Definitions

Digital forensics is

an applied field originating in law enforcement, computer security, and national defense. It is concerned with discovering, authenticating, and analyzing data in digital formats to the standard of admissibility in a legal setting.[1]
[t]he processes and specialized techniques for gathering, retaining, and analyzing system-related data (digital evidence) for investigative purposes.[2]
cybersecurity work where a person: Collects, processes, preserves, analyzes, and presents computer-related evidence in support of network vulnerability, mitigation, and/or criminal, fraud, counterintelligence or law enforcement investigations.[3]

Overview

"While its purview was once narrow and specialized (catching black-hat hackers or white-collar cybercriminals), the increasing ubiquity of computers and electronic devices means that digital forensics is now employed in a wide variety of cases and circumstances. . . . Digital forensics is also now routinely used in counterterrorism and military intelligence.

"Digital forensics breaks down into several subfields. Incident response is the branch of computer security and forensics that deals with the first responder on the scene of an actual crime or incident. . . . Intrusion detection, meanwhile, is primarily the domain of systems administrators and security experts who work to counter active threats and collect evidence from compromised systems. Investigators working in intrusion detection are used to operating on "live" computers, meaning machines that are still turned on or connected to a network at the time of the expert's intervention."

Preservation

"[T]he methods and tools developed by forensics experts represent a novel approach to key issues and challenges in the archives and curatorial community. . . .

"The same forensics software that indexes a criminal suspect's hard drive allows the archivist to prepare a comprehensive manifest of the electronic files a donor has turned over for accession; the same hardware that allows the forensics investigator to create an algorithmically authenticated "image" of a file system allows the archivist to ensure the integrity of digital content once captured from its source media; the same data-recovery procedures that allow the specialist to discover, recover, and present as trial evidence an "erased" file may allow a scholar to reconstruct a lost or inadvertently deleted version of an electronic manuscript — and do so with enough confidence to stake reputation and career.

"Digital forensics therefore offers archivists, as well as an archive's patrons, new tools, new methodologies, and new capabilities. Yet as even this brief description must suggest, digital forensics does not affect archivists' practices solely at the level of procedures and tools. Its methods and outcomes raise important legal, ethical, and hermeneutical questions about the nature of the cultural record, the boundaries between public and private knowledge, and the roles and responsibilities of donor, archivist, and the public in a new technological era."

References

  1. Digital Forensics and Born-Digital Content in Cultural Heritage Collections, at 1.
  2. NICCS, Explore Terms: A Glossary of Common Cybersecurity Terminology (full-text).
  3. Id.
