Advancing the Science of Digital Forensics

0018-9162/12/$31.00 © 2012 IEEE Published by the IEEE Computer Society DECEMBER 2012 25 rough equivalent of today’s file allocation table (FAT) or $Bitmap. A consultant systems programmer came in to show us how to recover the files by reconstructing the VTOC based upon the prior morning’s routine printout of the hard drive contents (yes, we made such a printout every day or two). Since we couldn’t use the computer without overwriting the files in what was now, essentially, unallocated space and had no PC-class systems at the time, we did the hex conversions by hand—on paper. It took us three days to reconstruct the VTOC and get back online. That was the beginning of the computer forensics process and that was our environment: using a hex editor to get down to the bare metal of the hard drive and file system. And that’s how it was for most of the next 15 years—hackers (when the term was implicitly White Hat and, indeed, noble, before Black Hat hackers hijacked the term) with an interest in investigations, most often in the law enforcement community, building rudimentary tools for use in looking deep into the computer and its file system. By the late 1990s, computer science departments began taking serious notice of computer forensics, and academic programs in digital forensics were introduced in the early 2000s. And yet, it was not until 2009 that the American Academy of Forensic Sciences adopted digital forensics as a science. Forensic sciences are largely based on Locard’s exchange principle: every contact leaves a trace—if one D igital forensics combines methods from science, technology, and engineering to acquire and interpret information stored on digital devices for use in answering questions in court. Of course, these same methods allow for the acquisition of data for use in many contexts outside the courtroom, such as pure and applied research, policy enforcement, information security incident response, and intelligence gathering.