Talk:Digital forensics

From Wikipedia, the free encyclopedia
Good article: Digital forensics has been listed as one of the Engineering and technology good articles under the good article criteria. If you can improve it further, please do so. If it no longer meets these criteria, you can reassess it.

Article milestones

Date | Process | Result
September 15, 2010 | Peer review | Reviewed
November 22, 2010 | Good article nominee | Listed
February 7, 2011 | Peer review | Reviewed

Current status: Good article

Major Contribution Proposed

Dear Wikipedians: I run the Forensics Wiki at a URL that I cannot put here because apparently the XYZ domain is banned by Wikipedia, but it is at forensicswiki dot xyz. The wiki is getting too much for me, and I would like to move the articles over to Wikipedia. How do I get approval to do this? It's a lot of articles, and they are inconsistent in their quality. Simsong (talk) 03:11, 1 October 2022 (UTC)[reply]


Checklist

done I think :) --Errant [tmorton166] (chat!) 10:40, 13 September 2010 (UTC)[reply]

Points copied from peer review so I can check them off as I work on them:

  • Dablinks (toolbox on the right of this peer review page) shows a disambiguation link; please fix it. done, thanks
  • Checklinks say sciencedirect.com is down; the website says it is for maintenance. It's back up now but I will keep an eye on it

Lede

  • "Computer forensics, Network forensics, Database forensics and Mobile device forensics"
    Do these sub-branches need to have their first word capitalised? no, no particular reason for them to be, now made lower case, thanks

History

  • Listing a few common computer crimes to give readers an idea would be better than asking them to go to another article to read details they may not wish to know; it also helps to establish a readily associable context right at the start. done, added a paragraph on the development of computer crime (and laws) and listed some relevant crimes for context.
  • Why should we care about GL Palmer and M Reith's words on digital forensics (i.e. what are their qualifications to speak on this topic)? simply removed the direct reference to them, sourced as widely accepted

Investigative tools

  • Possibly describe how the old methods are done (live analysis on media)? Seems quite skimpy and inaccessible to the common person otherwise. rewrote/expanded to be a lot clearer

Digital evidence

  • "... authenticity of evidence."
    Any cases where authenticity has come into dispute? Illustrating one or two such cases could help beef this point up and make it clearer to the reader its weight in the matter.

Branches

  • Seems a bit bare bones here... I think giving a case study/example for each branch could help the reader readily identify which branch a digital crime would be investigated under. added examples to each one. Might still need some expansion once the sub articles are complete.

Sources

  • What makes the TechTarget site, a general IT media site, a reliable source for digital forensics? done, found a book citation

--Errant [tmorton166] (chat!) 10:33, 31 August 2010 (UTC)[reply]

References

The article was tagged "refimprove" - I don't think that this is accurate, the article is sourced from several books (some printed by academic presses), articles by forensics experts and several peer reviewed papers. There may be sections where referencing is light and I'd love to get feedback on where those areas are so I can improve them, however I do not think a general tag is specific enough. I'm active on the article so specific concerns would be great to hear :) --Errant [tmorton166] (chat!) 13:26, 25 September 2010 (UTC)[reply]

GA Review

This review is transcluded from Talk:Digital forensics/GA1. The edit link for this section can be used to add comments to the review.

Reviewer: TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 18:34, 7 November 2010 (UTC)[reply]

I am going to comment on this as I read through. Please respond line by line and I will strike issues as they are resolved.--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 03:17, 9 November 2010 (UTC)[reply]

I am not a computer science or information systems specialist. Neither am I a law enforcement or legal studies expert. Thus, I am a typical untrained reader of this subject. On initial review the second paragraph of the WP:LEAD is a bit abstract to me. I will reconsider this comment after reading the entire article.--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 03:17, 9 November 2010 (UTC)[reply]

  • A: Ok, I rejigged that paragraph. Moved the part you refer to down to the bottom of the 4th para (now 3rd paragraph) and expanded it slightly. Does it make more sense in that context? --Errant [tmorton166] (chat!) 09:53, 9 November 2010 (UTC)[reply]
History
  • "the Florida Computer Crimes Act legislated" is ungrammatical. A law does not legislate. The law was passed to regulate against . . .--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 03:17, 9 November 2010 (UTC)[reply]
    •  Done reworded --Errant [tmorton166] (chat!) 11:01, 9 November 2010 (UTC)[reply]
      • "the 1978 Florida Computer Crimes Act which included legislation protecting against the unauthorized modification or deletion of data on a computer system" is still wrong. Better as "the 1978 Florida Computer Crimes Act which included legislation for the unauthorized modification or deletion of data on a computer system"--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 03:41, 11 November 2010 (UTC)[reply]
        • Hmm, when I checked this morning it was using "for" as you suggest :D but on reflection that is factually inaccurate, so I changed it to "the 1978 Florida Computer Crimes Act which included legislation against the unauthorized modification or deletion of data on a computer system" is that what you meant? --Errant [tmorton166] (chat!) 10:03, 11 November 2010 (UTC)[reply]
  • "laws were brought in" should be laws were passed.--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 03:17, 9 November 2010 (UTC)[reply]
    •  Done fixed as suggested --Errant [tmorton166] (chat!) 11:01, 9 November 2010 (UTC)[reply]
  • "Canada being the first" Is an ambiguous referent. It refers back to the prior sentence, which does not refer to countries as subjects. X Canadian Law was the first or Canada was the first country.--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 03:17, 9 November 2010 (UTC)[reply]
    • A: reworded, might need more work though --Errant [tmorton166] (chat!) 11:01, 9 November 2010 (UTC)[reply]
      • It is still ungrammatical. Just make it two sentences.--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 03:41, 11 November 2010 (UTC)[reply]
        • Well, the grammar seemed fine (might be a British idiom again). But I did as you suggested :) --Errant [tmorton166] (chat!) 10:03, 11 November 2010 (UTC)[reply]
  • Link cyberspace--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 03:17, 9 November 2010 (UTC)[reply]
  • The contrast in this sentence is not clear: "Digital forensics evolved, during this time, from a number of ad-hoc tools and techniques rather than from the scientific community (in contrast to other forensic sciences)." It compares things to a group of people.--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 03:17, 9 November 2010 (UTC)[reply]
    •  Done Ok, reworded to In the 90s the science of digital forensics grew out of ad-hoc tools and techniques developed by practitioners. This is in contrast to other forensics disciplines, which grew out of work by the scientific community. - this hopefully makes it clearer --Errant [tmorton166] (chat!) 15:08, 9 November 2010 (UTC)[reply]
  • 90s should be 1990s, I believe.--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 03:41, 11 November 2010 (UTC)[reply]
    • Good point, I need to have a proper re-read of WP:MOSDATE again ;) tweaked that whole paragraph to make the wording flow better & corrected dates --Errant [tmorton166] (chat!) 10:03, 11 November 2010 (UTC)[reply]
Investigative tools
  • It seems like specialist should be specialised.--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 03:17, 9 November 2010 (UTC)[reply]
    •  Done specialist is a legit modifier, but it may be a British idiom. Changed to specialised. --Errant [tmorton166] (chat!) 11:01, 9 November 2010 (UTC)[reply]
  • Why are all the software tools in the Investigative tools section not linked? If they are notable, they should exist shouldn't they?--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 03:17, 9 November 2010 (UTC)[reply]
    • A: notability does not cover article content, they are significant tools (within the context of this article), but establishing notability for an article is generally a problem for these tools (for example EnCase is by far the de-facto standard Computer Forensics tool, it is the only one guaranteed to stand in court w/o problems, but as you can see the article is very light). As it is: I hope to fill in some of the links when I have the top level articles to GA standard. --Errant [tmorton166] (chat!) 09:44, 9 November 2010 (UTC)[reply]
Thanks for the feedback so far. I'm moving house this week, but will get through this as fast as I can. I gave feedback on your last point - and will make article modifications for the other points later :) --Errant [tmorton166] (chat!) 09:44, 9 November 2010 (UTC)[reply]
Uses
Digital evidence
Forensic Process

Are there some books you could use to beef up this article? At my local Borders (where I am sitting right now) the Computer Forensics for Dummies book is out of stock. I know there are other books you could use though.--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 22:44, 11 November 2010 (UTC)[reply]

Beef up... the content? or the sourcing? I can dig out some more books, unfortunately most of the books we use are reference manuals for various software so not really reliable - so I'll need to grab a few books from Amazon etc. (not a problem) --Errant [tmorton166] (chat!) 13:30, 12 November 2010 (UTC)[reply]
I was just hoping this would be a meatier article. It just seems a little light compared to some scientific GAs. I was hoping for more content.--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 05:43, 16 November 2010 (UTC)[reply]
It's a problem knowing how far to go. This is not really a science - it's a computing topic more than anything (i.e. a faux science, one of my main gripes with it :)). The other problem is where to go with the content; there are two main aspects to this, the technical aspect of actually digging for information, and the legal aspect of what you can do and where/how it is used. My outstanding plan for this whole field was to use Digital forensics as a starter/overview article (i.e. deal with the history, and then draw the other topics together in summary form) and then focus on the sub-topics individually one by one in their own article. To beef this up I suppose I could merge Digital forensic process, but am somewhat loath to do that because I can make that a pretty lengthy article when I get the time :). The part that could probably do with expansion is the history, so I will wait and see what I can pick out of the sources I have coming :) (btw, if you want to fail it for being light on content, no worries, it has been useful to get outside input!) --Errant [tmorton166] (chat!) 09:40, 16 November 2010 (UTC)[reply]
Let me think about this a while. I will be at Borders again this afternoon. I want to poke around there and then comment on use of sources. I will comment further this afternoon. Don't buy any books from Amazon to get a GA. WP is a free collaboration and you should not invest any more in it than you are paid for contributing to it.--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 13:37, 16 November 2010 (UTC)[reply]

Don't worry, any excuse to buy some more books.... ;) --Errant [tmorton166] (chat!) 14:15, 16 November 2010 (UTC)[reply]

I am sorry. I got caught up in something yesterday and did not get a chance to snoop around at Borders. I'll get back to you in a few days.--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 16:07, 17 November 2010 (UTC)[reply]
Don't worry, I won't be around for a few days either. Look forward to your comments :) --Errant [tmorton166] (chat!) 16:35, 17 November 2010 (UTC)[reply]
I have stepped back and looked at this fresh and feel it passes.--TonyTheTiger (T/C/BIO/WP:CHICAGO/WP:FOUR) 03:16, 22 November 2010 (UTC)[reply]

confusing of the base terms.

The proper hierarchy of sub fields should be:

Digital forensics:

  • Digital media forensics (traditionally called by the less precise name 'computer forensics').
  • Network forensics

The article seems to be rather confused and inconsistent about this. Pibara (talk) 20:18, 30 December 2010 (UTC)[reply]

Computer forensics was very much the original name back in the 80s :) so when someone says "computer forensics" they usually mean the whole shebang. If you'd stopped by a couple of months ago you'd have found Computer forensics as the main topic! This article, as an umbrella topic, is a fairly new addition. I have to confess that "Digital media forensics" is not a term I've ever seen used in a scholarly or professional context. We usually just use "computer forensics", even in white papers etc. Do you have any reliable sources discussing this? In addition practitioners/professionals quite particularly differentiate between mobile devices and computer devices; the process and guidelines relating to them share similarities but also significant differences, so we usually treat them as two separate sub-disciplines :) --Errant (chat!) 21:23, 30 December 2010 (UTC)[reply]

Sure, "computer forensics" was very much the original name back in the 80s, before there was such a thing as network forensics. Having done network forensics in the 90s when network forensics was first starting to become something tangible, to me it seems that network forensics has always been separate from computer forensics. So if you state that "computer forensics" ever was used to include even network forensics. As you state, practitioners/professionals quite particularly differentiate between mobile devices and computer devices, at least some of us do while others don't. That's why some of us do still include mobile devices when talking about "computer forensics" while others don't, making "computer forensics" a rather fuzzy term. As a result professionals sometimes talked about "computer forensics in the narrow sense" and "computer forensics in the broad sense". For this reason I believe that many now refer to "computer forensics in the broad sense" (that is including mobile devices but not including network forensics) as "digital media forensics". So basically the tree looks something like:

Digital forensics:

  • Computer forensics in the broad sense (aka digital media forensics)
    • Computer forensics (implicitly in the narrow sense)
    • Mobile forensics
  • Network forensics.

The flattened down version the article seems to propose would I guess look something like:

Digital forensics:

  • Computer forensics (implicitly in the narrow sense)
  • Mobile forensics
  • Network forensics

There are clearly two layers in the sub-field tree, ignoring these by flattening them like the article does IMHO is wrong. Possibly there is another academic term for "digital media forensics" or "computer forensics in the broad sense" that would be more suitable, and that is important to get right, but my main point is that the "flat" model of sub fields that this article proposes is simply wrong and not at all in sync with everyday usage of terminology. I hope this makes sense and hope that this can be corrected. Pibara (talk) 22:35, 30 December 2010 (UTC)[reply]

Well, most of the academic and professional literature (check the sources) is quite fastidious in identifying mobile device forensics as distinct. There is a whole separate class of tools, for example. The problem in defining these terms is, as you say, they are often used ambiguously. However most of the books identify computer forensics as the "old term" now used in a more specific sense and mobile device forensics as phone forensics. I don't think there is much sourcing or literature to suggest that digital media forensics is a widely used term (certainly :) I've never heard anyone use it). I mean; I'm in no way averse to creating a hierarchy as you suggest - but current work and practices don't (to me anyway) seem to hold it up. I'm also not entirely convinced that your proposal brings more clarity to the topic - it really just introduces another sub-heading.
Network forensics is, as you say, somewhat different. As I understand, it developed more out of the security side of things rather than the forensic. So, yeh, I doubt it was ever considered under the original "computer forensics". If you have experience in that area it would be great to get your input in that topic area and on the article. I can do the other stuff :) but never really touched Network forensics. Trying to find someone with knowledge in the area has been a pain. --Errant (chat!) 11:49, 31 December 2010 (UTC)[reply]

One of four?

Which are the "four categories" mentioned in the lead? The paragraph seems to list either just two, or five (including the examples of "sub-branches"). Ever wonder (talk) 17:02, 11 December 2011 (UTC)[reply]

Reading further in the article (and thinking a bit more on it), it seems clear that what is meant is the sub-branches of "computer forensics, network forensics, database forensics and mobile device forensics". However, the way it's written in the lead it's very easy to think the categories in question are "forensic investigation", "eDiscovery" and... what? Also, I realize now that this has been discussed before and that there might be more behind it than a simple formulation problem. I really think something must be changed to make it less confusing, but it should probably be done by someone with more knowledge of the subject than myself. Ever wonder (talk) 17:47, 11 December 2011 (UTC)[reply]
However, the way it's written in the lead it's very easy to think the categories in question are ; yes, these are the ones. As detailed in Digital forensics#Forms and uses the four forms are:
  • forensic analysis
  • intelligence gathering
  • eDiscovery
  • intrusion investigation
The sub-branches are four areas where the actual technical act of investigation requires different approaches and involves differing devices/media. I see what you mean about the prose - if I get chance I will tweak that lead section to more clearly delineate the four (as they are a bit wrapped up atm). --Errant (chat!) 18:52, 11 December 2011 (UTC)[reply]

External links modified

Hello fellow Wikipedians,

I have just modified 3 external links on Digital forensics. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:


Cheers.—InternetArchiveBot (Report bug) 16:41, 10 September 2017 (UTC)[reply]