2 BACKGROUND
The term "Computer Forensics" was coined back in 1991 in the first training session held by the International Association of Computer Investigation Specialists (IACIS) in Portland, Oregon [5]. This science deals with the preservation, identification, extraction and documentation of computer evidence, and like any other forensic science, relates law and science.
In this day and age, the majority of correspondence is not paper based. Even when hardcopies of information are distributed, the probability that a soft copy still exists on the author's computer is very high. As previously suggested in the introduction, if the author is found to be, or suspected of, distributing sensitive information, then forensic tools will be used to examine the author's machine. As described by Sommer [14], acquiring a copy (image) of a disk would be the first essential step in evidence preservation. However, with standard hard disk capacities of 80GB and increasing storage media sizes, the imaging and examination processes will inevitably take longer. This is the basis for CFSs' worries concerning increasing storage capacities.
With some crimes occurring between countries, dates and times become relevant to an investigation. As a result, the ability to associate a suspect with a crime through date and time evidence is a current field of study. Boyd and Forster [16] tell of an investigation that began when an e-mail trace identified an individual suspected of involvement in the communication of child abuse images. The investigation proceeded with the police obtaining a warrant to seize the suspect's computer equipment. The police and prosecution service then planned their case study while the defence made use of a CFS to comment on the digital evidence. When the defence presented their report to the prosecution, it contained a number of allegations of malpractice by the police. Apparently, the seized computer was used while in police custody. This would inevitably tamper with the digital evidence by compromising the integrity of the data. This example illustrates how important an investigation methodology is, and how a CFS should be involved whenever evidence is digital. It also shows how the improper handling of evidence could affect time and date stamps [16] and hence cause forensic tools to report inaccurate details of evidence.
Conversations with seasoned practitioners suggest that digital forensic practice is in a period of redefinition [15]. It no longer has to be associated with the examination of "conventional" storage media. Forensic examination can now be conducted on devices such as routers, personal digital assistants (PDAs) and digital cameras [4, 15]. With these developments, current forensic tools need to adapt to the changing environment or new tools need to be developed. Ultimately, forensic techniques and tools need to be found to keep CFSs ahead of the criminals who are seeking to hide from the digital forensic community pursuing them [15].
In order to have a better understanding of computer forensic tools, some CF terms and concepts are discussed below.