Session1 - Intro To Digital Forensics


M812A: DIGITAL FORENSICS - A
Session 1: Introduction to Forensic Sciences
LEARNING OUTCOMES

After studying this week, you will be able to:

• Explain the origins of forensic science.
• Explain the difference between scientific conclusions and legal decision-making.
• Explain the role of digital forensics and the relationship of digital forensics to traditional forensic science, traditional science, and the appropriate use of scientific methods.
• Outline a range of situations where digital forensics may be applicable.
1 INTRODUCTION TO FORENSIC SCIENCE

• Digital forensics is an exciting area, often glamorized in films and television shows like CSI, NCIS and Spooks.
• Topics that might be encompassed by the term ‘digital forensics and investigations’:
  • computer forensics
  • forensic computing
  • forensic science
  • network forensics
  • ICT forensics
  • forensic investigations
  • digital investigations
  • business continuity
  • incident response
  • computer policing
  • high-tech crime investigation
  • computer security
  • incident management
  • cloud security.
2 WHAT IS FORENSIC SCIENCE?

“Forensic science is the application of science to matters of law”. (Higher Education Academy, 2010)

• ‘Science’: the scientific method and how it might apply both generally and in terms of a specific investigation.
• ‘Forensic’: how courts make their decisions.
• Scientific fact-finding and decision-making vs. legal fact-finding and decision-making.
• The two are very different in: a) how forensic investigators generate evidence for use in court; b) the cultures and expectations of each; c) their impact and how each is likely to affect the lives of others.



2.1 SCIENCE, THE SCIENTIFIC METHOD AND SCIENTIFIC LAWS

• The aim of science is to produce explanations, in the form of rules or laws, for what we see around us. For example, objects dropped from a high point will always fall at the same rate (assuming the same air resistance), and that rate can be described by a scientific formula.
• We can also say that this is part of a more general phenomenon known as gravity and that we can produce broader explanations which, among other things, show why the earth orbits the sun in a particular way and that the sun in turn has positional relationships with other stellar bodies.
• Scientific laws have universality and repeatability: if we have carried out the exercise properly, we can now predict what will happen for all activities within that range of the phenomenon, and anyone else will be able to do the same.
• Typically we are able to derive a scientific law by:
  1. Initial observation (H0)
  2. Provisional hypothesis which explains what is being observed (Hp)
  3. Means of testing the hypothesis
  4. Testing the hypothesis: the experiment
  5. Examining the results of the testing to see that they conform with expectations
  6. Saying that the hypothesis is now a scientific law that holds good for a given range of the phenomenon
• This process is known as the scientific method. The end result of the application of the scientific method is a scientific law.
Issues that impact on scientific advances:

• It is not unusual for H0 to be wrong. For example, if H0 is misconceived, a new, more reliable hypothesis may be produced.
• Testing: Experimental activities must be carefully designed to test the precise hypothesis and nothing else. Controls are usually needed to examine and isolate observations of changes under various conditions.
• Real-life formulation: Once the researcher is satisfied with the test results, they may be published in an appropriate scientific journal, thereby adding to the pool of scientific knowledge. Before publication takes place, the work will be peer-reviewed for flaws (and originality).
Forensic science uses the scientific method too, but we need to distinguish between at least
two instances of it:
1. the discoveries of phenomena that we can put rules to and that appear to have a value
within an investigation that might end in legal proceedings (such as particular qualities
of fingerprints and DNA)
2. the development and proper use in the relevant instances of specialist tools and
standard operating procedures based on the above.
3. Arguably there is also a third instance: when a forensic technician examines a specific
item of evidence and reports the findings. This must be ‘scientific’ to the extent that it is
repeatable by others. In criminal law procedure, the repeatability should be accessible
to an expert instructed by the defense.
2.2 FORENSIC SCIENTISTS

1. Forensic Pathology: determine the cause of death by examining a corpse. A post mortem is performed by a medical examiner, usually during the investigation of criminal law cases and civil law cases in some jurisdictions.

• Case study: Cora Turner, 1910

CASE STUDY: CORA TURNER

• In 1910, Cora disappeared, and Dr. Crippen claimed that she had left for America with Bruce Miller, an actor who was one of Cora's lovers. The police believed the story until Crippen fled to Belgium, which prompted them to investigate the Doctor's house for signs of Cora.
• The search of Crippen's house yielded the remains of a human body. It was found buried under the basement floor, and contained no bones, only organs and various pieces of flesh.
2. Forensic DNA: the use of biological science to identify individuals by their DNA profile, using genetic samples such as blood, semen and saliva.

• Case study: Colin Pitchfork, rape and murder, 1986. First case solved by DNA testing.
3. Forensic Engineering: the investigation of accidents involving vehicle, aircraft, fire, electrical or metal fatigue by applying engineering principles to solve how they were caused.

• Case study: TWA Flight 800
  • Mid-air explosion of flight TWA 800 from New York’s Kennedy Airport to Paris, France, on July 17, 1996.
  • The metallurgical investigation of the Flight TWA 800 explosion concluded that mechanical failure, not a missile or bomb, was the cause of the catastrophic event.
4. Digital Forensics: area of forensics in which professionals analyse and gather data from a computer or other form of digital media.

• Case studies:
  • BTK Killer, serial killer: "Bind, Torture, Kill"
  • Michelle Theer
  • Matt Baker
CASE STUDY: BTK KILLER

• First case solved using digital forensics
• Dennis Rader killed 10 people, sending police taunting notes after the incidents
• In 2004, Rader sent police a note in the form of a document stored on a floppy disk
• Examiners utilized EnCase to analyze the disk and found the metadata belonging to the document Rader sent
• The clue that led police to Rader was the name Dennis within the metadata as well as the location where it was modified
• The FBI and police traced Rader to Christ Lutheran Church, where the document was modified
• They located Rader and arrested him

Eight of Dennis Rader's 10 murder victims. The two not shown were children aged 9 and 11.
CASE STUDY: MICHELLE THEER

• December 17, 2000: John Diamond killed Marty Theer
• The defense claimed there was no evidence linking Diamond to the murder
• Digital evidence confirmed a relationship between Michelle Theer (Marty’s wife) and Diamond.
• A ton of emails and messages sent between one another confirmed that they were involved in a sexual relationship
• Their messages confirmed that they conspired to kill Marty

(Image caption: Killer couple)
CASE STUDY: MATT BAKER

• Matt Baker, a Baptist preacher, was convicted of the murder of his wife and was sentenced to imprisonment for 65 years.
• In 2006, his wife had apparently committed suicide by overdosing on sleeping pills.
• The suicide was confirmed based on the suicide note left by his wife.
• Later, analysis of the search history on Baker’s computer found that he had searched for “overdosing on sleeping pills” and had also visited several pharmaceutical websites prior to his wife’s death.
5. Forensic Toxicology: the detection, identification and quantification of drugs, other poisons or toxins in body tissues and fluid, including blood.

• Case study: Nicholas Odze, 2010. The death of a 4-year-old boy whose mother gave him a prescription sedative to help him sleep has been ruled a homicide.
6. Forensic Dentistry: use of information through examination of teeth and dental prostheses to assist in identifying human remains and evaluating bite marks.

7. Forensic Anthropology: the study of human beings in relation to their physical character. The specialist answers questions on gender, age, ethnicity, stature, nutritional status, existence of disease processes, and the presence and character of skeletal trauma.
• Pioneers of forensic science:

Alphonse Bertillon (1853–1914)
• French police officer and a biometrics researcher
• Identified criminals based on physical measurements
• ‘Les empreintes digitales’ (1912) on the uniqueness of 16 ridge points on fingerprints to identify people.
August Vollmer (1876–1955)
• Chief of police and the lead figure in the development of the field of criminal justice in the USA.
• System of fingerprinting and handwriting evidence, the use of polygraph and the application of forensic science to investigations.
Dr Edmund Locard (1877–1966)
• French criminalist
• Microscopic examination of clothing and other physical evidence could reveal information about the history of the wearer
• Locard’s Exchange Principle: ‘every contact leaves a trace’
LOCARD’S EXCHANGE PRINCIPLE
• Wherever he steps, whatever he touches, whatever he leaves – even unconsciously – will serve as silent evidence against him. Not only his fingerprints and his shoeprints, but also his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects – all these and more bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong; it cannot perjure itself; it cannot be wholly absent. Only in its interpretation can there be error. Only human failure to find, study, and understand it can diminish its value.
• Silent Witness (1996–), which takes its name from Locard’s Exchange Principle, is one of many recent TV series to include forensics as a major plot element.
• Although professionals usually advise the script writers, the portrayal of forensics in these series is often adjusted for dramatic effect and gives the general public a distorted view of the field (cf. the CSI effect).
• Wherever two surfaces come into contact, a transfer of minutiae, however slight, occurs.
LOCARD’S EXCHANGE PRINCIPLE: DISCUSSION
• Based on your current understanding of the various types of digital evidence, how far do you think Locard’s Exchange Principle can be made to apply in a digital crime scene?
• Locard’s Exchange Principle applied to digital evidence: most events involving a computer leave some trace of the behaviour. A log of every action is recorded somewhere, whether the action is email passing through, the act of logging into a computer or visiting a web page.
• The more difficult thing to verify is who committed a given act, since the use of a password does not guarantee that the password holder is the person typing it.
2.3 CASE STUDY: THE SHIRLEY MCKIE STORY
• Crime: on 6 January 1997, the body of Marion Ross was found in her home in Kilmarnock. David Asbury, a handyman who had once worked on the Ross house, developed as a suspect.
• Evidence:
  1. A fingerprint found on a box in Asbury’s home was reported to be that of Ross by examiners at the Scottish Criminal Records Office (SCRO).
  2. A fingerprint found on the gift tag on an unopened present inside the Ross home was reported by the SCRO to be that of Asbury.
  3. Of the unidentified fingerprints from the Ross home, the SCRO reported one to have been identified as Constable McKie’s.
• FACTS:
  1. Shirley McKie was charged with perjury after testifying at David Asbury’s murder trial that she had not been in the victim’s house, where her thumbprint was supposedly found.
  2. The SCRO produced four fingerprint experts who certified that the thumbprint definitely belonged to McKie.
  3. Two American fingerprinting experts endorsed the view that the thumbprint did not belong to her.
  4. There were 171 certifications from 18 different countries that the thumbprint did not belong to McKie.
(Figure panels: latent print, known print)

• The fingerprint evidence in the Asbury case was thrown into doubt when Detective Constable McKie testified that she had not been inside the Ross home, in spite of the “fact” that her fingerprint had been identified there. This concerned the same four SCRO experts.
• The main concern with the entire issue was not only about its effect on McKie’s career, but also about the accuracy of the Scottish Criminal Record Office’s earlier assertions.
• A civil trial against the Scottish Executive was due to be heard in early 2006. On the morning of the trial, the Executive offered McKie a settlement of £750,000 without admitting liability. She accepted the offer and the trial did not go ahead.
• Following the end of legal proceedings, the Scottish Parliament held an inquiry during 2006, which identified fundamental weaknesses in the Scottish fingerprinting service. Before the inquiry reported, the Scottish Criminal Record Office offered early retirement to four of its fingerprint officers, three of whom accepted the offer. The officer who refused early retirement was subsequently sacked, but later won a case for unfair dismissal.
Public inquiry in 2009:
1. Blamed human error and inadequate procedures for the misidentification of McKie’s thumbprint. It found no evidence of a conspiracy by the police against McKie, nor did it find any weaknesses in the theory of identification using fingerprints.
2. Warned that practitioners and fact-finders alike are required to give due consideration to the limits of the discipline.
3. Said ‘fingerprint evidence should be recognised as opinion evidence, not fact’.

• Shirley McKie received a full personal apology from Strathclyde Police Chief Constable Stephen House in April 2012, more than 14 years after the murder of Marion Ross. Ross’s murder has never been solved.
Based on your current knowledge of digital forensics, what lessons do you think the McKie case has for digital forensic investigations?

Digital evidence can only show what a computer did, not what a person did, and the conclusions of a digital forensics investigator need to distinguish clearly between facts and opinion. It is also important to know what your assumptions are based on.
In the McKie case, the fingerprint experts assumed that Bertillon’s claim about 16 ridge points making a print unique was true, but it turned out not to be.
FINGERPRINT DETECTION EXAMPLE
• A fingerprint was found at a crime scene. John Doe is considered a suspect for this crime. Naturally, the investigators will check if the fingerprint at the crime scene matches his fingerprint.
• The fingerprint recognition system has a false positive probability of Pfp = 0.15. In other words, if the fingerprint corresponds to a person other than John Doe, there is a 15% chance (or 0.15 probability) that the system will associate it with John Doe.
• In addition, the fingerprint recognition system has a false negative probability of Pfn = 0.005. In other words, if the fingerprint corresponds to John Doe, there is a 0.5% chance (or 0.005 probability) that the system will not detect the match.
• What can you say about the accuracy of this system, concerning the false positive and false negative probabilities?
  • The false positive probability is too high. There is a risk of accusing John Doe whereas the fingerprint might belong to someone else.
  • The false negative probability Pfn is more than an order of magnitude lower than Pfp. If the fingerprint belongs to John Doe, there is a 0.5% chance (or 0.005 probability) that the system will not detect him.
• If John Doe committed the crime, what is the chance of considering him innocent based on the fingerprint detection system?
  • If he committed the crime, the chance of considering him innocent is Pfn = 0.005 or 0.5%.
• If John Doe did not commit the crime, what is the chance of considering him guilty based on the fingerprint detection system?
  • If he did not commit the crime, the chance of considering him guilty is Pfp = 0.15 or 15%.
• If the fingerprinting system associated the fingerprint at the crime scene with John Doe, there is a 15% chance that this person is innocent.
  • This can be considered reasonable doubt, and the implication of John Doe in the crime should not be decided based on the fingerprint matching alone.
  • Other evidence and information (motive, relation with the victim, witnesses confirming presence near the crime scene, etc.) are needed in conjunction with the fingerprint matching result in order to reach a decision.
• If the fingerprinting system did not associate the fingerprint at the crime scene with John Doe, there is a 99.5% chance that this person is innocent and 0.5% chance that he is guilty.
  • John Doe can be set free, unless there is extremely strong other evidence that contradicts the finding of the fingerprint detection system.
3 THE ROLE OF THE FORENSIC SCIENTIST IN LAW
3.1 Legal decision-making

• The relationship between a ‘finding’ by a forensic scientist and the decision of the court. Put bluntly: if a forensic scientist were to state in evidence that there is a probability of 1 in 1 million that a DNA sample found at a scene of crime matches the DNA profile of an accused, then would the court be bound to accept his finding?
• Case study: R v Adams [1996]. What position does the court take regarding Adams and the statistical value of evidence?
CASE STUDY R V ADAMS [1996] FACTS
A rape victim described her attacker as in his twenties. A suspect, Denis Adams,
was arrested and an identity parade was arranged. The woman failed to pick
him out, and on being asked if he fitted her description replied in the negative.
She had described a man in his twenties and when asked how old Adams
looked, she replied about forty. Adams was 37; he had an alibi for the night in
question, his girlfriend saying he had spent the night with her. The DNA was the
only incriminating evidence heard by the jury, as all the other evidence pointed
towards innocence.

• Crime: Rape
• Suspect: Denis Adams, 37 years old
• Evidence: DNA
CASE STUDY R V ADAMS [1996] JUDGEMENT
Use of Bayesian analysis in the court
• The DNA profile of the suspect fitted that of evidence left at the scene. The match probability is 1 in 20 million.

Statistical analysis of DNA

• The only evidence against Adams was the DNA evidence. His age was substantially different from that reported by the victim, the victim did not identify him and he had an alibi which was never disproved.
Court of Appeal guidelines:
• Suppose the match probability is 1 in 20 million. That means that in Britain (60 million) there will be on average about 2 or 3 people, and certainly no more than 6 or 7, whose DNA matches that found at the crime scene, in addition to the accused.
• Now your job, as a member of the jury, is to decide on the basis of the other evidence, whether or not you are satisfied that it is the person on trial who is guilty, rather than one of the few other people with matching DNA. We don’t know anything about the other matching people. They are likely to be distributed all across the country and may have been nowhere near the crime scene at the time of the crime. Others may be ruled out as being the wrong sex or the wrong age group.
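
The fingerprint error rates (Pfp, Pfn) and the R v Adams match probability are both conditional probabilities of an observation, and the added example below (not part of the original slides) carries them through Bayes' theorem to show how the result depends on the weight of the other evidence. The prior probabilities and the Poisson model for the number of other matching people are assumptions made for illustration.

```python
from math import exp, factorial


def posterior(prior: float, p_obs_if_source: float, p_obs_if_not: float) -> float:
    """Bayes' theorem: P(suspect is the source | observation)."""
    num = prior * p_obs_if_source
    return num / (num + (1.0 - prior) * p_obs_if_not)


def expected_other_matches(population: int, match_probability: float) -> float:
    """Mean number of people other than the accused who would also match."""
    return (population - 1) * match_probability


def prob_at_most(k: int, mean: float) -> float:
    """P(N <= k), modelling the number of other matches N as Poisson(mean)."""
    return sum(exp(-mean) * mean**i / factorial(i) for i in range(k + 1))


# --- Fingerprint example: error rates taken from the slides ---
P_FP = 0.15   # P(system reports John Doe | print is someone else's)
P_FN = 0.005  # P(system reports no match | print is John Doe's)


def fingerprint_posteriors(prior: float) -> dict:
    """P(print is John Doe's) after a reported match and after a non-match.

    `prior` is an assumption: the probability that the print is his, based on
    everything known before the fingerprint system is consulted.
    """
    return {
        "after_match": posterior(prior, 1.0 - P_FN, P_FP),
        "after_no_match": posterior(prior, P_FN, 1.0 - P_FP),
    }


# --- R v Adams: figures taken from the Court of Appeal guideline ---
POPULATION = 60_000_000
MATCH_PROBABILITY = 1 / 20_000_000


def adams_summary() -> dict:
    mean_others = expected_other_matches(POPULATION, MATCH_PROBABILITY)
    return {
        "expected_other_matches": mean_others,
        "p_no_more_than_7_others": prob_at_most(7, mean_others),
        # Assumed prior: with no other evidence, every person in the
        # population is equally likely to be the source of the sample.
        "posterior_uniform_prior": posterior(1 / POPULATION, 1.0, MATCH_PROBABILITY),
    }


if __name__ == "__main__":
    for prior in (0.5, 0.1, 0.01):
        result = fingerprint_posteriors(prior)
        print(f"prior={prior:<5} after match={result['after_match']:.3f} "
              f"after no match={result['after_no_match']:.5f}")
    for key, value in adams_summary().items():
        print(f"{key}: {value:.4f}")
```

With the uniform prior the DNA match alone leaves the accused as one of about four equally likely candidates, which is why the guideline directs the jury to the other evidence.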
CASE STUDY R V ADAMS [1996] THE ROLE OF THE COURT

• Scientists and the courts have entirely different functions.
  1. Scientists: try to produce a universal explanation using a set of procedures, which are capable of replication and testing.
  2. Court: adjudicate on specific issues between the parties, or in the criminal courts, determine whether the prosecution has shown on the basis of evidence presented and accepted to a sufficient standard that a specific, identified crime has been committed.
• It is fundamental to the operation of the courts that once a court reaches its decision, that decision is final. This is true unless there are profound and obvious grounds for appeal.
3.3 CONTRASTING SCIENTIFIC CONCLUSIONS WITH COURT JUDGMENTS

A trial process is not an enquiry into the truth or into hypothetical issues; it is testing
various versions of relevant evidence to see whether ‘on the balance of probabilities’
(in civil cases) or the higher standard of ‘beyond a reasonable doubt’ (in criminal
matters) it is possible to reach a particular decision for that set of circumstances.
Application to digital forensics investigation

In the case of unauthorised access to a computer, the court isn’t asking a
generalised question along the lines of: ‘where a computer disk’s directory says
that a file was first created, does it always mean that this is the date on which
the file first appeared on that hard disk?’
Rather, the court is trying to decide if a party has made unauthorised access to a computer, contrary to Section 1 of the Computer Misuse Act 1990. To prove this has indeed happened, there is a set of tests, each of which must be satisfied, before the court can be satisfied that a person has had unauthorised access to a computer.
The tests must show that:
1. a computer was involved
2. it was accessed
3. it was accessed by the accused
4. such access was unauthorised
5. at the time of the offence the accused knew that the access was
unauthorised.
You will explore this more fully in Block 2 when you consider how the courts
define and accept experts and expert evidence, the duties of experts and the
role of ‘opinion evidence’.
4 THE ROLE OF DIGITAL FORENSICS

Digital forensics is a branch of forensic science and is recognised as such by most courts. One definition from the first Digital Forensic Research Workshop (DFRWS) is:

The use of scientifically derived and proven methods toward the preservation,
collection, validation, identification, analysis, interpretation, documentation and
presentation of digital evidence derived from digital sources for the purpose of
facilitating or furthering the reconstruction of events found to be criminal, or
helping to anticipate unauthorized actions shown to be disruptive to planned
operations.
(Palmer, 2001, p. 16)
4.1 THE DIGITAL FORENSIC PROCESS

1. Identification – the first stage identifies potential sources of relevant evidence/information (devices) as well as key custodians and location of data.

2. Preservation – the process of preserving relevant electronically stored information (ESI) by protecting the crime or incident scene, capturing visual images of the scene and documenting all relevant information about the evidence and how it was acquired.

3. Collection – collecting digital information that may be relevant to the investigation. Collection may involve removing the electronic device(s) from the crime or incident scene and then imaging, copying or printing out its (their) content.
4. Analysis – an in-depth systematic search of evidence relating to the incident being investigated. The outputs of examination are data objects found in the collected information; they may include system- and user-generated files. Analysis aims to draw conclusions based on the evidence found.

5. Reporting – firstly, reports are based on proven techniques and methodology and secondly, other competent forensic examiners should be able to duplicate and reproduce the same results.
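
One way the preservation, collection and reporting stages can be made checkable by a second examiner, as an added example that is not part of the original slides: the image is hashed at collection, each custody entry is chained to the previous one, and verification re-derives both. The use of SHA-256, the log layout and all names are assumptions, and the evidence file is constructed sample data.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first custody entry


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def _entry_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record(log: list, stage: str, examiner: str, image_path: str) -> dict:
    """Append a custody entry chained to the previous entry's hash."""
    body = {
        "stage": stage,
        "examiner": examiner,
        "item": os.path.basename(image_path),
        "sha256": sha256_file(image_path),
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry = dict(body, entry_hash=_entry_hash(body))
    log.append(entry)
    return entry


def collect(source_path: str, image_path: str, log: list, examiner: str) -> None:
    """Collection: image the source, confirm the copy is bit-identical, log it."""
    source_hash = sha256_file(source_path)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
    os.chmod(image_path, 0o444)  # analysis works on a read-only image
    if sha256_file(image_path) != source_hash:
        raise ValueError("image does not match source")
    record(log, "collection", examiner, image_path)


def verify(log: list, image_path: str) -> tuple:
    """Reporting: a second examiner re-derives (log_intact, image_intact)."""
    prev, log_ok = GENESIS, True
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or _entry_hash(body) != entry["entry_hash"]:
            log_ok = False
            break
        prev = entry["entry_hash"]
    image_ok = bool(log) and sha256_file(image_path) == log[0]["sha256"]
    return log_ok, image_ok


def demo() -> dict:
    """Run the workflow on constructed data, then show both failure modes."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "device.bin")
        image = os.path.join(workdir, "device.img")
        with open(source, "wb") as fh:
            fh.write(b"constructed sample evidence\n" * 1000)
        log = []
        collect(source, image, log, "examiner-A")
        record(log, "analysis", "examiner-B", image)
        results = {"untouched": verify(log, image)}
        os.chmod(image, 0o644)
        with open(image, "r+b") as fh:  # alter one byte of the image
            fh.seek(10)
            fh.write(b"X")
        results["image_altered"] = verify(log, image)
        log[0]["examiner"] = "someone-else"  # edit the log after the fact
        results["log_edited"] = verify(log, image)
    return results


if __name__ == "__main__":
    print(demo())
```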
4.2 A BRIEF HISTORY OF DIGITAL FORENSICS

• Digital forensics was commonly termed ‘computer forensics’.
• The first computer forensic technicians were law enforcement officers who were also computer hobbyists.
  • In the USA: FBI Computer Analysis and Response Team (CART).
  • In the UK: computer crime unit under John Austen, Fraud Squad.
• A major change took place at the beginning of the 1990s. Investigators and technical support operatives within the UK law enforcement agencies, along with outside specialists, realised that digital forensics (as with other fields) required standard techniques, protocols and procedures.
• A series of conferences, initially convened by the Serious Fraud Office and the Inland Revenue, took place at the Police Staff College at Bramshill in 1994 and 1995, during which the modern British digital forensic methodology was established.
• In the UK in 1998 the Association of Chief Police Officers (ACPO) produced the first version of its Good Practice Guide for Digital Evidence (Association of Chief Police Officers, 2012). The ACPO guidelines detail the main principles applicable to all digital forensics for law enforcement in the UK.
• As the science of digital forensics has matured, these guidelines and best practice have slowly evolved into standards and the field has come under the auspices of the Forensic Science Regulator in the UK. Examples:
  • ISO/IEC 27037:2012 Guidelines for identification, collection, acquisition and preservation of digital evidence
  • ISO/IEC 27041 Assurance for digital evidence investigation methods
  • ISO/IEC 27042 Guidelines for the analysis and interpretation of digital evidence
  • ISO/IEC 27043 Incident investigation principles and processes.


4.3 DIFFERENT TYPES OF DIGITAL FORENSICS

• Computer Forensics: Identification, preservation, collection, analysis and reporting on evidence found on computers, laptops and storage media in support of investigations and legal proceedings.
• Network Forensics: Monitoring, capture, storing and analysis of network activities or events in order to discover the source of security attacks, intrusions or other problem incidents, i.e. worms, virus or malware attacks, abnormal network traffic and security breaches.
• Mobile Devices Forensics: Recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.
• Digital Image Forensics: Extraction and analysis of digitally acquired photographic images to validate their authenticity by recovering the metadata of the image file to ascertain its history.
• Digital Video/Audio Forensics: Collection, analysis and evaluation of sound and video recordings. The science is the establishment of authenticity as to whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
• Memory Forensics: Recovery of evidence from the RAM of a running computer, also called live acquisition.
In practice, there are exceptions that blur this classification, because the grouping used by a provider is dictated by staff skill sets:
• Tablets or smartphones without SIM cards could be considered computers.
• Memory cards are often found in smartphones and tablets, so they could be considered under mobile forensics or computer forensics.
• Tablets with keyboards could be considered laptops and fit under computer or mobile forensics.
• The science of digital forensics has a seemingly limitless future and as technology advances, the field will continue to expand as new types of digital data are created by new devices logging people’s activity. Although digital forensics began outside the mainstream of forensic science, it is now fully absorbed and recognised as a branch of forensic science.
SUMMARY

• Both forensics (in general) and digital forensics (in particular) encompass a wide range of distinct disciplines.
• You have learned something of the history of forensics from the 19th century onwards and seen how many of the principles laid down by early investigators can be applied to modern technologies.
• A clear distinction between scientific investigations for research purposes and forensic investigations using scientific methods has been made. Scientific research is always subject to revision, whereas forensic investigations should produce a clear-cut result, with any limitations on that result made clear to a court.
