Understanding and comparing digital traces

Bibliographic Details
Published in Australian journal of forensic sciences Vol. 57; no. 4; pp. 481 - 491
Main Author Horsman, Graeme
Format Journal Article
Language English
Published Taylor & Francis 04.07.2025
Summary: Digital forensic practitioners will encounter digital traces during their examinations which they must take steps to understand. This may involve trying to attribute an 'activity' to a trace (what created it) or determine where it came from (its 'source') - Trace-to-Activity/Source interpretation. Alternatively, they may need to determine if an activity has taken place on a system by identifying traces denoting it - Activity-to-Trace interpretation. In both instances, practitioners may need to conduct tests and/or identify research which will help them understand a trace, and compare any results of their testing/research to the traces in their casework. This work describes both the Trace-to-Activity/Source and Activity-to-Trace interpretive journeys, as well as the steps contained in both. In addition, six 'trace comparison criteria' are proposed and discussed to help those carrying out a trace comparison, notably: 'trace location', 'trace structure', 'trace examination method', 'trace metadata', 'trace content', and 'trace context'.
ISSN: 0045-0618, 1834-562X
DOI: 10.1080/00450618.2024.2381535