The personal computer boom introduced new problems into
the world of investigation: the sheer volume of data,
the ability to change data and the ability to hide or
delete data.
When computing was made available to everyone, this
included the criminal fraternity. It was apparent
from the outset that specialist technical knowledge
was needed to investigate this new technology, and
thus the art of Forensic Computer Examination was
born.
At first, the only method available to the investigator
was to obtain a backup of the files on a disk, restore
those files to another disk and go through them one
at a time. Many early backup packages used the simple
imaging method, but by the mid-1980s this was being
replaced by software which allowed the user to back up
and restore selected files.
This was a leap forward as far as the user was concerned,
but presented a problem for investigators. Selective
backup operates at the file system level and consequently
does not copy free and slack space (known as residual
data). This is not satisfactory when the investigator
is looking for a deleted file. The next step was to
examine the original media with a disk editor.
Many hours have been spent with a disk editor going
through each sector of the original disk, only to
be met at the end of the day with the allegation that the
investigator has somehow tampered with the original
media.
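
The gap between a selective (file-level) backup and an image, as described above, shown on a toy volume. This is an added example, not part of the original text; the ToyVolume class, the 32-byte cluster size and the file contents are all constructed for illustration.

```python
CLUSTER = 32  # bytes per cluster in this toy volume (assumed value)

class ToyVolume:
    """Constructed model: raw clusters plus a directory of live files."""
    def __init__(self, clusters=4):
        self.disk = bytearray(CLUSTER * clusters)
        self.directory = {}                  # name -> (cluster numbers, length)
        self.free = list(range(clusters))

    def write(self, name, data):
        needed = -(-len(data) // CLUSTER)    # ceiling division
        used = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(used):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the file's own bytes are written; the rest of the
            # cluster keeps whatever was there before (slack space).
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.directory[name] = (used, len(data))

    def delete(self, name):
        used, _ = self.directory.pop(name)   # entry removed, data left on disk
        self.free = sorted(self.free + used)

    def selective_backup(self):
        """File-system-level copy: contents of live files only."""
        out = {}
        for name, (used, length) in self.directory.items():
            raw = b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER]) for c in used)
            out[name] = raw[:length]
        return out

    def image(self):
        """Sector-by-sector copy: every byte, allocated or not."""
        return bytes(self.disk)

def demo():
    vol = ToyVolume()
    vol.write("ledger.txt", b"PAYMENT TO ACCT 0000 (constructed sample) " + b"X" * 10)
    vol.delete("ledger.txt")
    vol.write("memo.txt", b"lunch at noon")  # reuses the first freed cluster
    return vol.selective_backup(), vol.image()

if __name__ == "__main__":
    backup, img = demo()
    print("selective backup:", backup)
    print("image           :", img)
```

The selective backup returns only memo.txt, while the image still holds fragments of the deleted ledger.txt in the slack after memo.txt and in the free cluster that follows it.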