cally sound copy is examined for saved computer files with probative value. These so-called logical files often are pictures, documents, spreadsheets, and e-mail files that have been saved by the user in various folders or directories. Logical files are patent evidence. Next, the forensic copy is examined for files that have previously been deleted. The computer files are sometimes called physical, because the data are physically present on the hard drive but they are not logically available to the computer operating system. Such files constitute latent evidence.

Finally, system files that are created and saved by the operating system are examined. These files are analogous to a surveillance tape that shows programs that were running on the computer and files that were changed. The goal of most of these examinations is to find files with probative information and to discover information about when and how these files came to be on the computer.140

Digital evidence has undergone a rapid maturation process. This discipline did not start in forensic laboratories. Instead, computers taken as evidence were studied by police officers and detectives who had some interest or expertise in computers. Over the past 10 years, this process has become more routine and subject to the rigors and expectations of other fields of forensic science. Three holdover challenges remain: (1) the digital evidence community does not have an agreed certification program or list of qualifications for digital forensic examiners; (2) some agencies still treat the examination of digital evidence as an investigative rather than a forensic activity; and (3) there is wide variability in and uncertainty about the education, experience, and training of those practicing this discipline.

A publication of the Department of Justice Computer Crime and Intellectual Property Section, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations,141 describes the challenging legal issues surrounding the examination of digital evidence. For example, sometimes the courts have viewed computers as a piece of evidence that is sent to a laboratory for forensic examination, and as having no special legal constraints, while other times, the courts have viewed computers as a virtual room or filing cabinet.142 For the latter cases, a warrant must be


See E. Casey. 2004. Digital Evidence and Computer Crime. San Diego, CA: Academic Press; E. Casey. 2001. Handbook of Computer Crime Investigation: Forensic Tools & Technology. San Diego, CA: Academic Press; B. Carrier. 2005. File System Forensic Analysis. Boston: Addison-Wesley; S. Anson and S. Bunting. 2007. Mastering Windows Network Forensics and Investigation. Indianapolis: Sybex; and H. Carvey and D. Kleiman. 2007. Windows Forensic Analysis. Burlington: Syngress.


Available at


See, e.g., G.R. McLain, Jr., 2007. United States v. Hill: A new rule, but no clarity for the rules governing computer searches and seizures. George Mason Law Review 14(4):1071-1104; D. Regensburger, B. Bytes, and B. Bonds. 2007. An exploration of the law concerning

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement