Exploring Myths in Digital Forensics: Separating Science From Ritual

Gary C. Kessler, Gregory H. Carlton
DOI: 10.4018/978-1-7998-3025-2.ch025

Abstract

Digital forensic methodology differs significantly from the methods of other forensic sciences for numerous practical reasons, and it has been largely influenced by factors derived from the inception and evolution of this relatively new and rapidly changing field. In its early days, digital forensics methodology was developed more by practitioners than by computer scientists. This led to accepted best practices in the field that may not represent the best, or at least tested, science. This paper explores some of these differences in practice and evolution between digital and other forensic sciences, and recommends scientific approaches to apply to many digital forensic practice rituals.
Chapter Preview

2. The Process Of Digital Forensics

Due to the manner in which the field of digital forensics evolved, many practices that were developed in the early stages during the 1990s remain in common use today without question. The authors contend that some of these practices have risen to the level of ritual and dogma, and while they might have made sense more than twenty years ago, they have not been studied from a scientific perspective to understand their relevance in today's environment.

One of the foundations of forensic science is Locard's Exchange Principle, which says, in essence, “Every contact leaves a trace” (Petherick, Turvey, Ferguson, 2010). Put another way: if two objects come into contact with one another, some part of each object is left on the other. All of the forensic sciences assume that such contacts and exchanges take place during the commission of a crime.

One common model of the forensics process, which applies equally to digital forensics or “physical” forensics, includes the following six phases (Casey and Schatz, 2011; Palmer, 2001):

  1. Identification: Surveying a crime scene to determine potential sources of evidence that might have a nexus to the crime;

  2. Preservation: Maintaining the state of potentially probative items to prevent changes, ensuring evidentiary integrity;

  3. Collection: Assembling potential evidence in a manner so that the items can be forensically examined on-site (as necessary) or transported to a laboratory facility;

  4. Examination: Testing each evidentiary item to extract probative information, making it available for analysis. This phase is guided by the legal context of the seizure and scope of the search of the items;

  5. Analysis: Application of the scientific method, systematic processes, and critical thinking to look at the totality of the evidentiary information to answer the fundamental investigative questions: who, what, where, when, why, and how. This phase includes the analysis of both incriminating and exculpatory evidence;

  6. Reporting: Document the entire forensics process, particularly explaining how the analysis leads to the conclusions about the crime. The type of investigation – i.e., corporate, civil, or criminal – provides the context for this phase.
