This means that either direct interpretation of unallocated space forensic recovery or file carving is necessary to access that space. While the majority of useful evidence comes from active user files, the majority of disk space is unallocated. Even though the fundamentals of chip architecture and low-level file structure may also seem useless to the day-to-day business of an investigator or forensic analyst, the structure of data is critical to understanding digital evidence. Almost all meaningful information is gathered into bytes or “words.” With Intel processors, the standard word is 2 bytes or 16 bits. This understanding is part of popular culture, but is essentially useless. Each single piece of information: one or zero is called a bit. The whole is brought together in a discussion of how these techniques can improve testimony and the investigative effectiveness of a forensic analyst.ĭigital information in its raw form is expressed as ones and zeros, or more correctly as on’s and off’s. Along with the examples is a discussion of how these operations are handled by automated forensic tools.
With this information, an analyst’s ability to present data exceeds the ability of commonly used forensic packages. Using publicly available resources, the structures of embedded data are explained. The second example examines data embedded in a JPEG photograph byte by byte. The commands demonstrate the same steps used by automated forensic packages. In the first example, a step-by-step set of commands is used to find and recover a deleted picture. Common structures and methods of discovering and explaining other structures are explained and then shown in two examples: carving a lost or deleted file and finding hidden data in a common JPEG photograph. Once expressed, the organization of the data becomes easier to understand. Hexadecimal is commonly seen as the most fundamental representation of the data. This research paper explains how the binary data (1s and 0s) are exactly equal to a slightly easier way of showing the data: hexadecimal. Forensic analysts must make sense this data and present it to persuade others. Even though we have heard about them many times, we often have no idea how the 1s and 0s turn into useful data. The 1s and 0s that make up digital data are incomprehensible to most people.
0 kommentar(er)
