About the Author Dr Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK. |
As we will see, this does not necessarily suggest that there should be standard units of measurement in digital forensics, to report, for example, the position of the start of a file. As will be discussed later in the article, this is not always appropriate, since it is useful to describe such positions in different ways depending on the context. However, this article will discuss that reporting some unit of measurement is essential.
Perhaps it is best to begin with a simple example:
“the text string ‘this is evidence’ was located at position 34556”
Since this important evidential artefact has been located, it seems sensible to check that the artefact is actually there. So, we should examine position 34556... but 34556 what? Bytes, sectors, blocks? Let us assume just for a second that the position is expressed in bytes, but what about the number base? If the position in which the string was identified was 86FC, it would be reasonable to assume that this is a hexadecimal offset. However, in this example we have 34556. This could be decimal or hexadecimal. So in order to precisely identify the position of this string, not only does the unit of measurement need to be expressed, but so too does the number base in which it is expressed.
Furthermore, consider the organisation of a disk...Read more at http://www.forensicfocus.com/chris-hargreaves
No comments:
Post a Comment