What is essential data in digital forensic analysis?

Felix C. Freiling 1 , Jan C. Schuhr 1 , and Michael Gruhn 1
  • 1 Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), Erlangen


In his seminal work on file system forensic analysis, Brian Carrier defined the notion of essential data as “those that are needed to save and retrieve files.” He argues that essential data is therefore more trustworthy, than other data in the system since it has to be correct in order for the user to use the file system. In many practical settings, however, it is unclear whether a specific piece of data is essential because either file system specifications are ambiguous or the importance of a specific data field depends on the operating system that processes the file system data. We therefore revisit Carrier's definition and show that there are two types of essential data: While strictly essential corresponds to Carrier's definition, partially essential refers to application specific interpretations. We further provide an opinion regarding the legal usefulness of our definition.

Purchase article
Get instant unlimited access to the article.
Log in
Already have access? Please log in.

Log in with your institution

Journal + Issues