This document is an assessment of the current scientific foundations of digital forensics. We examined descriptions of digital investigation techniques from peer-reviewed sources, academic and classroom materials, technical guidance from professional organizations, and independently published sources. Digital investigation techniques are based on established computer science methods and when used appropriately are considered reliable. The process of evaluating, for example, the contents of a computer hard drive does not create information that was not there before the investigation started. However, because the field is rapidly changing, there are limitations that practitioners and stakeholders need to be aware of: (1) as with any crime scene not all evidence may be discovered; (2) when recovering deleted files, the results may include extraneous material; (3) examiners need to understand that as software (operating systems and applications) is revised the meaning and significance of digital artifacts created by different versions of the software can be different. In addition, because there are often multiple ways to search for information, two examiners may find different subsets of all potentially relevant information. The methods used in digital investigations are often not peer-reviewed in a formal process, but trustworthiness is established by members of the digital forensic community trying out proposed methods, testing, and circulating updates within the community. This process strengthens an examiner’s awareness of the capabilities and limitations of their techniques.
