Practical Digital Forensics

By: Richard Boddington

Overview of this book

Digital forensics is a methodology that includes using various tools, techniques, and programming languages. This book will get you started with digital forensics and then move on to preparing an investigation plan and a toolkit for the investigation. In this book you will explore new and promising forensic processes and tools based on ‘disruptive technology’ that offer experienced and budding practitioners the means to regain control of their caseloads. During the course of the book, you will get to know the technical side of digital forensics and the various tools needed to perform it. The book begins with a quick insight into the nature of digital evidence, where it is located, and how it can be recovered and forensically examined to assist investigators. It then takes you through a series of chapters that look at the nature and circumstances of digital forensic examinations and explain the processes of evidence recovery and preservation from a range of digital devices, including mobile phones, and other media. A range of case studies and simulations will allow you to apply the theory you have learned to real-life situations. By the end of this book you will have gained a sound insight into digital forensics and its key components.
Table of Contents (18 chapters)
Practical Digital Forensics
Credits
About the Author
Acknowledgment
About the Reviewer
www.PacktPub.com
Preface
Index

Defining digital forensics and its role


Digital evidence is progressively being used in legal proceedings and has been subject to scrutiny by the courts. This places an onerous burden on digital forensic practitioners to endeavor to present reliable evidence and sound analyses of their findings, which may also be useful to establish and test precedents for future court rulings. The dramatic increase in desktop computing and proliferation of cyber-based crime that exploits network systems has resulted in the need for enhanced information security management. It also requires practitioners to untangle the mess and try to bring to account the transgressors. Unrelenting attacks against computing devices and network servers are increasing and serve as the medium from which to exploit a wide range of victims, often based in another country. Computers and networks, however, are rich in information of evidentiary value that can assist practitioners in reconstructing transgressions.

Digital forensics emerged in response to the escalation of crimes committed by the use of computer systems as either an object of a crime, an instrument used to commit a crime, or a repository of evidence related to a crime. The requirements of investigating and examining digital evidence while at the same time ensuring that the integrity of original evidence remains unaltered were quickly identified as important functions.

Definitions of digital forensics

In the 1980s, it became apparent that, similar to other developments such as DNA evidence and advances in molecular analysis, a new discipline was emerging: digital forensics. As computers became affordable, relatively easy to use, and interconnected through local and wide area networks, computer crime emerged in tandem with the wonders offered by cyberspace.

Traditional laws became outdated, even by legal standards. Questions were raised, for example, as to how the theft of a computer device might be compared with the theft of intangible information copied from a computer and used without lawful authority. The information may remain on the computer although it has been copied without the owner's permission, yet the thief assumes permanent, albeit shared, ownership of the information.

Theft traditionally has a key element of transportability facilitating the permanent removal of tangible property. The file is there and then it is not, yet it is an intangible object stored on a computer. The copying process may well leave the original file information on the device, but it has been stolen from the point of view of its owner. Is copying theft or misuse of a computer? It is certainly a breach of privacy in most cases, and while there is a perception by an owner that their privacy has been breached, how does one claim so when the information is simply copied but yet to be disseminated? Does stalking a person in the street equate to stalking them online? The original legislation was intended to cover the former, and this raised serious questions as to whether established laws could be used to encompass new computer-based crimes.

Electronic and digital information is held or stored on devices and can be abused through such unauthorized activities. Computer crimes are a cyber version of well-established physical-world crimes. Extortion and threats are not new, but the use of computers to deliver the payload is. There was a call for new legislation to redefine computer-related crime, and largely, these recently introduced laws appear to serve the community well. However, confusion reigns in many jurisdictions as to the meaning of digital information tendered in court, and there is an imprudent tendency among some practitioners and members of the legal fraternity to accept it at face value.

Digital forensics has yet to come of age, according to many observers and practitioners, and requires a scientific and impartial approach to analyzing digital information, sometimes in isolation if no other evidence is available. The evidence may be required in criminal or civil proceedings as well as in administrative and disciplinary cases. Courts and legal adjudicators expect that, in line with more established forensic disciplines, scientific processes and tools will be used to preserve and assist in evidence analysis.

The stages of a digital forensic examination are geared toward the recovery and protection of evidence and a scientific approach to analyzing and interpreting the evidence, validating the evidence, and providing clear and precise forensic reports. Chapter 4, Recovering and Preserving Digital Evidence, and Chapter 6, Selecting and Analyzing Digital Evidence, describe these stages of digital forensic examination.