When you watch someone who is new to investigations work a case, one thing that often needs to be explained is that the “smoking gun”, by itself, often isn’t enough. What do I mean by this? Well, not only am I interested in what you found (which is important in its own right) but also in how you found it.
Take, for example, a case where relevant evidence is found in unallocated space. Perhaps the suspect deleted a file that contained relevant evidence. Assume that the file system metadata that kept track of which clusters (or blocks, for EXT2/3) were assigned to the file, and in which order, was overwritten. This means that you’ll have to use a data searching technique (e.g. signature finding, guess and check, etc.) to locate the relevant information. There are a number of different techniques that could be used to arrive at your conclusions. The path you took may very well come under scrutiny, to verify the soundness of your logic. In this scenario, not only is the “smoking gun” evidence important, but how you found the evidence (and knew how to “properly” interpret it) is also important.
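As an added example (not code from the original post), here is a minimal header/footer signature carver run over a constructed raw image. It records, for every hit, not just the carved bytes but the signature used, the byte offsets, the length and a hash, so the path from raw bytes to finding can be reproduced and reviewed, and it flags a header that has no footer within range rather than silently carving it. The signature table and sample bytes are constructed for this example.

```python
import hashlib

# Constructed sample: a raw "disk image" with a small fake JPEG sitting in
# unallocated space between runs of filler. The SOI/EOI markers are the real
# JPEG ones (FF D8 FF ... FF D9); the body is placeholder text, not pixels.
SAMPLE_FILE_BODY = b"\xff\xd8\xff\xe0" + b"JFIF-PLACEHOLDER-PIXELS" + b"\xff\xd9"
SAMPLE_IMAGE = b"\x00" * 512 + b"old data " * 10 + SAMPLE_FILE_BODY + b"\x00" * 300

# Constructed sample with a header but no footer (e.g. partially overwritten).
TRUNCATED_IMAGE = b"\x00" * 16 + b"\xff\xd8\xff\xe1" + b"no footer follows"

# Header/footer pairs for the types this example carves (assumed table,
# not from the post; a real carver would carry many more and size limits).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def carve(image: bytes, max_len: int = 1 << 20):
    """Return one record per header hit, documenting how each was found.

    A record holds: signature name, header offset, end offset (None if no
    footer was found within max_len), carved length and SHA-256 of the
    carved bytes. Keeping these alongside the bytes is what lets a reviewer
    re-run the same search and arrive at the same artefact.
    """
    records = []
    for name, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_len)
            if end == -1:
                # Header without a footer in range: log it, carve nothing.
                records.append({"type": name, "offset": pos, "end": None,
                                "length": None, "sha256": None})
                pos = image.find(header, pos + 1)
                continue
            stop = end + len(footer)
            data = image[pos:stop]
            records.append({"type": name, "offset": pos, "end": stop,
                            "length": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
            pos = image.find(header, stop)
    return records

def carved_bytes(image: bytes, record: dict) -> bytes:
    """Re-extract the artefact a record describes (empty if it was not carved)."""
    if record["end"] is None:
        return b""
    return image[record["offset"]:record["end"]]

if __name__ == "__main__":
    for rec in carve(SAMPLE_IMAGE) + carve(TRUNCATED_IMAGE):
        print(rec)
```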
There are times, however, when simply “finding the answer” is good enough. One example that came up today was about passwords for encrypted files. Assume you’re conducting an examination of a system and come across an encrypted file. For whatever reason, the suspect is unavailable. Now assume that you have an image of physical memory (i.e. RAM) and are able to use a tool such as the Volatility Framework or Memparser to analyze the image. During your analysis you find what you believe to be the password to the encrypted file. You can test your hypothesis by simply attempting to decrypt the file. If you are correct, the file will decrypt properly. In this case, the fact that the password worked would likely be good enough. You would still need to properly document your actions; however, they would likely be less important than the outcome.