±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 2 Overall: 35989
New Yesterday: 3 Visitors: 173

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

UK - Exhibit Reference Convention

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

kiashi
Senior Member
 

UK - Exhibit Reference Convention

Post Posted: Feb 28, 11 17:40

Hi All, I have been on a training course this week in which we have been discussing exhibit referencing conventions and a question has come out of it from the trainer who is a retired Police Officer.

I understand that the current convention in the UK is to use the initials of the person producing (seizing) the exhibit followed by a / and then a sequential number, e.g. AP/1, or AEP/001 (depending on whether you use a middle initial and how many exhibits are expected in the case). Sub-exhibits e.g. a Hard drive from a PC would become AP/1/1.

So my question is as follows, due to the fact that the lovely Microsoft does not allow us forensicators to name folders or files with a forward slash in their name, what convention do most people use for naming folders and evidence files for a particular exhibit?

Where I work we would name them AP_1 and then AP_1-1 for a sub-exhibit. Has anyone been questioned in court about this and about tying this exhibit back to the original named on an evidence bag with /'s. In other words, has the adoption of a different notation caused any potential continuity issues for forensic investigations in the past once they get to court?
_________________
_________________________________________
The only people who find what they are looking for
in life are the fault finders. 
 
  

Jonathan
Senior Member
 

Re: UK - Exhibit Reference Convention

Post Posted: Feb 28, 11 17:55

I use initials, dash, date, dash, number. So for example, the first exhibit I dealt with today would become JCK-280211-1. If that exhibit was a pc and I found a CD disc inside the CD tray, that CD would become JCK-280211-1-CD1. It's long, granted, but it's unique. If I used your convention and went with JCK-1 and someone asked me about JCK-1 sometime next year I'd have no idea where to start looking.

I wouldn't use the '/' sign as separator for the reasons you've given. It's the way police are taught to write things down in notebooks but 95% of digital forensic notations for me are input electronically.

I would also not use the underscore '_' sign for if you use it in file path (which as a link would get underlined) then the '_' disappears and all you can see is a space.

Am not aware of any court challenges on exhibit naming conventions. I guess it's the same as everything else when it comes to notation; be consistent.
_________________
Forensic Control
twitter.com/ForensicControl
St Bride Foundation, 14 Bride Lane, London, EC4Y 8EQ 
 
  

kiashi
Senior Member
 

Re: UK - Exhibit Reference Convention

Post Posted: Feb 28, 11 18:09

Thanks for your reply Jonathan. Just to clarify these file and folder names are in very specific folder structure which includes the case reference at the level above. Of course we are also restricted by such things as the 8.3 naming convention used by certain hardware imagers etc.

I take your point about the underscores but as this is our convention we're unlikely to change it at this point. Consistency is certainly the key!
_________________
_________________________________________
The only people who find what they are looking for
in life are the fault finders. 
 
  

jaclaz
Senior Member
 

Re: UK - Exhibit Reference Convention

Post Posted: Feb 28, 11 19:00

Stupid idea, maybe, but why don't you try cheating?

Check the Unicode 0x2044 character Wink

en.wikipedia.org/wiki/...characters
("Fraction Slash")

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

DFICSI
Senior Member
 

Re: UK - Exhibit Reference Convention

Post Posted: Feb 28, 11 19:18

This depends on the force too. The Metropolitan Police use distinguishing letters so that someone can look at the exhibit reference and know what it is. For example:

AA/01/H1 - Would be the first hard drive from the first exhibit.
AA/02/H3 - Third hard drive from the second exhibit.
AA/03/C1 - First optical media from third exhibit.

etc.

We've always used dashes to replace the slashes on storage.
_________________
The views expressed by me do not reflect on my employer or the quality of work I produce Wink
www.forensic4cast.com 
 

Page 1 of 1