I think if we don't have some form of scale then we end up saying something is 'true' or 'uncertain'. Surely there are lots more shades in between which, if we could define them in some way, would be helpful to those relying on our interpretation of digital data?
Maybe you could apply to your scale of confidence the term 'concomitant'?
@tootypeg, apologies, I forgot to include the research starting point reference for the use of 'concomitant'.
Concomitant vs. Comparative Advantages: Sufficient vs. Necessary Conditions, by Carl D. Flaningam.
To cite this article: Carl D. Flaningam (1981), Concomitant vs. Comparative Advantages: Sufficient vs. Necessary Conditions, Argumentation and Advocacy, 181, 1-8, DOI 10.1080/00028533.1981.11951201
I think the correct answer is to say that you did not find evidence to support the contention that X opened folder A. That doesn't mean it didn't happen, but you don't have evidence of it. Absence of evidence is not necessarily evidence of absence.
There are times when there are multiple possible explanations or where connections are circumstantial. The best approach is to be honest and acknowledge competing possibilities without trying to lock into a 100% yes or no answer if you don't feel comfortable doing so.
Agreed. I had a case recently where I decoded data from infotainment system log files. Upon review of the log data, there was a gap within the entries on a solid 1 month period (which covered the incident timeframe), albeit other data from that period was on the system still.
Because the log data was missing, it was indicated to me that the owner of the vehicle must have done this. In reality, there could be a whole host of reasons… from retention periods of logs, log files maxing out their size, to user actions, to faults within the system. I simply suggested various reasons from my experience of what I have encountered on other systems; however it was not possible to narrow it down 100% despite testing.
There is only one answer for this: EVIDENCE IS MISSING!
When in the world will the digital forensic experts and analysts learn not to play with other people's lives based on their (not so sure) assumptions?!
This whole "confidence scale" around digital evidence is bullsh!t, it should be deleted forever from FF, it has only negative effects.
I'm quiet on this topic from now on.
I am unable to see where you came to such a conclusion as to the OP's intent and then using it as a means to smear everyone else in general. He is clearly trying to discern how to do things better, which is the exact opposite of your unhelpful rant. How about explaining what these "negative effects" are so the OP and the others engaging in discussion here actually have a real critique to process?
If I may, when it comes to things for which there is not a definite proof, the duck test
If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck.
remains valid, BUT ONLY in the slightly amended version by Douglas Adams
If it looks like a duck, and quacks like a duck, we have at least to consider the possibility that we have a small aquatic bird of the family Anatidae on our hands.
More specifically, if it is undeniable that a given behaviour (let's say writing a MS Word document containing the word "palimpsestuous", saving it, copying it on a USB stick and then deleting it from the internal hard disk) leaves a specific, known, set of traces *like*
1) some metadata in the actual file (found on a USB stick)
2) a temp file of some kind (on the internal disk)
3) a deleted record in the $MFT (or similar) for that file (filename) (on the internal disk)
4) fragments of text corresponding to the contents of that file in unallocated space (on the internal hard disk)
5) some entry in some system log recording activity in Word in the exact date/time of the creation of the file
6) some entry in some system log about the connection at the exact date/time of the saving of the file of a USB device with the same serial/UUID/whatever as the USB stick at hand
IF ALL 6 the above are found and match, we have undeniably 100% proof.
IF we ONLY have 1, 2 and 3 or ONLY 1,3 and 4 maybe we have as well if not 100%, at least 99% proof.
IF we have ONLY 1, 5 and 6 then we definitely don't have 100% nor 99% proof but we do have enough data to highlight the coincidences (particularly if the MS Word program is actually very rarely used on the machine) and consider the possibility that the document was written on that machine.
AND IF we find that internet history is showing web searches for palimpsest and palimpsestuous around the time the document was created/saved THEN we may have enough to state that it is highly probable that the document was written on that PC.
jaclaz
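The six-trace scenario above can be written down as an ordered rule table so the reasoning is explicit and repeatable. This is an added illustration, not code from the post or from any forensic tool; the trace labels, rule order and confidence wording are assumptions based on the post, and a set of traces that matches no rule is reported as insufficient information rather than as proof that nothing happened.

```python
# Trace identifiers as numbered in the post (labels are assumptions).
TRACES = {
    1: "file metadata on the USB stick",
    2: "temp file on the internal disk",
    3: "deleted $MFT record for the filename on the internal disk",
    4: "text fragments of the document in unallocated space",
    5: "system log: Word activity at the file's creation time",
    6: "system log: USB device with matching serial at save time",
}

# Ordered rules: most demanding combination first, so a richer finding
# is never downgraded by a weaker rule that it also satisfies.
RULES = [
    ({1, 2, 3, 4, 5, 6}, "conclusive: all six traces found and matching"),
    ({1, 2, 3}, "very strong (at least 99%)"),
    ({1, 3, 4}, "very strong (at least 99%)"),
    ({1, 5, 6}, "possible: coincidences worth highlighting"),
]

def assess(found: set[int], web_history_corroborates: bool = False) -> str:
    """Map the set of traces actually found to a confidence statement.

    web_history_corroborates: True if browser history shows searches for
    the document's unusual term around the creation/save time.
    """
    unknown = found - TRACES.keys()
    if unknown:
        raise ValueError(f"unknown trace ids: {sorted(unknown)}")
    for required, label in RULES:
        if required <= found:
            # The post raises the 1/5/6 case to "highly probable" only
            # when the web searches corroborate the timing.
            if required == {1, 5, 6} and web_history_corroborates:
                return "highly probable: web searches corroborate timing"
            return label
    # No combination matched: the traces are absent, but nothing found
    # contradicts the hypothesis either, so say so rather than deny it.
    return "insufficient information: absence of evidence is not evidence of absence"

def missing(found: set[int]) -> list[str]:
    """List the traces one would expect but did not find, for the report."""
    return [TRACES[i] for i in sorted(TRACES.keys() - found)]
```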
Some interesting points.
Jaclaz, your point above is a scenario where a scale of confidence surely would be of benefit. How we quantify value, I don't know yet. But as you say, there are clear degrees of being able to say something is there/not there.
Passcode, you only answer 'evidence is missing'. Surely the very phrase is misleading and suggests that there has been some form of malicious/intentional removal of evidential content. Do you mean data to support the hypothesis is missing?
Trewmte - thanks for your input, this is something that I had not considered.
I think the problem we have is not using a scale of confidence but defining one properly so we can use it suitably in DF… or at least those are just my thoughts anyway. If you are asked to give your opinion on something (which does happen), then surely the strength of your opinion should in some way be quantified.
Hi all,
Sorry to bring this back to life, but I have still been picking away at this and have come up with the following 'scale'.
I tried to upload the image on FF but it wouldn't let me, so the image is just hosted on my Google Drive. I know people including me aren't keen on clicking links, but I've been a member here for over 10 years; the link is legit :D
I guess it's maybe less of a scale and more of a clarification of language? Not sure anyway, but wanted to throw it out there for you guys to comment on if you wish.
I still believe that the order is "wrong".
The two extremes are (should be logically)
1 Conclusive Fact (i.e. proof that something happened and could ONLY happen in a given way/sequence/method or with a given cause)
and
5 Impossible (i.e. proof that something did NOT happen or that could not possibly happen in any known way/sequence/method or with a known cause).
#6 Insufficient information should be between #3 Conceivable and #4 Implausible; as I see it, "Insufficient information" is "neutral" between the two above mentioned extremes.
jaclaz
Good point, I agree with you. Thanks for your input.
I guess my question is: is such a scale big enough to accurately describe the potential outcomes, or does it need a greater number of steps? My gut instinct is that it would be detrimental to be more fine grained than I already have…
Curiously, does anyone actually think it would support the delivery of expert evidence regarding opinion?