranslation of something said in either a foreign language or a dialect or a slang of some kind has led to investigative errors.

jaclaz

[1] as long as it is clearly separated from the actual "fact" reporting, and clearly designated as an opinion
[2] as sometimes the same sentence may be read getting a wrong meaning, a renowned example being "Edwardum occidere nolite timere bonum est"
