Practical Digital Forensics

By : Richard Boddington

Overview of this book

Digital forensics is a methodology that draws on a range of tools, techniques, and programming languages. This book will get you started with digital forensics and then move on to preparing an investigation plan and a toolkit for an investigation. In it you will explore new and promising forensic processes and tools based on 'disruptive technology' that offer experienced and budding practitioners the means to regain control of their caseloads. During the course of the book, you will get to know the technical side of digital forensics and the various tools needed to perform it. The book begins with a quick insight into the nature of digital evidence, where it is located, and how it can be recovered and forensically examined to assist investigators. It then takes you through a series of chapters that look at the nature and circumstances of digital forensic examinations and explain the processes of evidence recovery and preservation from a range of digital devices, including mobile phones and other media. A range of case studies and simulations will allow you to apply the theory you have gained to real-life situations. By the end of this book you will have gained a sound insight into digital forensics and its key components.
Table of Contents (18 chapters)
Practical Digital Forensics
Credits
About the Author
Acknowledgment
About the Reviewer
www.PacktPub.com
Preface
Index

Looking at the history of digital forensics


Digital forensics is a relatively new phenomenon. Computers have been around for many decades, and for most of that time they required a small number of staff to input data for processing and then receive the output in hardcopy form. They were regarded as secure information repositories because so few people had the expertise and understanding to use them. Security was simply not seen as a problem, and computer printouts were readily accepted by courts without issue. However, the advent of cheaper and easier-to-use desktop machines, combined with networked systems, changed the security landscape of computing.

The early days

During the 1970s, computers were not readily available to anyone but large organizations, government departments, and, particularly, the defense and intelligence communities using mainframe computers. What forensic activity surrounded these computers is not clear and remains shrouded in secrecy.

The origins of digital forensics in the public domain emerged later and may be traced back to as early as 1984, when the FBI laboratory and other law enforcement agencies began developing programs to examine computer evidence. Andrew Rosen wrote the first purpose-built digital forensic tool, Desktop Mountie, for the Canadian police, and followed it up with versions of Expert Witness, EnCase, and SMART. The rapid and almost worldwide acquisition of relatively cheap and easy-to-use desktop computers for personal and work use quickly attracted the attention of transgressors keen to exploit the new technology.

In response to mounting attacks on computers and networks, private organizations and governments began to develop and implement computer security policies and countermeasures. Digital forensics emerged once the victims of cyberattacks and exploitation realized that some structure was needed to deal with an escalating problem. Some established forensic processes eventually emerged in the late eighties, but much of the research and development of digital forensic tools and software was vendor-driven or produced by enthusiastic law enforcement officers with some basic computer knowledge.

Some of the first government agencies with an overt and publicly visible requirement to carry out forensics on external systems in relation to criminal offences were taxation and revenue-collection agencies. It soon became apparent to those struggling to recover digital evidence that a level of specialist knowledge was needed to investigate this new technology.

A paucity of reliable digital forensic tools

Unfortunately for the digital forensic practitioner, no purpose-built forensic tools were generally available in the eighties, which resulted in developers designing their own suites of forensic utilities based on MS-DOS. Many of these software applications have since been refined and updated, and persist in use to this day. Data-protection and recovery utility suites of that era that still exist include:

  • Norton Utilities

  • PC Tools (Central Point Software)

  • Mace Utilities

Note

In 1990, there were 100,000 registered users of Mace Utilities, and Norton Utilities became one of the most popular utility suites available.

Initially, the only method of preserving evidence available to the forensic examiner was to take a logical backup of files from the evidence disk to magnetic tape. It was hoped that this process would preserve vital file attributes and metadata and allow the files to be restored to another disk. The practitioner could then examine the recovered data manually using command-line file-management software such as the following:

  • XTree Gold (Executive Systems, Inc.)

  • Norton Commander (NC)

  • Suitable file-viewing software, including sector-level (hex) viewers used with the sector imaging method

The size of computer datasets at the time was in the megabyte range, but that was still sufficiently large to make evidence retrieval a tedious and time-consuming task. There were calls for forensic standards, guidelines, and definitions to assist digital forensics practitioners, as well as an urgent call to revise existing legislation to ensure that the newly emerging cybercrimes were correctly defined. Sound legislation was overdue that would recognize, and be effective against, old crimes now committed in a new format.

The legal fraternity's difficulty understanding digital evidence

In the mid-eighties, concerns were raised about the lack of understanding among legal practitioners and lawmakers, and their failure to address the problems brought about by the increasing reliance on digital evidence in legal proceedings. This was a worldwide phenomenon caused by the dramatic upsurge in computer use and the advent of new devices, including digital mobile phones. Consequently, a coordinated approach was mooted in the USA to assist forensic and legal practitioners in overcoming the difficulties encountered when tendering digital evidence.

By the turn of the century, the US and the European Union had established a body of research that applied scientific processes to find solutions to forensic challenges driven by practitioner needs. Researchers at the time raised concerns about widespread misunderstanding of the true nature of digital evidence. More worrying to them was the inefficiency and ineffectiveness of some of the forensic processes used in its recovery, analysis, and subsequent use in legal proceedings.

It was recognized that digital forensic examinations commenced with seeking answers about the identity of suspected transgressors, notably by establishing some digital link between the binary data and the suspect. Although mere possession of a computer was generally considered sufficient to link a transgressor to all the data the device contained, concerns were being raised as to the soundness of that assumption. Would it remain valid in the future, given extensive computer networking? And would the data itself be capable of providing clues to the motive of a transgression?

In 1999, digital forensic tool designer Andrew Rosen appeared for the defense in Clarkson versus Clarkson (Circuit Court for Roanoke County, Virginia: case 3CH 01.00099), where it was eventually determined that the defendant's wife had placed child pornography on his computer and then tried to incriminate him so she could exit the marriage, retain custody of the children, and marry her new lover. The case caused Rosen to be regarded as a "traitor" by law enforcement/prosecution-focused practitioners, who were evidently more interested in winning the case than in seeking a just outcome.

This set the scene for a dangerous precedent, encouraging some practitioners to assume that the owner and principal user of a computer was the most likely transgressor. In my experience of handling defense cases in criminal trials, the sound identification of other users, who are also potential suspects, has often been paid only lip service. This suggests suspect-driven rather than evidence-led examinations, which is hardly an unbiased and scientific approach, and it contradicts the concept of the practitioner as the "servant of the court". The nature and special properties of digital evidence are presented in Chapter 3, The Nature and Special Properties of Digital Evidence.

More recent developments in digital forensics

The years from 1999 to 2007 have been described as the golden age of digital forensics, when the practitioner could see into the past through the recovery of deleted files and into the criminal mind through the recovery of e-mails and messages, in effect freezing time and witnessing transgressions. Digital forensics was once a niche science that primarily supported criminal investigations. Nowadays, it is routinely incorporated in popular crime shows and novels. The dramatization of digital forensics, and the considerable exaggeration of the technical prowess of practitioners and forensic tools, is what is described as the Crime Scene Investigation (CSI) syndrome, more commonly known as the CSI effect.

Note

In 1984, the FBI established the Computer Analysis and Response Team (CART) to provide digital forensic support, but it did not become operational until 1991.

Research groups have since been formed to discuss computer forensic science as a discipline, including the need for a standardized approach to examinations. In the USA, these include the following:

  • Scientific Working Group on Digital Evidence (SWGDE)

  • Technical Working Group on Digital Evidence (TWGDE)

  • National Institute of Justice (NIJ)

By 2005, digital forensics still lacked standardization and process, and was understandably heavily oriented toward Windows and, to a lesser extent, standard Linux systems. Even in 2010, while the basic phases of a digital forensic examination were well documented, a standardized or widely accepted formal digital forensic model was still considered by some researchers to be in its infancy. To those observers, it was clearly not in the same league as established physical forensic standards such as those for blood analysis.

In 2008, the International Organization for Standardization's Joint Technical Committee (ISO/IEC JTC 1) investigated the feasibility of an international standard on digital forensic governance, but to date there is no ISO/IEC JTC 1 standard that specifically addresses governance of the discipline. (Note that the committee has since published standards on the handling of digital evidence itself, notably ISO/IEC 27037:2012 on the identification, collection, acquisition, and preservation of digital evidence, which is narrower in scope than governance.) There exists, however, an international awareness of the problems associated with variations in the inter-jurisdictional transfer of information relating to legal proceedings (ISO 2009:4).

The digital forensics discipline developed rapidly but to date has very little international standardization of processes, procedures, or management, yet it requires governance similar to Information Systems and Information Technology (IS and IT) governance. Recently, some researchers have expressed concern about the intersection between the highly technical digital forensic discipline and the business-oriented approach of governance, which makes digital forensics a highly specialized field. There is a feeling of misgiving that few practitioners have sufficient interdisciplinary knowledge of the computing, legal, and business aspects. That is perhaps an unfair criticism of the majority of practitioners, who do remarkable work with limited resources and support.

A conflicting view is that the emergence of organizations such as the High Technology Crime Investigation Association (HTCIA) and the International Association of Computer Investigative Specialists (IACIS) did lend weight to the forensic process and helped secure legal acceptance of digital evidence by ensuring that the data is reliable, accurate, verifiable, and complete.