Jump to ContentJump to Main Navigation
Show Summary Details
More options …

it - Information Technology

Methods and Applications of Informatics and Information Technology

Editor-in-Chief: Conrad, Stefan

See all formats and pricing
More options …
Volume 57, Issue 6


What is essential data in digital forensic analysis?

Felix C. Freiling / Jan C. Schuhr / Michael Gruhn
Published Online: 2015-12-01 | DOI: https://doi.org/10.1515/itit-2015-0016


In his seminal work on file system forensic analysis, Brian Carrier defined the notion of essential data as “those that are needed to save and retrieve files.” He argues that essential data is therefore more trustworthy, than other data in the system since it has to be correct in order for the user to use the file system. In many practical settings, however, it is unclear whether a specific piece of data is essential because either file system specifications are ambiguous or the importance of a specific data field depends on the operating system that processes the file system data. We therefore revisit Carrier's definition and show that there are two types of essential data: While strictly essential corresponds to Carrier's definition, partially essential refers to application specific interpretations. We further provide an opinion regarding the legal usefulness of our definition.

Keywords: File system; forensic investigations; operating systems

ACM CCS: Applied computing→Computer forensics; Applied computing→Computer forensics→Evidence collection; storage and analysis; Applied computing→Computer forensics→Investigation techniques; Applied computing→Law; social and behavioral sciences→Law

About the article

Felix C. Freiling

Felix C. Freiling is a professor of computer science at Friedrich-Alexander University Erlangen-Nürnberg (FAU), Germany.

Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), Lehrstuhl für Informatik 1, Martensstr. 3, D-91058 Erlangen, Germany

Jan C. Schuhr

Jan C. Schuhr is a research associate at the institute for criminal law, criminal procedure and criminology at the Friedrich-Alexander University Erlangen-Nürnberg (FAU) and attorney at law. He currently substitutes for the vacant chair of German, European and International Criminal Law and Law of Criminal Procedure, Medical Law and Biolaw at the University of Augsburg.

Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), Lehrstuhl für Strafrecht, Strafprozessrecht und Rechtsphilosophie, Schillerstr. 1, D-91054 Erlangen, Germany

Michael Gruhn

Michael Gruhn is a researcher at Friedrich-Alexander University Erlangen-Nürnberg (FAU) with the focus on forensic computing.

Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), Lehrstuhl für Informatik 1, Martensstr. 3, D-91058 Erlangen, Germany

Revised: 2015-09-25

Accepted: 2015-09-30

Received: 2015-04-07

Published Online: 2015-12-01

Published in Print: 2015-12-28

Citation Information: it - Information Technology, Volume 57, Issue 6, Pages 376–383, ISSN (Online) 2196-7032, ISSN (Print) 1611-2776, DOI: https://doi.org/10.1515/itit-2015-0016.

Export Citation

©2015 Walter de Gruyter Berlin/Boston.Get Permission

Comments (0)

Please log in or register to comment.
Log in