One of the byproducts of the growth of information technology has been the proliferation of the ‘computer criminal.’ Forensic evidence at a crime scene, once limited to physical items and attributes (carpet fibers, tool marks) and biological matter (hair, blood, fingerprints), now often includes information stored or processed by computer technology, which is commonly referred to as digital evidence. From a legal perspective the term evidence is tightly intertwined with the term “forensics.” Forensics is defined as the application of science to answer questions of interest in the legal system.
In 1999, the Scientific Working Group on Digital Evidence (www.swgde.org) defined digital evidence as: “Information of probative value stored or transmitted in binary form.” The term probative refers to the fact that the information in question is logically related to a court case or a legal question. This further implies that a crime, criminal or civil, has been (ostensibly) committed. Thus, if a crime has not been committed, there is no digital evidence.
What are examples of digital evidence? Typical examples of digital evidence that come to mind include common application files (word processing, spreadsheets, etc.), graphical files, audio and video recordings, server logs, and application executables. These are the ‘obvious examples.’ Computer technology has morphed into a variety of form factors, resulting in less obvious examples of computerized devices with the capability of storing and processing digital information, including event data records (EDRs, also called ‘black boxes’) in automobiles and airplanes, GPS devices, game consoles (Burke & Craiger, 2006; Conrad, Marberry, Rodriquez, & Craiger, 2009), media players, and numerous other devices. New devices are created every day, and by the time this chapter is published, there will be dozens of new ones on the market. Chances are, from the time you get up in the morning to the time you go to bed, you are surrounded by technology capable of processing and storing digital information (and if a crime is committed, digital evidence).