When is Digital Evidence Forensically Sound?

  • Rodney McKemmish
Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT, volume 285)


“Forensically sound” is a term used extensively in the digital forensics community to qualify and, in some cases, to justify the use of a particular forensic technology or methodology. Indeed, many practitioners use the term when describing the capabilities of a particular piece of software or when describing a particular forensic analysis approach. Such a wide application of the term can only lead to confusion. This paper examines the various definitions of forensic computing (also called digital forensics) and identifies the common role that admissibility and evidentiary weight play. Using this common theme, the paper explores how the term “forensically sound” has been used and examines the drivers for using such a term. Finally, a definition of “forensically sound” is proposed and four criteria are provided for determining whether or not a digital forensic process may be considered to be “forensically sound.”


Keywords: Digital evidence, forensically sound evidence



Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Rodney McKemmish
    1. University of South Australia, Mawson Lakes, Australia
