Needle in the Haystack - DF Misconceptions, Part 1

We are all aware that Digital Forensics, like most other fields, has many misconceptions ingrained in its daily work. The immense separation between the technical knowledge and the general public creates an overwhelming disconnect that I believe should be worked on. With the hope of closing this gap, here is a quick answer to a common misconception.


One of the biggest misconceptions I constantly witness is the belief that examiners are meticulously, and blindly, combing through every bit of data on a device. Given the exponentially increasing rate of data generation and storage, doing so would be like trying to find a needle in a haystack. Still, if a non-technical person were given the image of a hard drive, they would most likely peruse every folder and file in the hope of figuring out what happened. The reality is that DF work is much more structured and scientific than this.

Specific digital events leave traces in specific files across the device. These traces (artifacts) can be leveraged to demonstrate that the event occurred. This includes instances of application launch, folder access, browser search history, and so on. By focusing directly on the file(s) or data that an event creates or modifies, you drastically reduce wasted 'evidence hunting' time. This concept may seem complex, but it is really just technical knowledge applied with common sense. When a patient visits an emergency care clinic for an arm injury, the doctor will probably send for an x-ray of the arm. They would not waste time and resources x-raying the patient's leg; it's unnecessary. If you want to find recent search history, it makes no initial sense to go searching through the user's desktop. Instead, it is common sense to begin with the internet-related artifacts on the device: the browser profile directories and the history databases inside them. An examiner who approached the investigation in the unstructured way described in the first paragraph would blow through the case's budget with potentially no findings at all.
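As an added example (it is not code from the original post), the search-history case above in working form. Rather than walking every file on the image, the script goes straight to the artifact that a web search writes: for Chromium-based browsers that is the `History` SQLite database in the user's profile directory (for Chrome on Windows, `AppData\Local\Google\Chrome\User Data\Default\History`). The `urls` table and its WebKit-epoch timestamps (microseconds since 1601-01-01 UTC) are real Chromium conventions; the database built here is a constructed in-memory stand-in with only the columns that matter, and the search-engine parameter map is an assumption that covers a few common engines.

```python
"""Targeted artifact extraction: recent web searches from a Chromium History DB.

Constructed example, not from the original post. The analyst queries one known
artifact (the `urls` table of the browser's History database) instead of
browsing the whole image.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Chromium stores timestamps as microseconds since 1601-01-01 00:00 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumption for this example: hostnames of a few search engines and the query
# parameter that carries the typed search term.
SEARCH_PARAMS = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "duckduckgo.com": "q",
    "search.yahoo.com": "p",
}


def webkit_to_utc(ts: int) -> datetime:
    """Convert a WebKit-epoch microsecond count to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


def utc_to_webkit(dt: datetime) -> int:
    """Inverse of webkit_to_utc, using integer arithmetic to keep microsecond precision."""
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def search_term(url: str):
    """Return the search term if `url` is a known search-results page, else None."""
    parsed = urlparse(url)
    param = SEARCH_PARAMS.get(parsed.netloc.lower())
    if param is None:
        return None
    values = parse_qs(parsed.query).get(param)
    return values[0] if values else None


def recent_searches(conn: sqlite3.Connection, since: datetime):
    """Query only the `urls` table and keep rows that are search-results pages.

    Returns a list of (visit time in UTC, search term, url), newest first.
    """
    rows = conn.execute(
        "SELECT url, title, last_visit_time FROM urls "
        "WHERE last_visit_time >= ? ORDER BY last_visit_time DESC",
        (utc_to_webkit(since),),
    )
    results = []
    for url, _title, ts in rows:
        term = search_term(url)
        if term is not None:
            results.append((webkit_to_utc(ts), term, url))
    return results


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a Chromium History DB (same `urls` columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)"
    )
    base = datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc)
    rows = [  # constructed sample visits
        ("https://www.google.com/search?q=how+to+wipe+a+hard+drive", "wipe - Google", base),
        ("https://example.com/news", "News", base + timedelta(minutes=5)),
        ("https://duckduckgo.com/?q=secure+erase+ssd&t=h_", "secure erase ssd", base + timedelta(hours=1)),
        ("https://www.bing.com/search?q=old+query", "old query", base - timedelta(days=30)),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) "
        "VALUES (?, ?, 1, 1, ?, 0)",
        [(u, t, utc_to_webkit(ts)) for u, t, ts in rows],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_history()
    since = datetime(2023, 4, 25, tzinfo=timezone.utc)
    for when, term, url in recent_searches(db, since):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {term!r}  <- {url}")
```

On a real image you would open a copy of the profile's `History` file with `sqlite3.connect` instead of `build_sample_history()`; the browser keeps the live file locked, and working from the forensic copy rather than the original preserves it. The non-search visit and the visit outside the time window are dropped, which is exactly the scoping the paragraph above describes: one table, one question, no wandering through the desktop.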

Beyond saving time, the investigation's scope may also limit which areas of a device an examiner can look at. If you don't have full access to the device, you can't aimlessly look around at all the data anyway. Given a limited scope, an examiner can still attempt to identify events from the data that is permitted.

Overall, it is safe to say that case analysis is often misunderstood by the average person. Just remember that a forensic analysis is normally performed on a strict budget and therefore demands a planned approach. Only in unusual scenarios will free rein be the best investigative style.
