Understanding and comparing digital traces
Abstract
Digital forensic practitioners will encounter digital traces during their examinations which they must take steps to understand. This may involve trying to attribute an ‘activity’ to a trace (what created it) or determine where it came from (its ‘source’) – Trace-to-Activity/Source interpretation. Alternatively, they may need to determine if an activity has taken place on a system by identifying traces denoting it – Activity-to-Trace interpretation. In both instances, practitioners may need to conduct tests and/or identify research which will help them understand a trace, and compare any results of their testing/research to the traces in their casework. This work describes both the Trace-to-Activity/Source and Activity-to-Trace interpretive journeys, as well as the steps contained in both. In addition, six ‘trace comparison criteria’ are proposed and discussed to help those carrying out a trace comparison, notably: ‘trace location’, ‘trace structure’, ‘trace examination method’, ‘trace metadata’, ‘trace content’, and ‘trace context’.