Horsman, Graeme2024-08-062024-08-062024-07-25Horsman G. (2024) Understanding and comparing digital traces. Australian Journal of Forensic Sciences, Available online 25 July 20240045-0618https://doi.org/10.1080/00450618.2024.2381535https://dspace.lib.cranfield.ac.uk/handle/1826/22727Digital forensic practitioners will encounter digital traces during their examinations which they must take steps to understand. This may involve trying to attribute an ‘activity’ to a trace (what created it) or determine where it came from (its ‘source’) – Trace-to-Activity/Source interpretation. Alternatively, they may need to determine if an activity has taken place on a system by identifying traces denoting it – Activity-to-Trace interpretation. In both instances, practitioners may need to conduct tests and/or identify research which will help them understand a trace, and compare any results of their testing/research to the traces in their casework. This work describes both the Trace-to-Activity/Source and Activity-to-Trace interpretive journeys, as well as the steps contained in both. In addition, six ‘trace comparison criteria’ are proposed and discussed to help those carrying out a trace comparison, notably: ‘trace location’, ‘trace structure’, ‘trace examination method’, ‘trace metadata’, ‘trace content’, and ‘trace context’.enAttribution 4.0 Internationalhttp://creativecommons.org/licenses/by/4.0/Digital forensicsdigital tracedigital evidencetestinginterpretationArticle1834-562X