24.4 Summary


The filtering process described in this chapter is superior to a less formalized analysis because all potentially useful data are extracted for examination. Less methodical approaches, such as searching for specific keywords or extracting only a limited set of file types, may miss other important clues. Additionally, comparing the lists of filtered files produced by different tools often highlights discrepancies, such as incorrect MD5 calculations for some files, or deleted files recovered by one tool and not the other. This type of tool validation is recommended for all cases to ensure that the maximum amount of useful data is extracted and that the examiner can explain any discrepancies between tools if the issue arises (e.g., in court).

Although the filtering process will enable investigators to gain a more complete understanding of the body of digital evidence, this is only the first stage in a thorough forensic analysis. Questions should arise in the investigator's mind while reviewing the evidence and, to answer these questions, it is usually necessary to examine specific aspects of the suspect systems. As discussed throughout the Handbook, there are many other system artifacts that can be useful in an investigation.

Each approach to filtering data has its advantages, and most examiners will find it desirable to combine command-line and GUI approaches.

As a final stage in the filtering process, it is advisable to Bates number the files in the working directory, for instance using the Maresware bates_no utility as follows:

    bates_no -p [path to source] -b [beginning bates number] -o [path\name of output log] -R -i -v
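The two practices this section recommends, cross-checking the filtered file lists of two tools and then Bates numbering the reconciled set, can be scripted. The following is an added example, not code from the book or from Maresware; the tool listings, the file contents and the "DEF" Bates prefix are constructed, and the tool names are hypothetical.

```python
import hashlib

# Constructed file listings as two hypothetical tools might report them after
# filtering: path -> MD5 hex digest. Not real tool output.
TOOL_A = {
    "docs/memo.doc": "9e107d9d372bb6826bd81d3542a419d6",
    "docs/budget.xls": "e4d909c290d0fb1ca068ffaddf22cbd0",
    "unallocated/deleted1.jpg": "5d41402abc4b2a76b9719d911017c592",  # carved by A only
}
TOOL_B = {
    "docs/memo.doc": "9E107D9D372BB6826BD81D3542A419D6",  # same digest, upper case
    "docs/budget.xls": "00000000000000000000000000000000",  # B miscomputed this one
    "unallocated/recovered2.jpg": "d41d8cd98f00b204e9800998ecf8427e",  # carved by B only
}
# Constructed content of the extracted files, used to recompute digests independently.
EXTRACTED = {
    "docs/memo.doc": b"The quick brown fox jumps over the lazy dog",
    "docs/budget.xls": b"The quick brown fox jumps over the lazy dog.",
}

def compare_listings(a, b):
    """Report files seen by only one tool and files whose digests disagree."""
    shared = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "hash_mismatch": sorted(p for p in shared if a[p].lower() != b[p].lower()),
    }

def explain_mismatch(path, a, b, extracted):
    """Recompute MD5 from the extracted bytes so the examiner can say which tool is wrong."""
    actual = hashlib.md5(extracted[path]).hexdigest()
    return {"path": path, "actual_md5": actual,
            "tool_a_correct": a[path].lower() == actual,
            "tool_b_correct": b[path].lower() == actual}

def bates_number(paths, start, prefix="DEF", width=6):
    """Assign sequential Bates numbers to the reconciled file set; return log rows."""
    return [(f"{prefix}{n:0{width}d}", p) for n, p in enumerate(sorted(paths), start)]

def validate(a=TOOL_A, b=TOOL_B, extracted=EXTRACTED, start=1):
    """Full pass: discrepancies, their explanation, and a Bates log over the union."""
    report = compare_listings(a, b)
    report["explained"] = [explain_mismatch(p, a, b, extracted) for p in report["hash_mismatch"]]
    report["bates_log"] = bates_number(set(a) | set(b), start)
    return report
```

The Bates log rows pair each number with a path, which is the record an examiner would keep alongside the tool outputs to account for every file in the working directory.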


Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279