Standard Units in Digital Forensics
Posted: Tue May 24, 2011 5:04 am
Standard Units in Digital Forensics
by Chris Hargreaves
One of the earliest lectures in the MIT Openware programme in Physics begins with the lecture “Units and Dimensional Analysis”. The notion of units of measurement in science is extremely important and it therefore seems sensible to consider how this applies to digital forensics. As we will see, this does not necessarily suggest that there should be standard units of measurement in digital forensics, to report, for example, the position of the start of a file. As will be discussed later in the article, this is not always appropriate, since it is useful to describe such positions in different ways depending on the context. However, this article will discuss that reporting some unit of measurement is essential...
Please use this thread for discussion of Chris's latest column.
_________________
Jamie Morris
Forensic Focus
Web: www.forensicfocus.com
Blog: www.forensicfocus.com/blog
Twitter: twitter.com/ForensicFocus
LinkedIn: www.linkedin.com/in/jamiemorris
-

jamie - Site Admin
Re: Standard Units in Digital Forensics
Posted: Tue May 24, 2011 5:23 am
The importance of standardisation:
www.theregister.co.uk/...standards/

( Good Article by the way Chris ... )
_________________
--
Azrael
--
-

azrael - Senior Member
Re: Standard Units in Digital Forensics
Posted: Tue May 24, 2011 7:18 am
Some good points made, although for me this article really strikes at the need for an appropriate level of precision in technical writing generally rather than the use of appropriate units of measure in particular.
The term 'appropriate' is very important here and will depend on the context in which you are writing; most notably the intended purpose and audience. As a great man once said
- Albert Einstein
Everything should be kept as simple as possible, but no simpler.
It can be a difficult balance to strike, and I find that report authors tend to include irrelevant information more commonly than they exclude relevant information.
-

pragmatopian - Senior Member
Re: Standard Units in Digital Forensics
Posted: Tue May 24, 2011 8:36 am
Another question is who is your intended audience? Are you writing the report for other analysts to read and review your work, or are you writing it for a jury, who have zero training, or interest in standards?
In the first example the location of the file on the disk is unlikely to be of concern to the jury, but may be needed for peer review, although a path will also serve (the reviewer can still check the MFT entry for location on disk). For the jury a path (including drive letter) is the easiest and most relevant for them. They have used computers (you hope) and can relate to a file path. Things get harder if you are referencing a file located in unallocated space.
One method of solving this is to effectively write two reports, the body of your report can be written for the jury, easy to understand terms with the information they need to reach a decision. The technical detail can then be included as annexures (this ends up mainly as lists of files & offsets) which can be used by reviewers & presented in court as necessary. This works towards addressing pragmatopian's point about simplicity.
It would be nice to have standards for the technical component of the report.
-

Mike.Wilkinson - Member
Re: Standard Units in Digital Forensics
Posted: Tue May 24, 2011 11:28 am
The body of the article makes it clear that there already are, in fact, perfectly good units and measurements available. What's important is to use them and for people to be precise when making and writing down measurements. It's good to be in the mindset of seriously thinking, "What is it that I'm really measuring?" before you write down a measurement.
-

indur - Senior Member
Re: Standard Units in Digital Forensics
Posted: Wed May 25, 2011 1:28 am
- indur
The body of the article makes it clear that there already are, in fact, perfectly good units and measurements available. What's important is to use them and for people to be precise when making and writing down measurements. It's good to be in the mindset of seriously thinking, "What is it that I'm really measuring?" before you write down a measurement.
To deliberately mangle an old adage:
- Me
To err in the use of data is human; to really mess things up requires an ill-informed 'media commentator' or politician.
-

pragmatopian - Senior Member
















