The widespread adoption of personal computers beginning in the early 1980s led to the need for computer forensics. Digital forensics began as computer forensics in the mid 1980s with the creation of the Federal Bureau of Investigation’s Magnetic Media Program. In this chapter, we give a brief overview of the rise of the personal computer and the creation of computer forensics. We also look at how computer forensics became digital forensics and provide an introduction into what digital forensics is.

Digital forensics is the application of forensic science to electronic evidence in a legal matter.

While there are many different subdisciplines and many types of devices, communication, and storage methods around today, the basic tenets of digital forensics apply to all of them.

These tenets encompass four areas:

Each of these areas includes specific forensic processes and procedures.

In the early days of personal computing, there were no networks accessible to the general public, and very limited storage options. The original personal computers to reach an audience outside of the pure hobbyist realm were the IBM Personal Computer, the Apple computer, the Commodore PET, and the Tandy TRS-80.

However, big businesses were still using mainframe computers and dumb terminals for their business applications such as word processing and financial tracking. This would soon change.

The IBM PC, introduced in 1981, would eventually become the de facto standard for all personal computers, resulting in the term “IBM compatible.” With the introduction of Lotus 1-2-3, a financial spreadsheet program, IBM personal computers began to make inroads into the corporate computing world, driven by the desire of financial managers to have the ability to create electronic spreadsheets. Lotus 1-2-3 became the “super app” that drove sales of IBM personal computers and had a huge impact on the growth of the personal computer industry. As the demand for personal computers grew, companies like Compaq began to produce “IBM clones,” making inroads into the market dominated by IBM. To combat this, IBM introduced Micro Channel Architecture (MCA) in an effort to force companies to purchase IBM parts in order to be compatible. However, the effort failed, and IBM soon returned to building personal computers using a common architecture based on industry standards.

Today, all computer hardware is based on well-known industry standards. The computing platform chosen by consumers today is driven more by aesthetics and specific software preferences than any proprietary hardware platform. However, the dominance of the Microsoft operating system on corporate desktops has resulted in the majority of businesses choosing Microsoft Windows for compatibility with the vast number of vertical market software applications built on the Microsoft Windows platform. Vertical market software is software created for a specific group of users, such as a loan management software application, a document management application, or an automotive shop management application.

Today these applications have been extended beyond the personal computer to portable devices. The popularity of smart phones and pad computers like the Apple iPad and Motorola Xoom has revolutionized the way people work with business documents and e-mail in what amounts to a handheld portable office.

In 1984, the FBI created the Magnetic Media Program, which initially only handled three cases in its first year. The Magnetic Media Program later became the FBI Computer Analysis and Response Team (CART) program. At the end of 2009, the FBI had fourteen Regional Computer Forensic Labs (RCFLs) in operation, with two more under construction.

In addition to the FBI CART program, there are other law enforcement programs in operation today that deal with computer forensics. One example is the Internet Crimes Against Children (ICAC) task force, which trains local and federal law enforcement agents to investigate Internet predators and perform computer forensics. Another is Operation Fairplay, a program that provides software and trains law enforcement agents to investigate peer-to-peer file sharing for child pornography cases.

In recent years, there has been an explosion of growth in computer forensics in the private sector as well. This is primarily driven by electronic discovery in civil suits and internal investigations into employee conduct, and the prevention of data loss by internal and external agents. In addition, companies must protect their customers’ private data stored on their servers by maintaining constant vigilance against attacks both from within and outside the organization. A breach by hackers into a corporate network poses a great financial and reputation risk to any company that is a victim of such an attack. A case recently in the news was the attack on Sony’s PlayStation Network and their other major gaming network maintained by Sony Online Entertainment. In this case, the private information of millions of subscribers to these game networks was stolen, putting this information at risk of being used for nefarious purposes by the hackers who breached these networks.

As technology has progressed, the field of computer forensics has been forced to expand to cover other types of electronic data, created by a myriad of devices.

Originally, computer forensics examiners only had to be concerned with what evidence might reside on a single computer or floppy disk. With the advent of networked personal computers, and especially with the connection of those networked computers to the outside world, and to each other over the Internet, the field of network forensics or incident response has grown to be the largest area of digital forensics. Network forensics is the process of figuring out how a network has been attacked, stopping the attack, and attempting to locate the attacker. The incident response team that performs the network forensics will examine routers, firewalls, server logs, and other data to attempt to remediate and prosecute network intrusions. Governments and corporations spend billions of dollars each year attempting to protect networks from outside intruders, and when that fails, remediating the damage done when someone breaches a network and causes damage or steals information. As more devices have come online, new areas of digital forensics have also come online, such as cell phone forensics. It is no longer possible to look at a piece of electronic evidence in isolation, where the assumption is that the sum total of the data resides in one place, on a single computer or floppy disk.

With the war on terror, there has been a tremendous increase in demand for trained computer forensics personnel in the military who are able to properly seize and analyze computer data in the field and in the lab.

The tremendous growth of the Internet has also increased the demand for trained network and computer forensics personnel to assist in responding to attacks on corporate and government networks, cyber-warfare, and cyber-defense activities.

In this chapter, we learned a brief history of the personal computer, computer forensics, and the transformation of computer forensics into digital forensics. We also looked at what digital forensics is and introduced the four areas of digital forensics: acquisition, preservation, analysis, and reporting.