ABSTRACT

In this chapter we will examine the concepts of forensic computer science as they apply to an investigation of one or more computer security events (see the next section for the distinctions among events, incidents, and crimes). As in most of the forensic sciences, we do not expect our forensic examination to be the sole source of the solution to an event. We do, of course, expect that the evidence we collect will contribute to the overall solution. With that in mind, let us begin with a very important concept: we must learn to develop the facts of an event to fit the evidence.