The Consortium of Digital Forensic Specialists is compiling a list of the many definitions of digital forensics that exist in training slides, books, web postings, and other materials. The debate over the appropriate definition is the next and critical step in the growth of this profession. But it can only be achieved with discussion and consensus. Many different standards mean there is no standard at all. Similarly, many different definitions mean there is no definition at all.
So let's analyze what is out there. Let's look at what people use in their own training sessions or on the witness stand. And let's begin the discussion.
Please submit your definition of digital forensics (or computer forensics if that is a term you prefer or see in materials). Please be sure to include a citation to the definition. If you prefer to send off-list, you can send direct to chris.kelly@cdfs.org.
Thank you. We very much look forward to the debate.
Regards,
Chris Kelly
President, CDFS
Chris, there are many definitions that are mobile phone specific that are unlikely to be used with other fields for digital evidence, and of course we do have radio definitions too that are not transposed to other digital fields.
> Please submit your definition of digital forensics (or computer forensics if that is a term you prefer or see in materials). Please be sure to include a citation to the definition.
I'm afraid I've never seen a definition of computer forensics that I agree with – just as I have never seen a printed definition of computer security (or information security) that I believe comes close to the crux of the matter.
So I won't pass on any definition I don't really find useful. Instead I'll try to list what I think such a definition should contain. Something along these lines:
* Computer forensics must be a forensic *science.* That means an obligation to base the study on a scientific basis, both theoretically and practically.
* The subarea of *computer* forensics must in the same way be based on special knowledge of computers and information technology, and computer and IT systems, from the nuts and bolts, to common standards of computer or IT-system management. (Added: include communication systems there, as well.)
(This is based on the observation that it takes something like 8-10 years of study to become a forensic pathologist. Even if it only takes 4-5 years of study to become a computer forensic specialist, there is still a body of knowledge that has to be obtained.)
(The term 'computer science' is not a good one to use, as it covers more theoretical areas that are of little relevance here. Many years ago the term 'plexology' was suggested as a term to indicate 'the study of complex computer structures', but it died a fairly quick and well-deserved death.)
* (I'm sure something similar needs to be said about the purely *forensic* part – knowledge of applicable laws, best practice, ethical standards, … etc. But I don't clearly see that this part will be much different from what surely already is said for forensic pathology, etc.)
–
It shouldn't be necessary to say that the field is neutral – no bias towards prosecution or defense – though it might be necessary to explain it somewhere.
And as one of the goals (presumably) is to raise the field to a similar level as the other forensic fields of study – which don't require a PI license to practice – a definition should probably not go against the definitions of those fields.
That's an ideal picture, though – it doesn't say where computer forensics is today, though it may say where it could be tomorrow, if everything was perfect. Just what balance to strike between an idealistic definition and a practical one is something I'm sure needs to be discussed.
Note that *digital* forensics may need a different approach for definition. 'Digital' is not a known field of scientific study like pathology, osteology, psychology, and other classical forensic sciences – but it is more like a mode of information format (cf. analog vs. digital), and brings along another set of connotations. (I still regard the term 'digital forensics' to be a weak attempt to avoid the use of 'computer forensics', which also is a pretty weak term. And I don't see clearly that analog methods are not needed.)
A slightly better term would perhaps be ICT forensics, as it does away with the strong connections with computers. (ICT = Information and Communication Technology). It's probably not practical to use, however.
Okay, I'm a little punchy, but I know you're the president of CDFS and all. If you weren't, then this post would be like any other #1 post person coming in asking for help with their homework.
I just find it strange that you come to a forum asking for definition help; is not the CDFS membership capable of collecting resources?
> Note that *digital* forensics may need a different approach for definition. 'Digital' is not a known field of scientific study like pathology, osteology, psychology, and other classical forensic sciences – but it is more like a mode of information format (cf. analog vs. digital), and brings along another set of connotations. (I still regard the term 'digital forensics' to be a weak attempt to avoid the use of 'computer forensics', which also is a pretty weak term. And I don't see clearly that analog methods are not needed.)
In RF terms (e.g. GSM etc.) the waveform is still analogue in nature anyway, so I agree with you, athulin. I suspect, in defence of the use of analogue (forensics), its relevance may be considered to ring true, too, when making a study of keypad vis-a-vis touch screen or ADCs/DACs etc.
> A slightly better term would perhaps be ICT forensics, as it does away with the strong connections with computers. (ICT = Information and Communication Technology). It's probably not practical to use, however.
You could also say the same about 'cybercrime', as it attempts to avoid being technology specific and moves towards being technology neutral so it covers everything; which may impact on it being labelled 'specious' down the line.
> > A slightly better term would perhaps be ICT forensics, as it does away with the strong connections with computers. (ICT = Information and Communication Technology). It's probably not practical to use, however.
> You could also say the same about 'cybercrime', as it attempts to avoid being technology specific and moves towards being technology neutral so it covers everything; which may impact on it being labelled 'specious' down the line.
ICT Forensics is a mouthful but is better than the term 'cybercrime', of which I have a personal dislike bordering on the irrational. First, 'cyber' is very much a term of its day, which was the mid-to-late 1990s. It's now pretty much obsolete in general use. Second, 'crime' – hardly any of the cases I and many others work on in this field involve crime, so it's far too narrow a definition.
> Okay, I'm a little punchy, but I know you're the president of CDFS and all. If you weren't, then this post would be like any other #1 post person coming in asking for help with their homework.
> I just find it strange that you come to a forum asking for definition help; is not the CDFS membership capable of collecting resources?
We are doing just that. And have collected many. But we are interested in the views and thoughts of professionals outside our membership as well. Thus the interest in compiling as many resources as possible.
It seems to me that the 'Forensic' part of the terminology in many cases is taken far too lightly.
The OED defines Forensic as:
> Pertaining to, connected with, or used in courts of law; suitable or analogous to pleadings in court. forensic medicine n. medicine in its relations to law; medical jurisprudence.
If the activity you are doing is not ultimately destined for the courts, then it isn't forensics you are involved in; it's probably security. For example, if you are doing malware analysis with the intention of finding out how the malware operated etc. and the intention is to mitigate further attacks on a system or systems, then this isn't forensics. If the intention is to prosecute the person who promulgated the malware or seek damages, then this IS forensics.
Too many people are jumping on the 'forensics' bandwagon (probably because it sounds an impressive title) without engaging in forensics at all.
Paul
OK, I agree with you that the term 'Forensic' is often taken far too lightly, but I cannot agree that the term is owned by those who undertake criminal investigations.
I don't doubt the OED entry, but as we all know the OED is slow to adapt to the changes in use of language, and speaking personally I would say that the word has a wider meaning today. Specifically, the application of scientific methods and techniques to an investigation.
Surely the adoption of the use of a higher degree of rigor in all investigation is a good thing? Should the subject of an internal investigation within an organisation not expect the same level of skill applied to their case even if it is not criminal in nature?
Am I a forensic investigator? Yes. Does my work end up in court? No, not for the most part. Do I do things differently for investigations which go to court and those that don't? Certainly not.
> OK, I agree with you that the term 'Forensic' is often taken far too lightly, but I cannot agree that the term is owned by those who undertake criminal investigations.
I kinda knew that this might cause controversy. In 7 years of undertaking forensic analysis of computer systems I have given evidence in anger just once. I am due to attend for the second time the week after next.
Notwithstanding this state of affairs, every single case I undertake (around 2,100 to date) is (from the point where I take the case on) destined for the courts; in my case this is the criminal court, but I didn't specify this in my post above. I am quite happy for the definition to include civil courts and even tribunals so long as it lies within jurisprudence.
Would you consider the scientist studying the H1N1 Bird flu virus to be a forensic scientist? The medical profession don't – such a person is a scientist, pure and simple. In the computer arena, however, people undertaking this kind of work call themselves 'forensic' scientists. I was just questioning this state of affairs.
The OED is not Wikipedia; it is a venerable publication and its failure to move with the times is an advantage. If you have a proper lexical argument to make to them, then please apply to have the definition changed.
Paul