I would need advice about a practical naming convention for digital evidence (and perhaps for cases as well).
How to name the images to get them well organized (names should be short but meaningful…)
Can you elaborate a little more? Are you about digital photographs?
PS Wo in .at bistn?
If you are talking about forensic imaging naming conventions, choose a convention and be consistent. If you change the naming conventions, at least keep consistency within each case.
Sample naming conventions could be;
Custodian or suspect name (or first 5 letters of last name; SMITH.001)
Client or company name (or first 5 letters, ABC.001)
Case name/number with sequential numbering (ABCcorp001.001)
Serial number of the physical hard drive (or last 5 characters)
Combination of any of these (such as last name and serial number- SMITH45877.001)
Sample case naming convention could be;
Year + sequential numbering (2010-0001)
Client + sequential numbering (ABC 0001)
Client's case name plus your internal number (ABC 2010-0001)
One of the drawbacks of using a client's name in any naming convention is that sometimes the client changes in a case, such as when a law firm is replaced by another firm. If you have named anything using the previous client's name, it'll be confusing to change it mid-case. With using custodian's names, you may not know who the custodian is, or if you use a suspect's name, maybe the suspect will change to another person. Using the physical hard drive serial will never change.
We use the format <DATE>.<MEDIA ID>.001 when naming images. The MediaID is just a unique alpha-numeric code that corresponds with the collection documentation which contains all of the details on what was collected - custodian/serial numbers/etc.
@bshavers
Thank you for your suggestions, that helps to get started. I am wondering if it would make sense to include kind of an abbrevation of the type of media (Harddisk, USB-drive, SD-Card etc.) in the image name ?
@ForensicRanger
I'm talking about digital copies of Harddisks, USB-Drives etc., not photographs
(Ich sitz in Wien …)
@isth
I was thinking about something like that, it would be clean and straightforward - but the drawback is that you can't distinguish to what case an image belongs without doing a lookup in the documentation.
One of the drawbacks of using a client's name in any naming convention is that sometimes the client changes in a case, such as when a law firm is replaced by another firm. If you have named anything using the previous client's name, it'll be confusing to change it mid-case. With using custodian's names, you may not know who the custodian is, or if you use a suspect's name, maybe the suspect will change to another person. Using the physical hard drive serial will never change.
I don't see this as a drawback and should be a system which is used. If you start a case with F. Lee Bailey and all files are named reflecting that, and then are hired by Robert Shapiro, you should copy the original files (not the ones with work done, and rename those to reflect Shapiro. That provides a point of reference for any work forward from that point, you will know that previous to Nov 6 I would look in Bailey, after that I would look in Shapiro, also helps with discovery, many times requests are made wanting all discovery in a case by a specific attorney or portion of the case, there is no work product for Shapiro as it just started, but there is a lot from Bailey.
That has worked well for me in the past.
I have always been a proponent of the KISS method. I use a simple case number (two digit year-sequential number) + a device number & media number.
10-02-PC1HD1.001
I keep a table telling me what PC1 is. HD1 is the first disk out of the system, HD2 would be the second and so on.
Case number (date of commencement of case in reverse order) + Sequence letter + exhibit sequence number + drive indicator (only if more than one drive in the exhibit).
So 2010-11-06-A-1-HD1.
Case commenced today, first case commenced today, first exhibit in the set, first hard drive in the exhibit.
All information identify the exhibit is in the image log file, case notes, and exhibit CoC doc.
I used to use a naming system similar to Mike's when I was in a govt lab.
I use a project name, a sequence number, then the custodian. If the computer had more than 1 drive I append that. I keep the acquisition logs and photos in the same folder as the image, so there is no reason for me to store the date in the file name, also, the last mod time of the image is usually good enough.
Example if I am at ACME Corp imaging Mike Smiths desktop.
ACME001_Mike_Smith_Desktop_Drive_1of2.E01
I don't case how many times the project changes hands, it will always be Mike Smiths computer from ACME.
The problem for me with naming images after dates, case numbers, and serial numbers, is that it is completely meaningless to me when looking at old images. I always need a case file or some other reference notes when a serial number or case ID is used.
For me it is now
<case>.<evidence item #>
If the evidence item is a subset of an other item, I further dot it.
for example an HDD as item 001, then the second file set that I extracted would be 001.002, therefore the name would be ABCD.001.002
I have a collected item list with details, but 001.002 would immediately tell me that set of files come from something else, not a direct source. D