Finding the theory behind a practical science
Digital forensics has become a practical skill used by Law Enforcement Officers and IT professionals. It has evolved into a science involving experts and education at many levels. What is the theory behind this practical science and does it exist already?
Most forensic sciences started out as the practical application of elements of a science. For example, DNA evidence made use of the study of genetics, determining whether a substance found is illegal is a matter of chemistry, and determining time of death is a matter of biology. Digital forensics is no different from other forensic sciences in this respect. Computer science lies at the root of digital forensics, however practitioners from law enforcement (not scientists) use to aid in capturing criminals. This practical application of computer science is mostly void of theoretical foundation. This will develop over the course of the years, as it has with criminalistics. However, according to Peisert, Bishop and Marzullo (2008), the lack of theoretical foundation has an impact on the assumptions made about digital evidence and the accuracy of this kind of evidence.
Theoretical process model
The theoretical foundation that does exist is mostly derived from the theory behind criminalistics. Carrier and Spafford (2003) for instance have tried to establish a process model for digital forensics using the existing theory and techniques of physical investigations. Rather than devising a whole new process model, the connection with the physical models has to be made because nowadays computer or other digital evidence is likely to be part of almost every crime investigation. In fact, the FBI states that digital evidence is a part of almost all criminal investigations. Carrier and Spafford propose a process model that is analogous to the process model for the physical crime scene. In their view, computer evidence is a whole new crime scene and not just another piece of evidence. This is logical considering that computer evidence can contain multiple pieces of evidence on one physical computer.
Cyber Exchange Principle
Another element of theory taken from criminalistics is the Locard Exchange principle. This principle is attributed to Edmond Locard (1877-1966) and states ‘every contact leaves a trace’ (Broeders, 2003). Although this is probably not exactly what Locard (1923) said, this principle is most likely derived from one of his papers. This principle has been discussed and adapted in order to also apply it to digital forensics. Zatyko (2012) discussed the Locard principle by breaking the principle into its parts: Are there two items?; Is there contact?; Is there an exchange of material? He concluded that the principle is in fact adaptable to the world of cybercrime with the warning that these traces are not physical but most likely digital and investigation of the contents of computers or networks is required.
It is efforts like that of Zatyko, Carrier and Spafford that will help further the much-needed theoretical foundations in digital forensics and will eventually give it real scientific value. What do you think would be an important next step in the theory behind digital forensics? Please leave your answer in the comments!