Digital Investigation Techniques: A NIST Scientific Foundation Review
James R. Lyle, Barbara Guttman, John Butler, Kelly Sauerwein, Christina Reed, Corrine Lloyd
This document is an assessment of the scientific foundations of digital forensics. We examined descriptions of digital investigation techniques from peer-reviewed sources, academic and classroom materials, technical guidance from professional organizations, and independently published sources. Digital investigation techniques are based on established computer science methods and, when used appropriately, are considered reliable. The process of evaluating, for example, the contents of a computer hard drive does not create information that was not there before the investigation started. However, because the field is rapidly changing, there are limitations that practitioners and stakeholders need to be aware of: (1) as with any crime scene, not all evidence may be discovered; (2) when recovering deleted files, the results may include extraneous material; (3) examiners need to understand that as software (operating systems and applications) is revised, the meaning and significance of digital artifacts created by the software can change over time.
Lyle, J., Guttman, B., Butler, J., Sauerwein, K., Reed, C. and Lloyd, C., Digital Investigation Techniques: A NIST Scientific Foundation Review, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.8354, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=935497
(Accessed December 7, 2023)