Necessary to access original data?


olga

New Member
Jul 8, 2019
#1
Hi,
In which circumstances would a person find it necessary to access original data? That person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

I'm a student of Digital Forensics, and research hasn't helped so far. What would be good examples of accessing original data when there is no other alternative?

Thank you
Olga
 

twicesafe

Administrator
Staff member
Sep 4, 2018
Vancouver, Canada
www.computerforensicsworld.com
#2
The goal of Digital Forensics is to always access the original data.

Example: You could take screen captures of chats or images from a suspect's phone, but this may not provide you with the true story of what occurred.

By looking at the original data within the SQLite databases, you may find that messages were deleted or videos altered.

NOTE: If this does not answer your question, then please provide further clarification on what you mean by "original data".
 

olga

New Member
Jul 8, 2019
#3
Thank you twicesafe.

What I am trying to figure out is this: when acquiring digital evidence, a bit-by-bit image should be made and the investigator should analyse the data from the image (keeping the original evidence untouched).

In which circumstances would this principle not apply because it is not possible to image the evidence? In other words, when will the evidence be tampered with by the investigator because there is no better option for the investigation?

Am I making any sense?

Thank you very much
 

Lids

Member
Experienced Member
Oct 23, 2018
#4
Hi Olga,

If by original data you are referring to "live data", this should only be done as a last resort. The better approach is to take triage images of key data (i.e. registry hives) and perform offline analysis whilst physical / logical imaging is being performed.

Due to time pressures on engagements, you may need to perform live analysis; however, contemporaneous notes need to be taken, and you are correct that the implications need to be understood, i.e. updates to Shellbags by navigating folders, updates to MRUs by opening files, updates to the setupapi log by plugging in a USB device.

Best regards,
-Lids
 
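As an added illustration of the imaging principle discussed in this thread (the bit-for-bit copy, hashing both sides, keeping contemporaneous notes, and why touching the original afterwards is a problem), here is a small Python walk-through. It is not code from the thread or from any of its authors: the file names, the examiner label and the sample bytes are constructed placeholders, and plain file copying stands in for a write-blocked acquisition with a real imaging tool.

```python
"""Bit-for-bit imaging with hash verification and a contemporaneous log.
Added illustration only; all paths and sample data below are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # read in 1 MiB blocks so large media never sit in memory


def sha256_of(path: str) -> str:
    """Hash a file in chunks; this is the value recorded at acquisition time."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def image_source(source: str, image_path: str) -> int:
    """Copy every byte of `source` to `image_path`; return the number of bytes copied.
    A real acquisition would read through a write blocker; this is the same idea in miniature."""
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK_SIZE), b""):
            dst.write(block)
            copied += len(block)
    return copied


def acquire(source: str, image_path: str, log_path: str, examiner: str) -> dict:
    """Image the source, hash source and image, and append a timestamped log entry."""
    size = image_source(source, image_path)
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": "acquire",
        "source": source,
        "image": image_path,
        "bytes": size,
        "source_sha256": sha256_of(source),
        "image_sha256": sha256_of(image_path),
    }
    entry["verified"] = entry["source_sha256"] == entry["image_sha256"]
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def reverify(path: str, expected_sha256: str) -> bool:
    """Re-hash an item later (e.g. before giving evidence) and compare with the acquisition hash."""
    return sha256_of(path) == expected_sha256


def demo(workdir: str) -> dict:
    """Constructed walk-through: image a fake 'device', then show what a write to the original does."""
    source = os.path.join(workdir, "suspect_device.bin")  # constructed placeholder, not real evidence
    image = os.path.join(workdir, "suspect_device.img")
    log = os.path.join(workdir, "acquisition.log")
    with open(source, "wb") as f:
        f.write(b"constructed sample " * 100_000)  # ~1.9 MB so several chunks are read
    entry = acquire(source, image, log, examiner="examiner-placeholder")
    # Simulate the original being touched after imaging, which is the risk of live analysis:
    with open(source, "r+b") as f:
        f.seek(0)
        f.write(b"X")
    return {
        "acquisition_verified": entry["verified"],
        "original_still_matches": reverify(source, entry["source_sha256"]),
        "image_still_matches": reverify(image, entry["image_sha256"]),
    }


def run_demo_in_tempdir() -> dict:
    """Run the demo in a throwaway directory so nothing is left on disk."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(run_demo_in_tempdir())
```

The point of the final three values: the image verified at acquisition, and it still verifies afterwards, but a single byte written to the original (the kind of side effect Lids lists for live analysis) makes the original no longer match its recorded hash. That is exactly why the log entry and the examiner's notes have to exist before anyone works on live data.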
