Title :
What is Essential Data in Digital Forensic Analysis?
Author :
Freiling, Felix ; Gruhn, Michael
Author_Institution :
Dept. Comput. Sci., Friedrich-Alexander Univ. Erlangen-Nurnberg (FAU), Erlangen, Germany
Abstract :
In his seminal work on file system forensic analysis, Carrier defined the notion of essential data as "those that are needed to save and retrieve files." He argues that essential data is therefore more trustworthy since it has to be correct in order for the user to use the file system. In many practical settings, however, it is unclear whether a specific piece of data is essential because either file system specifications are ambiguous or the importance of a specific data field depends on the operating system that processes the file system data. We therefore revisit Carrier's definition and show that there are two types of essential data: strong and weak. While strongly essential corresponds to Carrier's definition, weakly essential refers to application specific interpretations. We empirically show the amount of strongly and weakly essential data in DOS/MBR and GPT partition systems, thereby complementing and extending Carrier's findings.
Keywords :
data analysis; digital forensics; information retrieval; operating systems (computers); storage management; Carrier definition; DOS system; GPT partition system; MBR partition system; digital forensic analysis; file retrieval; file saving; file system data processing; file system forensic analysis; file system specifications; operating system; strong essential data; trustworthy; weak essential data; Computers; Data structures; Digital forensics; Metadata; Operating systems; Standards; file system; forensic investigations; operating systems;
Conference_Titel :
IT Security Incident Management & IT Forensics (IMF), 2015 Ninth International Conference on
Conference_Location :
Magdeburg
Print_ISBN :
978-1-4799-9902-6
DOI :
10.1109/IMF.2015.20