Each person has a standalone and unique life (hopefully!). Many of us have a huge fantasy. Is that a sin? No, it is not! Let people think what they want; it will change nothing if you don't let them )
Overestimating forensic capabilities is not a problem, move on and please close this useless topic!
Really interesting point regarding OS artifacts. Do you think there are any Windows (for example) artifacts that we (DF) currently do not understand?
That question is (or should be) best answered not by an appeal to practitioners but to researchers: what areas in this 'scientific field' (misnomer, but I can't find a better one immediately) of digital forensics are not sufficiently well researched? Where are the black-outs?
If there are such under-researched areas, those are the windows you're asking about.
A related area may be that forensic experts just aren't good enough. The FBI hair evidence mess seems to point very strongly in that direction, but just could be limited to that institution, and the respect it generally commands. Garrett's identification of 61% rate of incorrect forensic evidence in the exoneration cases he researched also suggests that overestimation is not restricted to the public in general.
Does any of that apply to digital forensics?
One possibly problematic area identified by the 2009 report on the state of forensics in the US was that it often was unclear just where the line was drawn between investigative work and forensic work in digital forensics. I still have a question mark in the margin of my copy: what are they referring to? Haven't seen – or can't remember – that kind of division in any of the sources I've read. Is there some kind of reality check or separation of duties missing? But if investigators also are their own forensic experts, … overestimation may be a result.
Really interesting point regarding OS artifacts. Do you think there are any Windows (for example) artifacts that we (DF) currently do not understand?
That question is (or should be) best answered not by an appeal to practitioners but to researchers: what areas in this 'scientific field' (misnomer, but I can't find a better one immediately) of digital forensics are not sufficiently well researched? Where are the black-outs?
If there are such under-researched areas, those are the windows you're asking about.
This is the hard part, and to be honest, it links a little bit to my other post in academia links. I think at the moment, understanding what isn't well researched is difficult due to a bit of a disconnect, and I'm not sure it filters through to academia to pursue the challenge.
Say for example, if I said here: "name the 3 most troublesome areas which were not well understood and needed further research"
I would suspect that my 3 would be very different to everyone else's, and then everyone else's to everyone else's. I also think context of the issue can help, but also a lack of it poses an issue.
For example, Keydet89's post: I would never have assumed that DF has any significant issues with the interpretation of data on Windows systems, so would never think to pursue significant investigation of these platforms. However, this assumption seems incorrect in light of Keydet89's comments.
I think at the moment, understanding what isn't well researched is difficult … .
Perhaps I'm too simple-minded. It seems it would be a question of doing an inventory of peer-reviewed forensic research reports and mapping their coverage. Not blogs, not forum postings.
Or perhaps do the reverse: take some big-selling textbook on digital forensics, take each of the conclusions it says can be made from some set of observations, trace that back to the research it is based on, and evaluate it and its reliability.
Say for example, if I said here: "name the 3 most troublesome areas which were not well understood and needed further research"
Most troublesome, I don't know. But take Word document time stamps (i.e. Word metadata). Under normal circumstances, they follow file time stamps well, so no problems.
But then once in a while you come across a situation when they don't. Yes, it could be an indication of time stamp forgery. But could it be an indication of something more innocent?
New software releases, involving document conversion that just might go bad, and get a wrong timestamp in the 'created time' field? (EnCase did something like that once…) How about a move from another word processor (say, something like Microsoft Works, or Electric Pencil) for which format conversion isn't 100% correct? Error recovery behavior – happens now and then when a document has been damaged, and most Word users have encountered it, but who has researched how it affects basic DF data?
I do know that when a particular version of Word converts a document from some other WP formats into Word, if those documents don't have their own metadata time stamp, Word takes today's date, making it look as if the document was created today. I don't know if it's true for any other combination of factors.
And that's Word for Windows. What about Word for Mac? Or any of the other platforms Word runs or has run on?
That's missing research right there: we have something close to a dozen Word platforms, and perhaps equally many Word releases. And that's just Word; then we have all the conversions, by Word itself, or by some other tool: Works, WordPerfect, etc.
Not to mention the applications that excrete Word-format files: OpenOffice, LibreOffice, AbiWord, AEdit, … . Can we distinguish those from 'real' Word documents? Or might we look at a Windows system, see a .docx file, and interpret its metadata as if it was the latest Word that created the file?
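The post above raises two checkable questions about a .docx found on a Windows system: do its embedded timestamps line up with the file system timestamps, and did Word actually write it? The script below is an added example (not code from the thread or from any forensic tool) that pulls the creator/created/modified fields from docProps/core.xml and the Application/AppVersion fields from docProps/app.xml, then compares them with the file's mtime and reports observations an examiner would still have to explain (a conversion, a non-Word producer, or something less innocent). The sample documents it builds are constructed in memory and carry only the two property parts; the "Microsoft" prefix test and the five-minute tolerance are heuristics chosen for the example, not a standard.

```python
"""Cross-check embedded .docx (OOXML) metadata against file system timestamps."""
import io
import os
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def _parse_w3cdtf(text):
    """dcterms dates are W3CDTF (e.g. 2015-03-01T10:22:00Z); naive values are treated as UTC."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def read_docx_props(data):
    """Return creator/created/modified/application/app_version from the bytes of a .docx."""
    props = {"creator": None, "created": None, "modified": None,
             "application": None, "app_version": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            el = core.find("dc:creator", NS)
            props["creator"] = el.text if el is not None else None
            for key in ("created", "modified"):
                el = core.find(f"dcterms:{key}", NS)
                props[key] = _parse_w3cdtf(el.text) if el is not None and el.text else None
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            el = app.find("ep:Application", NS)
            props["application"] = el.text if el is not None else None
            el = app.find("ep:AppVersion", NS)
            props["app_version"] = el.text if el is not None else None
    return props


def cross_check(props, fs_mtime_epoch, tolerance=timedelta(minutes=5)):
    """Compare embedded metadata with the file system mtime (POSIX seconds, as from os.stat).

    Returns a list of observation tags; each one needs an explanation, not a conclusion.
    """
    findings = []
    fs_mtime = datetime.fromtimestamp(fs_mtime_epoch, tz=timezone.utc)
    if props["application"] is None:
        findings.append("no_app_properties")          # app.xml missing: producer unknown
    elif not props["application"].startswith("Microsoft"):
        findings.append("non_word_application")       # heuristic: other producers write their own name
    created, modified = props["created"], props["modified"]
    if created and modified and modified < created:
        findings.append("modified_before_created")
    if created and modified and created == modified:
        findings.append("created_equals_modified")    # single save, or metadata reset by a conversion
    if modified and modified - fs_mtime > tolerance:
        findings.append("metadata_modified_after_fs_mtime")  # the on-disk copy predates its own last save
    return findings


def check_file(path, tolerance=timedelta(minutes=5)):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        props = read_docx_props(fh.read())
    return props, cross_check(props, os.stat(path).st_mtime, tolerance)


def build_sample_docx(created, modified, application, creator="analyst"):
    """Constructed minimal .docx (not real Word output) carrying only the two property parts."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dc:creator>{creator}</dc:creator>'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Properties xmlns="{NS["ep"]}"><Application>{application}</Application>'
        '<AppVersion>16.0000</AppVersion></Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: written by Word, mtime five seconds after the last embedded save.
    ok = build_sample_docx("2015-03-01T10:22:00Z", "2015-03-01T10:40:00Z", "Microsoft Office Word")
    print(cross_check(read_docx_props(ok), 1425206405.0))          # []
    # Constructed sample: non-Word producer, created == modified, and an mtime a month earlier.
    odd = build_sample_docx("2015-03-01T10:40:00Z", "2015-03-01T10:40:00Z",
                            "LibreOffice/7.3.7.2$Linux_X86_64 LibreOffice_project/30")
    print(cross_check(read_docx_props(odd), 1422748800.0))
```

Point it at a real file with `check_file(path)`. The tags are deliberately neutral: a created-equals-modified pair plus a non-Word Application string is exactly what a conversion or a re-save by another suite produces, which is the innocent explanation the post asks about, and the same pattern also shows up in forgery; the script only tells you which documents to look at more closely.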