Throughout this book you will find that we have consistently referred to the term “Forensic Computing” for what is often elsewhere called “Computer Forensics”. In the UK, however, when we first started up, the name “Computer Forensics” had been registered to a commercial company that was operating in this field and we felt that it was not appropriate for us to use a name that carried with it commercial connotations. Hence our use of the term “Forensic Computing”. Having said that, however, we will need on occasion to refer to “Computer Forensics”, particularly when quoting from overseas journals and papers which use the term, and our use in such circumstances should then be taken to be synonymous with that of “Forensic Computing” and not as a reference to the commercial company.
In point of fact, we will start with a definition of Computer Forensics that has been given by Special Agent Mark Pollitt of the Federal Bureau of Investigation as: “Computer forensics is the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law” (Pollitt, undated). In his paper he contrasts the problems of presenting a digital document in evidence with those of a paper document, and states: “Rarely is determining that the [paper] document physically exists or where it came from, a problem. With digital evidence, this is often a problem. What does this binary string represent? Where did it come from? While these questions, to the computer literate, may seem obvious at first glance, they are neither obvious nor understandable to the layman. These problems then require a substantial foundation being laid prior to their admission into evidence at trial.” These are questions for which we try to provide the requisite technical knowledge in Chapters 2, 3, 4, 5 and 6.
In a second paper (Pollitt, 1995), Special Agent Mark Pollitt suggests that in the field of computer forensics: “Virtually all professional examiners will agree on some overriding principles” and then gives as examples the following three: “... that evidence should not be altered, examination results should be accurate, and that examination results are verifiable and repeatable”. He then goes on to say: “These principles are universal and are not subject to change with every new operating system, hardware or software. While it may be necessary to occasionally modify a principle, it should be a rare event.” In Chapters 7 and 8 we will see that these overriding principles are in complete accord with the practices that we recommend and with those that have been put forward in the Good Practice Guide for Computer based Electronic Evidence (ACPO, 2003) of the UK Association of Chief Police Officers (ACPO).
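As an added illustration of how the three principles are put into practice (this is example code written for this edition, not code from Pollitt's papers or the ACPO guide), the Python below records two independent digests of an evidence image at acquisition, re-verifies the image before any examination to show it has not been altered, and binds a simple, deterministic examination result to the digest of the data it was produced from, so that a second examiner holding the same image can repeat the step and expect the same findings. The evidence bytes, the exhibit reference and the string-extraction step are constructed for the example; a real image would be read from a device or image file in the same chunked manner.

```python
import hashlib
import io
import string
from datetime import datetime, timezone

# Constructed sample "image": a few bytes standing in for a forensic disk image.
# Assumption for the example only; a real acquisition reads a device or image file.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"invoice_2003.doc"
    + b"\x00" * 8
    + b"Dear Sir, the goods were shipped"
    + b"\xff" * 16
)

CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat on multi-gigabyte images


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Read the stream once in chunks and return a hex digest per algorithm.

    Two independent algorithms are recorded so that a collision in one of them
    (MD5 collisions are practical) does not by itself defeat the integrity check.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms=("md5", "sha256")):
    """Convenience wrapper: hash an in-memory byte string through the same chunked path."""
    return hash_stream(io.BytesIO(data), algorithms)


def acquisition_record(data: bytes, exhibit_ref: str) -> dict:
    """Record taken at acquisition: what was imaged, how big it was, and its digests."""
    return {
        "exhibit": exhibit_ref,
        "size": len(data),
        "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "digests": hash_bytes(data),
    }


def verify_unaltered(data: bytes, record: dict) -> bool:
    """Principle 1 (evidence not altered): re-hash and compare with the acquisition record.

    Every recorded digest must match; any mismatch, or a change in size, means the
    data in hand is no longer the evidence that was acquired.
    """
    if len(data) != record["size"]:
        return False
    current = hash_bytes(data, tuple(record["digests"]))
    return all(current[name] == digest for name, digest in record["digests"].items())


def printable_strings(data: bytes, minimum: int = 6) -> list:
    """A simple examination step: extract runs of printable ASCII of at least `minimum` bytes.

    It is a pure function of its input, so re-running it on verified evidence
    reproduces the same list (principles 2 and 3: accurate, verifiable, repeatable).
    """
    allowed = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    results, run = [], bytearray()
    for byte in data:
        if byte in allowed:
            run.append(byte)
            continue
        if len(run) >= minimum:
            results.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= minimum:
        results.append(run.decode("ascii"))
    return results


def examination_report(data: bytes, record: dict) -> dict:
    """Examine only evidence that verifies, and bind the findings to the input digest.

    A second examiner with the same image checks the sha256, reruns
    printable_strings with the stated parameters and expects identical findings.
    """
    if not verify_unaltered(data, record):
        raise ValueError("evidence does not match acquisition record; examination aborted")
    return {
        "exhibit": record["exhibit"],
        "input_sha256": record["digests"]["sha256"],
        "method": "printable_strings(minimum=6)",
        "findings": printable_strings(data),
    }


if __name__ == "__main__":
    rec = acquisition_record(SAMPLE_IMAGE, "EXHIBIT-01")
    print(examination_report(SAMPLE_IMAGE, rec))
    tampered = SAMPLE_IMAGE[:-1] + b"\x00"  # same size, one byte changed
    print("tampered copy verifies:", verify_unaltered(tampered, rec))
```

Note that the examination refuses to run at all on data that fails verification; that is the practical meaning of the first principle, since a result produced from altered evidence is neither accurate nor repeatable against the original.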