
Digital Forensics History

Digital forensics has been around for about 40 years. Learn about its origins and how the industry developed into what it is today.

Early Developments

Digital forensics has been around for nearly 40 years. A relatively new discipline, digital forensics originated in the late 1970s when law enforcement saw a need to investigate financial fraud involving computers. These cases were rare, and the evidence was usually also available in non-digital forms. It was not until the 1980s that investigators began to encounter cases where evidence was only located and stored within computers.

These financial fraud cases involving computers resulted in the creation of the Association of Certified Fraud Examiners, which provided training programs for computer investigations. However, it wasn’t until 1991 that the term ‘computer forensics’ was coined by the International Association of Computer Specialists (IACIS). In addition to the Association of Certified Fraud Examiners, other organizations were emerging everywhere to help law enforcement better understand how to identify and fight these new types of crimes.

Increased Government Response — Alphabet Soup

Because criminals utilized rapidly evolving technologies to commit crimes, the government began creating new programs to keep up with criminal activity. In 1984, California enacted legislation to establish the Santa Clara County District Attorney’s High Technology Crime Prevention Program (DATTA). Two years later, the founders of DATTA formed the High Technology Crime Investigation Association (HTCIA) with the intent to provide law enforcement with additional resources and training in computer forensics. Over the next few years, the federal government and Department of Defense also established, or re-tasked, programs to help law enforcement combat computer crimes. Some of these programs included:

While similar in purpose, each of these agencies adopted different characteristics, training, and operations based on its organizational needs and philosophy, resulting in differences in policies and procedures. The Department of Defense’s central Defense Computer Forensic Laboratory (DCFL) was created to unify the resources of the DoD, making their services available to all branches of the military — supporting the military’s law enforcement, intelligence, and operational needs from one organization. In an effort to support local law enforcement, the FBI started building a constellation of joint federal, state, and local law enforcement laboratories dedicated to digital forensics, which were named Regional Computer Forensic Laboratories (RCFLs).

Because so much variation in policy and procedure was recognized as a problem, there was a push to create a standard that would go beyond mere principles and make digital forensics more like a laboratory discipline. This ultimately resulted in the creation of the Scientific Working Group on Digital Evidence (SWGDE) and the American Society of Crime Laboratory Directors – Laboratory Accreditation Board (ASCLD-LAB). The intent was that each laboratory providing digital examinations would provide its services to a geographic area and operate according to ASCLD-LAB standards.

In 2004, the FBI’s North Texas Regional Computer Forensic Laboratory became the first ASCLD-LAB-accredited digital forensic laboratory. Over time, a wide variety of non-law enforcement entities began providing digital examinations, including the private sector and traditional forensic laboratories.

Evolution of Forensic Tools

During the formative years of digital forensics, while programs and agencies underwent changes in methodology, so, too, did forensic tools undergo a transformation. The command line tools of the earlier era started increasing in complexity and began including more robust graphical user interfaces (GUIs).

The first of these new tools was Expert Witness for Macintosh, created by Andy Rosen of ASR Data. Guidance Software licensed the name ‘Expert Witness’ from Andy Rosen, and the product evolved over time into EnCase. EnCase, along with Forensic Toolkit (FTK), became commercial successes and are now recognized as standard forensic tools. Several U.S. Government agencies also took on the task of developing tools. The FBI’s Automated Case Examination System (ACES) and IRS’s iLook tool initially had some success; however, the private sector’s ability to rapidly adapt their products to keep up with technology eventually doomed these agency-developed tools to obsolescence.

Over the last decade, the open source community has recognized some of the problems with commercial software and has stepped in by developing open-source Linux tools such as Helix, Sleuth Kit, and Autopsy Browser. The digital forensic community has also undergone a developmental process, making more information and help available to those with access to these resources. Through hard-earned experience and the ever-changing face of technology, digital forensics has evolved into what it is today.