Skip to content
Licensed Unlicensed Requires Authentication Published by De Gruyter Oldenbourg December 1, 2015

What is essential data in digital forensic analysis?

Felix C. Freiling, Jan C. Schuhr and Michael Gruhn

Abstract

In his seminal work on file system forensic analysis, Brian Carrier defined the notion of essential data as “those that are needed to save and retrieve files.” He argues that essential data is therefore more trustworthy, than other data in the system since it has to be correct in order for the user to use the file system. In many practical settings, however, it is unclear whether a specific piece of data is essential because either file system specifications are ambiguous or the importance of a specific data field depends on the operating system that processes the file system data. We therefore revisit Carrier's definition and show that there are two types of essential data: While strictly essential corresponds to Carrier's definition, partially essential refers to application specific interpretations. We further provide an opinion regarding the legal usefulness of our definition.

Acknowledgement

We would like to thank Andreas Dewald for helpful input to the formalization of the problem and additional input to this work.

Received: 2015-4-7
Revised: 2015-9-25
Accepted: 2015-9-30
Published Online: 2015-12-1
Published in Print: 2015-12-28

©2015 Walter de Gruyter Berlin/Boston

Scroll Up Arrow