Defining "computer forensics" is a more difficult task than it might first appear, partly due to some difficulty in defining what range of devices are referred to by the word "computer" but mostly due to issues raised by use of the term "forensics".

At one stage the "computer" in computer forensics was easily identified as a somewhat boxy device located in a dedicated computer room or under a desk (typically it would be a personal computer of the type first introduced in the late 1970s and early 1980s and now prevalent in almost every workplace and home).

In time, though, the range of devices which became subject to "computer forensic" investigation broadened to include other digital devices such as laptops, PDAs, mobile phones, printers, fax machines, tablet PCs and so on. As a result, some practitioners now prefer either to use more specialised terms such as "PDA forensics" or "mobile phone forensics" or to use a term such as "digital forensics" to include all digital devices.

Nevertheless, the phrase "computer forensics" is still commonly used and is usually taken to refer to the investigation of any kind of computing or digital device.

The word "forensic" is derived from the Latin "forensis", the literal meaning of which is "of the forum", the place where debates and legal disputes took place in ancient Rome. As such, "computer forensics" can properly be defined as the use of specialized techniques for the collection, preservation and analysis of electronic data with a view to presenting evidence in a court of law.

However, in recent years there has been a huge surge of interest in the forensic sciences both as a career choice and as a source of entertainment (in popular TV shows, for example), an unfortunate result of which has been that as the term "forensics" has passed into more popular parlance its original meaning has been lost. Forensics is now commonly accepted to refer only to the process of investigation, i.e. the act of finding something out, rather than being related to the workings of a court of law. As a result, the phrase "computer forensics" is often (incorrectly) used to refer to the processes and techniques employed to investigate the use of a computer regardless of whether or not there is any intention to present the findings in court.

The distinction is critical, however, because any investigation which aims to present digital evidence in court must be carried out in accordance with certain principles for the evidence to remain admissible (i.e. deemed reliable by the rules of evidence).

In the next section we will talk more about these underlying principles and what they mean for the computer forensic examiner.

--