Digital forensics (computer forensics) is a very new field. But as a whole forensics is a new field, scarcely 100 years old.

Other forensics rely on scientific results that are often well established and old. Not much of forensics rely on quantum mechanics. Guy who tried to argue he wasn’t speeding due to red shifting not withstanding…

However, digital forensics rely on information theory and science. Which is brand new (Shannon’s faous paper on information theory was written in 1948) and poorly understood, and doesn’t follow many physical laws. It’s more or less pure mathematics as far as we’re concerned.

It’s bloody hard! And note that the traditional forensics specialities have gotten it wrong an embarassing number of times, and they have it “easy”.

Forensics readiness

Wouldn’t it be a good idea to make sure you could do forensics before the problem has happened? Yes, we call that forensics readiness.

J. Tan (2001) has insightfully noted the two objectives of digital forensics readiness:

• Maximizing the usefulness of incident evidence data.
• Minimizing the cost of forensics during an incident response.

Problems

Reliability of evidence. Often unprepared organizations do stuff that destroys the value of the evidence. IT-support fixes the problem” before anyone can gather any evidence.

When it’s collected its handled poorly:

• Chain of custody
• Only the “important” stuff is saved, so there’s (exculpatory) evidence missing
• Evidence integrity is compromised (disks mounted r/w etc…) so that is can’t be relied on.

Factors in industry:

Legal aspects. What are you even allowed to do? How long should you keep data? How long are you allowed to keep data? International complications.