Digital forensics

the usual aim is to provide answers to a series of simpler questions) often involving complex time-lines or
hypotheses.[4]

1 History
Prior to the 1980s crimes involving computers were dealt
with using existing laws. The rst computer crimes were
recognized in the 1978 Florida Computer Crimes Act,
which included legislation against the unauthorized modication or deletion of data on a computer system.[5][6]
Over the next few years the range of computer crimes
being committed increased, and laws were passed to
deal with issues of copyright, privacy/harassment (e.g.,
cyber bullying, cyber stalking, and online predators) and
child pornography.[7][8] It was not until the 1980s that
federal laws began to incorporate computer oences.
Canada was the rst country to pass legislation in 1983.[6]
This was followed by the US Federal Computer Fraud
and Abuse Act in 1986, Australian amendments to their
crimes acts in 1989 and the British Computer Abuse Act
in 1990.[6][8]

Aerial photo of FLETC, where US digital forensics standards

were developed in the 1980s and '90s

Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing
the recovery and investigation of material found in digital devices, often in relation to computer crime.[1][2] The
term digital forensics was originally used as a synonym
for computer forensics but has expanded to cover investigation of all devices capable of storing digital data.[1]
With roots in the personal computing revolution of the
late 1970s and early '80s, the discipline evolved in a hap- 1.1 1980s1990s: Growth of the eld
hazard manner during the 1990s, and it was not until the
early 21st century that national policies emerged.
The growth in computer crime during the 1980s and
Digital forensics investigations have a variety of applica- 1990s caused law enforcement agencies to begin estabtions. The most common is to support or refute a hy- lishing specialized groups, usually at the national level, to
pothesis before criminal or civil (as part of the electronic handle the technical aspects of investigations. For examdiscovery process) courts. Forensics may also feature in ple, in 1984 the FBI launched a Computer Analysis and
the private sector; such as during internal corporate in- Response Team and the following year a computer crime
vestigations or intrusion investigation (a specialist probe department was set up within the British Metropolitan Pointo the nature and extent of an unauthorized network in- lice fraud squad. As well as being law enforcement protrusion).
fessionals, many of the early members of these groups
responsible for
The technical aspect of an investigation is divided into were also computer hobbyists and became
[9][10]
the
elds
initial
research
and
direction.
several sub-branches, relating to the type of digital devices involved; computer forensics, network forensics,
forensic data analysis and mobile device forensics. The
typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and
the production of a report into collected evidence.

One of the rst practical (or at least publicized) examples of digital forensics was Cli Stolls pursuit of hacker
Markus Hess in 1986. Stoll, whose investigation made
use of computer and network forensic techniques, was not
a specialized examiner.[11] Many of the earliest forensic
[12]
As well as identifying direct evidence of a crime, digi- examinations followed the same prole.
tal forensics can be used to attribute evidence to specic Throughout the 1990s there was high demand for these
suspects, conrm alibis or statements, determine intent, new, and basic, investigative resources. The strain on
identify sources (for example, in copyright cases), or au- central units lead to the creation of regional, and even
thenticate documents.[3] Investigations are much broader local, level groups to help handle the load. For examin scope than other areas of forensic analysis (where ple, the British National Hi-Tech Crime Unit was set up
1

in 2001 to provide a national infrastructure for computer

crime; with personnel located both centrally in London
and with the various regional police forces (the unit was
folded into the Serious Organised Crime Agency (SOCA)
in 2006).[10]

HISTORY

devices.[20]
Focus has also shifted onto internet crime, particularly
the risk of cyber warfare and cyberterrorism. A February
2010 report by the United States Joint Forces Command
concluded:

During this period the science of digital forensics grew

from the ad-hoc tools and techniques developed by these
Through cyberspace, enemies will target
hobbyist practitioners. This is in contrast to other forenindustry, academia, government, as well as the
sics disciplines which developed from work by the scienmilitary in the air, land, maritime, and space
tic community.[1][13] It was not until 1992 that the term
domains. In much the same way that airpower
computer forensics was used in academic literature (altransformed the battleeld of World War II,
though prior to this it had been in informal use); a paper
cyberspace has fractured the physical barriers
by Collier and Spaul attempted to justify this new discithat shield a nation from attacks on its compline to the forensic science world.[14][15] This swift demerce and communication.[21]
velopment resulted in a lack of standardization and training. In his 1995 book, "High-Technology Crime: InvestiThe eld of digital forensics still faces unresolved issues.
gating Cases Involving Computers", K Rosenblatt wrote:
A 2009 paper, Digital Forensic Research: The Good,
the Bad and the Unaddressed, by Peterson and Shenoi
Seizing, preserving, and analyzing eviidentied a bias towards Windows operating systems in
dence stored on a computer is the greatest
digital forensics research.[22] In 2010 Simson Garnkel
forensic challenge facing law enforcement in
identied issues facing digital investigations in the future,
the 1990s. Although most forensic tests,
including the increasing size of digital media, the wide
such as ngerprinting and DNA testing, are
availability of encryption to consumers, a growing variperformed by specially trained experts the
ety of operating systems and le formats, an increasing
task of collecting and analyzing computer evnumber of individuals owning multiple devices, and leidence is often assigned to patrol ocers and
gal limitations on investigators. The paper also identied
detectives.[16]
continued training issues, as well as the prohibitively high
cost of entering the eld.[11]

1.2

2000s: Developing standards

1.3 Development of forensic tools

Since 2000, in response to the need for standardization,

various bodies and agencies have published guidelines for
digital forensics. The Scientic Working Group on Digital Evidence (SWGDE) produced a 2002 paper, "Best
practices for Computer Forensics", this was followed, in
2005, by the publication of an ISO standard (ISO 17025,
General requirements for the competence of testing and
calibration laboratories).[6][17][18] A European lead international treaty, the Convention on Cybercrime, came into
force in 2004 with the aim of reconciling national computer crime laws, investigative techniques and international co-operation. The treaty has been signed by 43
nations (including the US, Canada, Japan, South Africa,
UK and other European nations) and ratied by 16.
The issue of training also received attention. Commercial
companies (often forensic software developers) began to
oer certication programs and digital forensic analysis
was included as a topic at the UK specialist investigator
training facility, Centrex.[6][10]
Since the late 1990s mobile devices have become more
widely available, advancing beyond simple communication devices, and have been found to be rich forms of
information, even for crime not traditionally associated
with digital forensics.[19] Despite this, digital analysis of
phones has lagged behind traditional computer media,
largely due to problems over the proprietary nature of

Main article: List of digital forensics tools

During the 1980s very few specialized digital forensic
tools existed, and consequently investigators often performed live analysis on media, examining computers
from within the operating system using existing sysadmin
tools to extract evidence. This practice carried the risk of
modifying data on the disk, either inadvertently or otherwise, which led to claims of evidence tampering. A
number of tools were created during the early 1990s to
address the problem.
The need for such software was rst recognized in 1989
at the Federal Law Enforcement Training Center, resulting in the creation of IMDUMP (by Michael White) and
in 1990, SafeBack (developed by Sydex). Similar software was developed in other countries; DIBS (a hardware
and software solution) was released commercially in the
UK in 1991, and Rob McKemmish released Fixed Disk
Image free to Australian law enforcement.[9] These tools
allowed examiners to create an exact copy of a piece of
digital media to work on, leaving the original disk intact
for verication. By the end of the '90s, as demand for
digital evidence grew more advanced commercial tools
such as EnCase and FTK were developed, allowing analysts to examine copies of media without using any live

3
forensics.[6] More recently, a trend towards live memory well as unallocated and slack space), recovering deleted
forensics has grown resulting in the availability of tools les and extraction of registry information (for example
such as WindowsSCOPE.
to list user accounts, or attached USB devices).
More recently the same progression of tool development
has occurred for mobile devices; initially investigators
accessed data directly on the device, but soon specialist
tools such as XRY or Radio Tactics Aceso appeared.[6]

Forensic process

The evidence recovered is analysed to reconstruct events

or actions and to reach conclusions, work that can often
be performed by less specialised sta.[1] When an investigation is complete the data is presented, usually in the
form of a written report, in lay persons' terms.[1]

3 Application

A portable Tableau write-blocker attached to a hard drive

Main article: Digital forensic process

A digital forensic investigation commonly consists of 3
stages: acquisition or imaging of exhibits,[23] analysis,
and reporting.[6][24] Ideally acquisition involves capturing
an image of the computers volatile memory (RAM)[25]
and creating an exact sector level duplicate (or forensic duplicate) of the media, often using a write blocking device to prevent modication of the original. However, the growth in size of storage media and developments such as cloud computing [26] have led to more use
of 'live' acquisitions whereby a 'logical' copy of the data
is acquired rather than a complete image of the physical
storage device.[23] Both acquired image (or logical copy)
and original media/data are hashed (using an algorithm
such as SHA-1 or MD5) and the values compared to verify the copy is accurate.[27]

An example of an images Exif metadata that might be used to

prove its origin

Digital forensics is commonly used in both criminal law

and private investigation. Traditionally it has been associated with criminal law, where evidence is collected
to support or oppose a hypothesis before the courts. As
with other areas of forensics this is often as part of a
wider investigation spanning a number of disciplines. In
some cases the collected evidence is used as a form of
intelligence gathering, used for other purposes than court
proceedings (for example to locate, identify or halt other
crimes). As a result intelligence gathering is sometimes
held to a less strict forensic standard.

In civil litigation or corporate matters digital forensics

forms part of the electronic discovery (or eDiscovery)
process. Forensic procedures are similar to those used
in criminal investigations, often with dierent legal reDuring the analysis phase an investigator recovers evi- quirements and limitations. Outside of the courts digital
dence material using a number of dierent methodolo- forensics can form a part of internal corporate investigagies and tools. In 2002, an article in the International tions.
Journal of Digital Evidence referred to this step as an A common example might be following unauthorized
in-depth systematic search of evidence related to the sus- network intrusion. A specialist forensic examination into
pected crime.[1] In 2006, forensics researcher Brian Car- the nature and extent of the attack is performed as a damrie described an intuitive procedure in which obvious age limitation exercise. Both to establish the extent of any
evidence is rst identied and then exhaustive searches intrusion and in an attempt to identify the attacker.[3][4]
Such attacks were commonly conducted over phone lines
are conducted to start lling in the holes.[4]
the modern era are usually propThe actual process of analysis can vary between investi- during the 1980s, but in [28]
agated
over
the
Internet.
gations, but common methodologies include conducting
keyword searches across the digital media (within les as The main focus of digital forensics investigations is to re-

LEGAL CONSIDERATIONS

restrict how much information can be seized.[29] For example, in the United Kingdom seizure of evidence by law
enforcement is governed by the PACE act.[6] The International Organization on Computer Evidence (IOCE) is
one agency that works to establish compatible internaAttribution Meta data and other logs can be used to at- tional standards for the seizure of evidence.[30]
tribute actions to an individual. For example, per- In the UK the same laws covering computer crime can
sonal documents on a computer drive might identify also aect forensic investigators. The 1990 computer
its owner.
misuse act legislates against unauthorised access to comcover objective evidence of a criminal activity (termed
actus reus in legal parlance). However, the diverse range
of data held in digital devices can help with other areas
of inquiry.[3]

Alibis and statements Information provided by those

involved can be cross checked with digital evidence. For example, during the investigation into
the Soham murders the oenders alibi was disproved when mobile phone records of the person he
claimed to be with showed she was out of town at
the time.
Intent As well as nding objective evidence of a crime
being committed, investigations can also be used
to prove the intent (known by the legal term mens
rea). For example, the Internet history of convicted
killer Neil Entwistle included references to a site
discussing How to kill people.
Evaluation of source File artifacts and meta-data can
be used to identify the origin of a particular piece
of data; for example, older versions of Microsoft
Word embedded a Global Unique Identifer into les
which identied the computer it had been created
on. Proving whether a le was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet) can be very important.[3]

puter material; this is a particular concern for civil investigators who have more limitations than law enforcement.
An individuals right to privacy is one area of digital
forensics which is still largely undecided by courts. The
US Electronic Communications Privacy Act places limitations on the ability of law enforcement or civil investigators to intercept and access evidence. The act
makes a distinction between stored communication (e.g.
email archives) and transmitted communication (such as
VOIP). The latter, being considered more of a privacy invasion, is harder to obtain a warrant for.[6][16] The ECPA
also aects the ability of companies to investigate the
computers and communications of their employees, an
aspect that is still under debate as to the extent to which
a company can perform such monitoring.[6]
Article 5 of the European Convention on Human Rights
asserts similar privacy limitations to the ECPA and limits
the processing and sharing of personal data both within
the EU and with external countries. The ability of UK
law enforcement to conduct digital forensics investigations is legislated by the Regulation of Investigatory Powers Act.[6]

Document authentication Related to Evaluation of

source, meta data associated with digital documents can be easily modied (for example, by 4.1
changing the computer clock you can aect the creation date of a le). Document authentication relates to detecting and identifying falsication of such
details.

3.1

Digital evidence

Limitations

One major limitation to a forensic investigation is the use

of encryption; this disrupts initial examination where pertinent evidence might be located using keywords. Laws
to compel individuals to disclose encryption keys are still
relatively new and controversial.[11]

Legal considerations
Digital evidence can come in a number of forms

The examination of digital media is covered by national

and international legislation. For civil investigations, in
particular, laws may restrict the abilities of analysts to
undertake examinations. Restrictions against network
monitoring, or reading of personal communications often exist.[29] During criminal investigation, national laws

Main article: Digital evidence

When used in a court of law digital evidence falls under the same legal guidelines as other forms of evidence; courts do not usually require more stringent

4.2

Investigative tools

guidelines.[6][31] In the United States the Federal Rules

of Evidence are used to evaluate the admissibility of digital evidence, the United Kingdom PACE and Civil Evidence acts have similar guidelines and many other countries have their own laws. US federal laws restrict seizures
to items with only obvious evidential value. This is acknowledged as not always being possible to establish with
digital media prior to an examination.[29]

4.2 Investigative tools

The admissibility of digital evidence relies on the tools

used to extract it. In the US, forensic tools are subjected
to the Daubert standard, where the judge is responsible
for ensuring that the processes and software used were
acceptable. In a 2003 paper Brian Carrier argued that
the Daubert guidelines required the code of forensic tools
to be published and peer reviewed. He concluded that
Laws dealing with digital evidence are concerned with
open source tools may more clearly and comprehensively
two issues: integrity and authenticity. Integrity is enmeet the guideline requirements than would closed source
suring that the act of seizing and acquiring digital media
tools.[35]
does not modify the evidence (either the original or the
copy). Authenticity refers to the ability to conrm the integrity of information; for example that the imaged media
matches the original evidence.[29] The ease with which 5 Branches
digital media can be modied means that documenting
the chain of custody from the crime scene, through anal- Digital forensics includes several sub-branches relating to
ysis and, ultimately, to the court, (a form of audit trail) is the investigation of various types of devices, media or arimportant to establish the authenticity of evidence.[6]
tifacts.
Attorneys have argued that because digital evidence can
theoretically be altered it undermines the reliability of the
evidence. US judges are beginning to reject this theory,
in the case US v. Bonallo the court ruled that the fact
that it is possible to alter data contained in a computer is
plainly insucient to establish untrustworthiness.[6][32]
In the United Kingdom guidelines such as those issued
by ACPO are followed to help document the authenticity
and integrity of evidence.

5.1 Computer forensics

Main article: Computer forensics

The goal of computer forensics is to explain the current

state of a digital artifact; such as a computer system, storage medium or electronic document.[36] The discipline
usually covers computers, embedded systems (digital deDigital investigators, particularly in criminal investiga- vices with rudimentary computing power and onboard
tions, have to ensure that conclusions are based upon fac- memory) and static memory (such as USB pen drives).
tual evidence and their own expert knowledge.[6] In the
US, for example, Federal Rules of Evidence state that a Computer forensics can deal with a broad range of inqualied expert may testify in the form of an opinion or formation; from logs (such as internet history) through to
the actual les on the drive. In 2007 prosecutors used
otherwise so long as:
a spreadsheet recovered from the computer of Joseph E.
Duncan III to show premeditation and secure the death
penalty.[3] Sharon Lopatka's killer was identied in 2006
(1) the testimony is based upon sucient
after email messages from him detailing torture and death
facts or data, (2) the testimony is the product
fantasies were found on her computer.[6]
of reliable principles and methods, and (3) the
witness has applied the principles and methods
reliably to the facts of the case.[33]
5.2 Mobile device forensics
The sub-branches of digital forensics may each have
their own specic guidelines for the conduct of investigations and the handling of evidence. For example, mobile phones may be required to be placed in a Faraday
shield during seizure or acquisition to prevent further radio trac to the device. In the UK forensic examination of computers in criminal matters is subject to ACPO
guidelines.[6] There are also international approaches to
providing guidance on how to handle electronic evidence.
The Electronic Evidence Guide by the Council of Europe oers a framework for law enforcement and judicial authorities in countries who seek to set up or enhance
their own guidelines for the identication and handling of
electronic evidence.[34]

Main article: Mobile device forensics

Mobile device forensics is a sub-branch of digital forensics relating to recovery of digital evidence or data from a
mobile device. It diers from Computer forensics in that
a mobile device will have an inbuilt communication system (e.g. GSM) and, usually, proprietary storage mechanisms. Investigations usually focus on simple data such
as call data and communications (SMS/Email) rather than
in-depth recovery of deleted data.[6][37] SMS data from a
mobile device investigation helped to exonerate Patrick
Lumumba in the murder of Meredith Kercher.[3]
Mobile devices are also useful for providing location information; either from inbuilt gps/location tracking or via

8 RELATED JOURNALS
and Gorshkov to the United States for a fake job
interview. By monitoring network trac from the
pairs computers, the FBI identied passwords allowing them to collect evidence directly from Russian-based
computers.[6][39]

5.4 Forensic data analysis

Main article: Forensic data analysis
Forensic Data Analysis is a branch of digital forensics.
It examines structured data with the aim to discover and
analyse patterns of fraudulent activities resulting from nancial crime.
Mobile phones in a UK Evidence bag

5.5 Database forensics

Main article: Database forensics
Database forensics is a branch of digital forensics relating
to the forensic study of databases and their metadata.[40]
Investigations use database contents, log les and inRAM data to build a timeline or recover relevant information.

6 Education and Research

Academic centre of education and research in forensic
sciences:

Private Investigator & Certied Digital Forensics Examiner

Imaging a hard drive in the eld for forensic examination.

cell site logs, which track the devices within their range.
Such information was used to track down the kidnappers
of Thomas Onofri in 2006.[3]

North America: Penn State University oers Security and

Risk Analysis Major, Master of Professional Studies in
Information Sciences, Master of Professional Studies in
Homeland Security, and Ph.D. in Information Sciences
and Technology in the digital forensics area.

7 See also
Cyberspace

5.3

Network forensics

Main article: Network forensics

Network forensics is concerned with the monitoring and
analysis of computer network trac, both local and
WAN/internet, for the purposes of information gathering, evidence collection, or intrusion detection.[38] Trac
is usually intercepted at the packet level, and either stored
for later analysis or ltered in real-time. Unlike other areas of digital forensics network data is often volatile and
rarely logged, making the discipline often reactionary.
In 2000 the FBI lured computer hackers Aleksey Ivanov

Glossary of digital forensics terms

BackTrack

8 Related journals
Journal of Digital Forensics, Security and Law
International Journal of Digital Crime and Forensics
Journal of Digital Investigation
International Journal of Digital Evidence

7
International Journal of Forensic Computer Science
Journal of Digital Forensic Practice
Small Scale Digital Device Forensic Journal

References

[1] M Reith, C Carr, G Gunsch (2002). An examination of

digital forensic models. International Journal of Digital
Evidence. Retrieved 2 August 2010.
[2] Carrier, B (2001). Dening digital forensic examination
and analysis tools. Digital Research Workshop II. Retrieved 2 August 2010.
[3] Various (2009). Eoghan Casey, ed. Handbook of Digital Forensics and Investigation. Academic Press. p. 567.
ISBN 0-12-374267-6. Retrieved 27 August 2010.
[4] Carrier, Brian D (7 June 2006). Basic Digital Forensic
Investigation Concepts.
[5] Florida Computer Crimes Act. Retrieved 31 August
2010.
[6] Casey, Eoghan (2004). Digital Evidence and Computer
Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.
[7] Aaron Phillip; David Cowen; Chris Davis (2009).
Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN 0-07-162677-8. Retrieved 27
August 2010.

[16] K S Rosenblatt (1995). High-Technology Crime: Investigating Cases Involving Computers. KSK Publications.
ISBN 0-9648171-0-1. Retrieved 4 August 2010.
[17] Best practices for Computer Forensics (PDF). SWGDE.
Archived from the original (PDF) on 3 October 2010. Retrieved 4 August 2010.
[18] ISO/IEC 17025:2005. ISO. Retrieved 20 August 2010.
[19] SG Punja (2008). Mobile device analysis (PDF). Small
Scale Digital Device Forensics Journal.
[20] Rizwan Ahmed (2008). Mobile forensics: an overview,
tools, future trends and challenges from law enforcement
perspective (PDF). 6th International Conference on EGovernance.
[21] The Joint Operating Environment, Report released,
Feb. 18, 2010, pp. 3436
[22] Peterson, Gilbert & Shenoi, Sujeet (2009). Digital
Forensic Research: The Good, the Bad and the Unaddressed. Advances in Digital Forensics V. IFIP Advances
in Information and Communication Technology (Springer
Boston) 306: 1736. Bibcode:2009adf5.conf...17B.
doi:10.1007/978-3-642-04155-6_2. ISBN 978-3-64204154-9.
[23] Adams, Richard (2013). "'The Advanced Data Acquisition Model (ADAM): A process model for digital forensic
practice (PDF). Murdoch University.
[24] "'Electronic Crime Scene Investigation Guide: A Guide
for First Responders (PDF). National Institute of Justice.
2001.

[8] M, M. E. A Brief History of Computer Crime: A

(PDF). Norwich University. Retrieved 30 August 2010.

[25] Catching the ghost: how to discover ephemeral evidence

with Live RAM analysis. Belkasoft Research. 2013.

[9] Mohay, George M. (2003). Computer and intrusion forensics. Artechhouse. p. 395. ISBN 1-58053-369-8.

[26] Adams, Richard (2013). "'The emergence of cloud storage and the need for a new digital forensic process model
(PDF). Murdoch University.

[10] Peter Sommer (January 2004). The future for the policing of cybercrime. Computer Fraud & Security 2004
(1): 812. doi:10.1016/S1361-3723(04)00017-X. ISSN
1361-3723.

[27] Maarten Van Horenbeeck (24 May 2006). Technology

Crime Investigation. Archived from the original on 17
May 2008. Retrieved 17 August 2010.

[11] Simson L. Garnkel (August 2010). Digital forensics research: The next 10 years. Digital Investigation 7: S64
S73. doi:10.1016/j.diin.2010.05.009. ISSN 1742-2876.

[28] Warren G. Kruse, Jay G. Heiser (2002). Computer forensics: incident response essentials. Addison-Wesley. p.
392. ISBN 0-201-70719-5.

[12] Linda Volonino, Reynaldo Anzaldua (2008). Computer

forensics for dummies. For Dummies. p. 384. ISBN 0470-37191-9.

[29] Sarah Mocas (February 2004). Building theoretical underpinnings for digital forensics research. Digital Investigation 1 (1): 6168. doi:10.1016/j.diin.2003.12.004.
ISSN 1742-2876.

[13] GL Palmer, I Scientist, H View (2002). Forensic analysis in the digital world. International Journal of Digital
Evidence. Retrieved 2 August 2010.
[14] Wilding, E. (1997). Computer Evidence: a Forensic Investigations Handbook. London: Sweet & Maxwell. p. 236.
ISBN 0-421-57990-0.
[15] Collier, P.A. and Spaul, B.J. (1992). A forensic methodology for countering computer crime. Computers and
Law (Intellect Books).

[30] Kanellis, Panagiotis (2006). Digital crime and forensic

science in cyberspace. Idea Group Inc (IGI). p. 357. ISBN
1-59140-873-3.
[31] Daniel J. Ryan; Gal Shpantzer. Legal Aspects of Digital
Forensics (PDF). Retrieved 31 August 2010.
[32] US v. Bonallo, 858 F. 2d 1427 (9th Cir. 1988).
[33] Federal Rules of Evidence #702. Retrieved 23 August
2010.

10 FURTHER READING

[34] Electronic Evidence Guide. Council of Europe. April

2013.
[35] Brian Carrier (October 2002). Open Source Digital
Forensic Tools: The Legal Argument (PDF). @stake Research Report.
[36] A Yasinsac; RF Erbacher; DG Marks; MM Pollitt (2003).
Computer forensics education (PDF). IEEE Security &
Privacy. Retrieved 26 July 2010.
[37] Technology Crime Investigation :: Mobile forensics.
Archived from the original on 17 May 2008. Retrieved
18 August 2010.
[38] Gary Palmer, A Road Map for Digital Forensic Research,
Report from DFRWS 2001, First Digital Forensic Research Workshop, Utica, New York, August 7 8, 2001,
Page(s) 2730
[39] 2 Russians Face Hacking Charges. Moscow Times. 24
April 2001. Retrieved 3 September 2010.
[40] Olivier, Martin S. (March 2009).
On metadata
Science Direct.
context in Database Forensics.
doi:10.1016/j.diin.2008.10.001. Retrieved 2 August
2010.

10

Further reading

Carrier, Brian D. (February 2006).

Risks
of live digital forensic analysis.
Communications of the ACM 49 (2):
5661.
doi:10.1145/1113034.1113069.
ISSN 00010782. Retrieved 31 August 2010.
Kanellis, Panagiotis (2006-01-01). Digital crime
and forensic science in cyberspace. IGI Publishing.
p. 357. ISBN 1-59140-873-3.
Jones, Andrew (2008). Building a Digital Forensic Laboratory. Butterworth-Heinemann. p. 312.
ISBN 1-85617-510-3.
Marshell, Angus M. (2008). Digital forensics:
digital evidence in criminal investigation. WileyBlackwell. p. 148. ISBN 0-470-51775-1.
Sammons, John (2012). The basics of digital forensics: the primer for getting started in digital forensics.
Syngress. ISBN 1597496618.
Crowley, Paul. CD and DVD Forensics. Rockland,
MA: Syngress. ISBN 1597491284.
Easttom, Chuck. Certied Cyber Forensics Professional All in One Guide. McGraw-Hill. ISBN
9780071839761.

11
11.1

Text and image sources, contributors, and licenses

Text

Digital forensics Source: http://en.wikipedia.org/wiki/Digital_forensics?oldid=662264831 Contributors: Zundark, The Anome, Raeky,

Chowbok, Mindmatrix, Tabletop, Jrtayloriv, Macskeeball, SmackBot, Christian75, ErrantX, Malleus Fatuorum, TonyTheTiger, Qwerty
Binary, Ling.Nut, ToddWC, SuperMarioMan, Wlodzimierz, Jappalang, Drmies, MystBot, Jim Sweeney, Addbot, Download, Citation
bot, ArthurBot, Jonesey95, RedBot, Onel5969, RjwilmsiBot, John of Reading, Daskalak, Dcirovic, H3llBot, ProloSozz, Autoerrant,
Will Beback Auto, ClueBot NG, Antrim Kate, Flipzxforever, Helpful Pixie Bot, BG19bot, The1337gamer, BattyBot, ChrisGualtieri, Cadava14, Jather, Tmaster1420, Joerg357, Lm0101, Chevy99, Digitalanalyst, P1127, TuxLibNit, Monkbot, Privateinvestigatorgreensboro
and Anonymous: 23

11.2

Images

File:Digital_Forensics_-_Imaging_a_hard_drive_in_the_field.jpg Source: http://upload.wikimedia.org/wikipedia/commons/c/c9/

Digital_Forensics_-_Imaging_a_hard_drive_in_the_field.jpg License: CC BY-SA 4.0 Contributors: Own work Original artist:
Privateinvestigatorgreensboro
File:En_exif_data.png Source: http://upload.wikimedia.org/wikipedia/commons/b/b7/En_exif_data.png License: ? Contributors: Transferred from en.wikipedia by SreeBot Original artist: ErrantX at en.wikipedia
File:FLETC_Glynco-aerial.gif Source: http://upload.wikimedia.org/wikipedia/commons/8/86/FLETC_Glynco-aerial.gif License: Public domain Contributors: http://www.deamuseum.org/dea_history_book/virtual_tehome.htm (59-2.gif= Original artist: Drug Enforcement
Administration (DEA), a United States Department of Justice law enforcement agency
File:Hard_disk.jpg Source: http://upload.wikimedia.org/wikipedia/commons/7/7a/Hard_disk.jpg License: CC BY-SA 3.0 Contributors:
Own work Original artist: Inklein
File:Mobiles.JPG Source: http://upload.wikimedia.org/wikipedia/commons/6/6a/Mobiles.JPG License: Public domain Contributors:
Transferred from en.wikipedia; transfer was stated to be made by User:ErrantX.
Original artist: Errant
File:PersonalStorageDevices.agr.jpg Source: http://upload.wikimedia.org/wikipedia/commons/8/87/PersonalStorageDevices.agr.jpg
License: CC-BY-SA-3.0 Contributors: I took this photograph of artifacts in my possession Original artist: --agr 15:53, 1 Apr 2005 (UTC)
File:Portable_forensic_tableau.JPG Source: http://upload.wikimedia.org/wikipedia/commons/8/8e/Portable_forensic_tableau.JPG License: Public domain Contributors: Own work Original artist: ErrantX
File:Wikibooks-logo-en-noslogan.svg Source: http://upload.wikimedia.org/wikipedia/commons/d/df/Wikibooks-logo-en-noslogan.
svg License: CC BY-SA 3.0 Contributors: Own work Original artist: User:Bastique, User:Ramac et al.
File:Wiktionary-logo-en.svg Source: http://upload.wikimedia.org/wikipedia/commons/f/f8/Wiktionary-logo-en.svg License: Public domain Contributors: Vector version of Image:Wiktionary-logo-en.png. Original artist: Vectorized by Fvasconcellos (talk contribs), based
on original logo tossed together by Brion Vibber

11.3

Content license

Creative Commons Attribution-Share Alike 3.0