One of the earliest lectures in the MIT Openware programme in Physics begins with the lecture “Units and Dimensional Analysis”. Units of measurement are critical to science, so much so that there is a standard that defines science’s system of units, for example the precise definition of a kilogram - the SI (Système International d’Unités or International System of Units).

The notion of units of measurement in science is extremely important and it therefore seems sensible to consider how this applies to digital forensics. As we will see, this does not necessarily suggest that there should be standard units of measurement in digital forensics, to report, for example, the position of the start of a file. As will be discussed later in the article, this is not always appropriate, since it is useful to describe such positions in different ways depending on the context. However, this article will discuss that reporting some unit of measurement is essential.

Perhaps it is best to begin with a simple example:

“the text string ‘this is evidence’ was located at position 34556”

Since this important evidential artefact has been located, it seems sensible to check that the artefact is actually there. So, we should examine position 34556… but 34556 what? Bytes, sectors, blocks?

Let us assume just for a second that the position is expressed in bytes, but what about the number base? If the position in which the string was identified was 86FC, it would be reasonable to assume that this is a hexadecimal offset. So in order to precisely identify the position of this string, not only does the unit of measurement need to be expressed, but so too does the number base in which it is expressed.

Furthermore, consider the organisation of a disk. At sector 0 (LBA) we usually have an MBR. The data in this sector provides information about how the disk is partitioned. These partitions may contain file systems, and these file systems store files. Even assuming a position of 34556 bytes (in decimal), to determine the location of this identified string from the information provided it is necessary to guess about whether this is an offset from the beginning of the disk image, a logical offset from the start of one of the partitions, or perhaps it is an offset in one of the files. Offsets into files add further complexity, since the file may not be stored contiguously on disk and a linear offset in a file may actually involve jumping forwards and backwards in the disk image. However, the main point is that to precisely pin down the location in which this search string has been identified, it is necessary to report the unit of measurement (bytes), how that number is being expressed (as a decimal number) and the position that these bytes are measured from (from the start of the disk image).

So, that concludes the simple example!

Another example where the detail associated with a value is crucial is dates and times:

“File 1 was created at 4 o’clock on the 3rd of February 2011”

The first and hopefully obvious question here is was it 4am or 4pm? Fortunately, almost all date interpretation tools will report times either with an am/pm suffix, or preferably in a 24 hour format, so it is rare to see times expressed this imprecisely. Further difficulties can arise when dates are expressed numerically, e.g.
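The ambiguity of “position 34556” discussed in the article can be made concrete with a short script; this is an added example, not code from the original article. It enumerates every reading of the reported value (decimal or hexadecimal, bytes or sectors, measured from the image start or from a partition start) against a constructed in-memory disk image. The 512-byte sector size, the partition at LBA 8 and all function names are assumptions chosen for illustration.

```python
import struct
from itertools import product

SECTOR = 512                    # assumed sector size in bytes
NEEDLE = b"this is evidence"    # the search string from the article's example

def build_image(part_lba=8, rel_offset=34556, size=256 * 1024):
    """Constructed sample image: MBR with one partition, needle at a partition-relative offset."""
    img = bytearray(size)
    # 16-byte MBR partition entry: status, CHS start, type, CHS end, start LBA, sector count
    img[446:462] = struct.pack("<B3sB3sII", 0, b"\0\0\0", 0x83, b"\0\0\0",
                               part_lba, size // SECTOR - part_lba)
    img[510:512] = b"\x55\xaa"  # MBR boot signature
    pos = part_lba * SECTOR + rel_offset
    img[pos:pos + len(NEEDLE)] = NEEDLE
    return bytes(img)

def partition_starts(img):
    """Return the start LBA of each non-empty primary partition listed in the MBR."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature at sector 0")
    starts = []
    for i in range(4):
        entry = img[446 + 16 * i:462 + 16 * i]
        if entry[4] != 0:       # partition type 0 means the slot is unused
            starts.append(struct.unpack_from("<I", entry, 8)[0])
    return starts

def interpretations(text, img, needle=NEEDLE):
    """Yield (base, unit, origin, absolute_byte_offset, found) for each reading of `text`."""
    origins = [("image start", 0)]
    origins += [(f"partition@LBA{lba}", lba * SECTOR) for lba in partition_starts(img)]
    units = (("bytes", 1), ("sectors", SECTOR))
    for base, (unit, scale), (origin, start) in product((10, 16), units, origins):
        try:
            value = int(text, base)
        except ValueError:
            continue            # e.g. "86FC" cannot be read as decimal
        abs_off = start + value * scale
        # A slice past the end of the image is empty, so out-of-range readings report False
        yield base, unit, origin, abs_off, img[abs_off:abs_off + len(needle)] == needle

if __name__ == "__main__":
    for row in interpretations("34556", build_image()):
        print(row)
```

Of the eight readings of “34556”, only one locates the string, which is why a report needs to state the base, the unit and the origin alongside the number.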