Forensics Digital Evidence/Forensics and the Research Paper

Download this Research Paper in word format (.doc)

Note: Sample below may appear distorted but all corresponding word document files contain proper formatting

Excerpt from Research Paper:

This phase is described by Carrier as the phase where we "...use the evidence that we found and determine what events occurred in the system" (Carrier, 2005).

2.2. The United States Department of Justice's (USDOJ) digital forensic analysis methodology

The second methodology under review in this paper has been put forward by the United States Department of Justice. This consists of four basic phases: collection, examination, analysis and reporting (Shin, 2011). More specifically, stages of this digital forensic methodology are comprised of the following central aspects. Firstly, there is the obtaining of the data, followed by the forensic request; the preparation and extraction phases; identification and finally analysis and forensic reporting leading to case level analysis (DIGITAL FORENSIC ANALYSIS METHODOLOGY).

The preparation and extraction phase is characterized by the examiner's question as to whether there is sufficient information to proceed and to ensure that there is sufficient data available to answer the request or requests that might be made in the investigation (Carroll et al.). The duplication of forensic data is also part of this process, as well as the verification of its integrity. This process assumes that " enforcement has already obtained the data through appropriate legal process and created a forensic image" ( Carroll et al.). After verification and integrity testing, the process of extracting the data is begun.

The identification process refers to the rigorous identification of the forensic evidence in terms in the extracted data list. However, if the forensic examiner encounters incriminating items of evidence which are outside the original search warrant, the recommendation is that activity is halted and the authorities notified. (Carroll et al.). An example given is: "law enforcement might seize a computer for evidence of tax fraud, but the examiner may find an image of child pornography" (Carroll et al.). This is an important aspect as it indicates that this methodology is extremely flexible and takes into account context and content outside the initial prescribed parameters.

The analysis phase is all important to the forensic process. In this phase, "...examiners connect all the dots and paint a complete picture for the requester"(Carroll et al.). Part of this process is the correlating of relevant data with questions such as what was the original and other relevant questions that provide insight into the investigation. This phase has been critiqued in this methodology as being "... improperly defined and ambiguous" ( Shin, 2011).

3. Comparisons and Evaluations

Carrier's model or methodology plays considerable attention to data integrity. This is evident for instance the correlation process where data is correlated with various outside sourced in order to prevent forgery or inaccurate forensic data.

If we compare these two methodologies in terms of heading such as evidence integrity, management of lead information and evidential context, we find that

Carrier's Methodology is useful from a number of perspectives. Carrier places emphasis on the initial investigatory process and the identification and verification of data. As Carrier states in an article entitled Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers (2002), " As with any investigation, to find the truth one must identify data that: Verifies existing data and theories (Inculpatory Evidence), Contradicts existing data and theories (Exculpatory Evidence)" ( Carrier, 2002). This focuses on identification and analyse in this methodological model.

The United States Department of Justice's digital forensic analysis methodology is more broadly designed and seems to be more focused on procedural details and protocols and also tends to be more meticulous in terms of guidelines. This is evident in some degree in the preparation and extraction phase of the methodology. It could be argued that this methodology is therefore more effective and integrated in terms of management of information.

Another important difference that is evident in the literature on this methodology is that it could be argued that the USDOJ digital forensic analysis methodology tends to be more concerned with context. This is clear if we compare the identification process and the attention given to the extracted data list and to any other leads that may surface in the process of identification and in comparison to the extraction list. For example,

Depending on the stage of a case, extracted and identified relevant data may give the requester enough information to move the case forward, and examiners may not need to do further work. For example, in a child pornography case, if an examiner recovers an overwhelming number of child pornography images organized in user created directories...

(Carroll et al.).

A close comparison of the various aspects reveals as well that there are possibly more similarities than dissimilarities between the two methodologies.


As s has been noted by Shin (2011) above, it is asserted that many modern digital forensic methodologies are lacking with regard to the classification of cyber crime and in relation to psychological profiling investigation methods. This also refers to aspects of both methodologies that have been discussed. In summation however it should also be pointed out that both these methodologies adequately cover the field of computer and digital forensics and that both provide useful frameworks for collection data, data integrity, analysis and legal considerations.

We could suggest that Carrier's methodology and model tends to lean more towards the investigative and computer orientated aspects of digital forensics, while the forensic model provided by the United States Department of Justice is more inclusive and also seems more deeply concerned with procedural process and patterns and the important aspect of context. Another suggestion is that the United States Department of Justice would be more expensive and time consuming to implement because of its extensive protocols and detailed procedures.

While both these methodologies may have shortcomings, they can be seen as part of the natural evolution towards as more comprehensive set of methods and parameters for contemporary digital forensic investigation and analysis. One should also take into account that there are a number of newer models and methodologies that have emerged which attempt to provide a more inclusive and comprehensive coverage of the different variables. Shin ( 2011) for example discusses a more comprehensive methodology . This proposed model contains the following phases.

a readiness phase consulting with profiler cyber crime classification

Investigation priority decision damaged cyber crime scene investigation analysis by crime profiler suspects tracking, cyber crime logical reconstruction report writing.

( Shin, 2011) .

In the final analysis, while there may be more comprehensive emerging methodologies, those put forward Carrier and the United States Department of Justice should be seen as valuable contribution to the advancement and evolution of forensic methods of investigation and legal procedure.


. Brian Carrier ( 2002) Defining Digital Forensic Examination and Analysis Tools Using

Abstraction Layers. Retrieved from

This study discusses the link between digital forensic analysis tools and their use in a legal setting. The article provides insight into the necessary methodologies used to meet evidentiary and legal demands.


This is a very useful chart of the digital analysis methodology employed by the United States Department of Justice's (USDOJ. The graphic explanation is fairly comprehensive and detailed.

Carrier B. ( 2002) Open Source Digital Forensics Tools: The Legal Argument.

Retrieved from

This is a useful article for a number of reasons. The first is that it sheds light on the thinking behind Carrier's methodological process. Secondly, it discusses the issue of effectiveness and reliability in digital forensic investigations and the possibility of legal challenges to this aspect of reliability.

Carrier B. ( 2005) File System Forensic Analysis. Retrieved from

This is a comprehensive and detailed study on the subject. This work also has a comprehensive introduction and overview section, which sheds light on the topic under discussion. The first section on Digital Investigation Foundations was especially useful as background to the understanding of the methodological procedures involved. This section also outlines the digital crime investigation process.

Carrier B. ( 2006). Basic Digital Forensic Investigation Concepts. Retrieved from

This study is a short but insightful insight into the forensic investigative process by Carrier. This article refers to certain fundamental views and concepts that underlie his digital forensic methodology.

Cohen F. Fundamentals of Digital Forensic Evidence. Retrieved from

This study provides an excellent introduction to the subject and is useful as a general resource in terms of the legal aspects of digital forensics. The Introduction and overview are especially extensive and useful as a fundamental resource. The section entitled The Legal Context provides a concise but thorough overview of the various processes as well as legal limitations.

Carroll O. et al. ( 2008). Computer Forensics: Digital Forensic Analysis Methodology.


This is a succinct but through comparison of digital forensic methodologies. The section entitled Overview of the digital forensics analysis methodology provides some useful insights which contributed to the subject of this paper.

Forensic Examination of Digital Evidence: A Guide for Law Enforcement (2004).

Retrieved from

This article provides an extensive guide to the responsible use…[continue]


  • Computer Forensics Digital Evidence

    Forensics and Digital Evidence Forensics is a discipline which uses standardized techniques to pull apart an event, analyze what happened, and find a more accurate conclusion to the data analysis than just witness testimony. For centuries, lacking even rudimentary techniques like fingerprinting or blood type analysis, the legal system relied on confessions and witness testimony. We may turn to Ancient Greece for one of the first recorded examples of a type

  • Benchmarking Key Loggers for Gathering Digital Evidence on Personal...

    Benchmarking Keyloggers for Gathering Digital Evidence on Personal Computers Keyloggers refers to the hardware or software programs, which examine keyboard and mouse activity on a computer in a secretive manner so that the owner of the computer is not aware that their actions are monitored. The keyloggers accumulate the recorded keystrokes for later recovery or remotely convey it to the person employing them. Keyloggers aimed to serve as spyware and currently

  • Digital Forensics Technology Why Open

    The rapid development of predictive routing algorithms that seek to anticipate security breaches are also becoming more commonplace (Erickson, 2009). Evidence acquisition through digital forensics seeks to also define preservation of all patterns of potential crime, regardless of the origination point (Irons, 2006). The collaboration that occurs in the open source forensic software industry acts as a catalyst of creativity specifically on this point. There are online communities that

  • Forensics Evidence Elimination Tools the

    DIBS Forensic Workstation - Complete solution for problems faced by investigator of computer crimes; FREDDIE - Forensic recovery of evidence deice diminutive interrogation equipment; EnCASE - Fully integrated forensic application for Windows; and ProDiscover DFT - completely integrated Windows ™ application for the collection, analysis, management and reporting of computer disk evidence. Designed specifically to meet NIST (National Institute of Standards and Technology) standards. (Timberline Technologies, 2005) Harris (2005) states that if anti-forensic

  • Forensic Unit Justification

    Justification of a Forensic Unit Our Agency has just received $3 million grant from the federal government because of the efficient method that the unit employs in running the department. Additionally, the City Council has agreed to continue assisting the unit with additional funding at the end of the three years provided the department is productive and serve the citizens well. However, the department requires presenting a different budget from the

  • Forensic Lab Forensic Crime Labs Are Important

    Forensic Lab Forensic crime labs are important institutions within the criminal justice system and each lab must be up to standard in order for this system to operate at a high and fair level. A good crime lab begins with a good design based on solid fundamentals and thorough planning. The purpose of this essay is to design a digital forensic crime lab that can be used in a university setting.

  • Computer Forensics Case Study

    Computer Forensics The issue at hand involves the examination of a scene from an office space within Widget Corporation. We find that this is the assigned office for a Mr. Didit. The information we have at hand is digital -- a photograph taken from an approximate distance of 3 feet from the occupant's desk. Using the photograph, we find that there are a number of electronic and non-electronic devices and our

Cite This Paper:

"Forensics Digital Evidence Forensics And The" (2011, October 02) Retrieved October 21, 2016, from

"Forensics Digital Evidence Forensics And The" 02 October 2011. Web.21 October. 2016. <>

"Forensics Digital Evidence Forensics And The", 02 October 2011, Accessed.21 October. 2016,

Leave a Comment

Register now or post as guest, members login to their existing accounts to post comment.

Read Full Research Paper
Copyright 2016 . All Rights Reserved