The main issue is that the concept of a 'date' exists in multiple places within a single PC:
- File creation / modification / last access
- Visit to a website
- The last time a particular registry key was accessed
- When a particular USB stick was last used on the PC
- When a photograph was taken
By writing a system capable of looking inside files and, in doing so, mapping out the dates associated with any particular object, it should be possible to create a 'forensic timeline' of the usage of that computer. This timeline will never be complete and may at times be inaccurate, but as long as these limitations are known and handled it will still be a useful tool in the investigator's arsenal.
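As an added illustration (not code from this post or from CyberForensics TimeLab), the sketch below merges timestamps from four of the sources listed above into one UTC-ordered timeline and records a caveat where a source is known to be unreliable. The artefact names, sample values and the `exif_offset_hours` parameter are constructed for the example. The registry entry uses the key's last-write time, which is the timestamp Windows stores per key.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Event:
    when: datetime    # normalised to UTC
    source: str
    artefact: str
    action: str
    caveat: str = ""  # known limitation of this timestamp, if any

def parse_exif(text, offset_hours):
    # EXIF DateTimeOriginal is camera-local time with no zone;
    # the offset is the examiner's assumption, not recorded data.
    local = datetime.strptime(text, "%Y:%m:%d %H:%M:%S")
    return (local - timedelta(hours=offset_hours)).replace(tzinfo=timezone.utc)

def to_utc(fmt, value, exif_offset_hours=0):
    """Convert one raw timestamp to (UTC datetime, caveat)."""
    if fmt == "unix":      # seconds since 1970-01-01 UTC
        return datetime.fromtimestamp(value, tz=timezone.utc), ""
    if fmt == "filetime":  # Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
        return EPOCH_1601 + timedelta(microseconds=value // 10), ""
    if fmt == "webkit":    # Chrome history: microseconds since 1601-01-01 UTC
        return EPOCH_1601 + timedelta(microseconds=value), ""
    if fmt == "exif":
        caveat = f"camera clock assumed UTC{exif_offset_hours:+d}"
        return parse_exif(value, exif_offset_hours), caveat
    raise ValueError(f"unknown timestamp format: {fmt}")

# Constructed sample artefacts: (source, artefact, action, format, raw value)
SAMPLE = [
    ("browser", "http://example.com/", "visited", "webkit", 12906823800000000),
    ("exif", "IMG_0001.JPG", "photo taken", "exif", "2010:01:01 13:45:00"),
    ("filesystem", "report.doc", "modified", "unix", 1262349000),
    ("registry", "USBSTOR\\<device>", "key last written", "filetime",
     129068232000000000),
]

def build_timeline(raw, exif_offset_hours=0):
    events = []
    for source, artefact, action, fmt, value in raw:
        when, caveat = to_utc(fmt, value, exif_offset_hours)
        events.append(Event(when, source, artefact, action, caveat))
    return sorted(events, key=lambda e: e.when)

if __name__ == "__main__":
    for e in build_timeline(SAMPLE, exif_offset_hours=1):
        print(e.when.isoformat(), e.source, e.action, e.artefact, e.caveat)
```

Changing `exif_offset_hours` from 1 to 0 moves the photograph from before the website visit to after it, which is why the assumption travels with the event as a caveat instead of being silently applied.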
Others have also realised this; Olsson and Boldt have documented the development process behind CyberForensics TimeLab in Digital Investigation. However, their software is still very much a prototype with a basic user interface and a lack of output options; these elements alone are ripe for improvement.