Abstract
ABSTRACT Digital forensic practitioners will encounter digital traces during their examinations which they must take steps to understand. This may involve trying to attribute an ‘activity’ to a trace (what created it) or determine where it came from (its ‘source’) – Trace-to-Activity/Source interpretation. Alternatively, they may need to determine if an activity has taken place on a system by identifying traces denoting it – Activity-to-Trace interpretation. In both instances, practitioners may need to conduct tests and/or identify research which will help them understand a trace, and compare any results of their testing/research to the traces in their casework. This work describes both the Trace-to-Activity/Source and Activity-to-Trace interpretive journeys, as well as the steps contained in both. In addition, six ‘trace comparison criteria’ are proposed and discussed to help those carrying out a trace comparison, notably: ‘trace location’, ‘trace structure’, ‘trace examination method’, ‘trace metadata’, ‘trace content’, and ‘trace context’.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
