IT Security Outsourced IT

Computer Forensics

What are Computer Forensics?

Computer forensics, also known as digital forensics, computer forensic science, or cyber forensics, combines legal forensics and computer science to gather digital evidence in such a way that it is admissible in a court of law. Computer forensics is closely related to cybersecurity. Computer forensics findings can help cybersecurity teams speed cyberthreat detection and resolution and can help to prevent future cyberattacks. Digital forensics and incident response (DFIR), integrate computer forensics and incident response activities to accelerate remediation of cyberthreats, while ensuring that any related digital evidence is not compromised.

The four main steps to computer forensics are as follows1:

  1. Device identification. Identify the devices or storage media that might contain data, metadata, or other digital artifacts that may be relevant to the investigation. The devices are collected and placed in a secure facility or forensics lab to follow correct protocol to ensure proper data recovery.
  2. Data preservation. Forensic experts create an image, or bit-for-bit copy, of the data to be preserved and then they safely store both the image and the original to protect them from being altered or destroyed. Experts collect two kinds of data: persistent data, stored on a device’s local hard drive, and volatile data, located in memory or in transit (e.g., registries, cache, and RAM).
  3. Forensic analysis. Forensics investigators analyze the image to identify relevant digital evidence. This might include intentionally or unintentionally deleted files, internet browsing history, emails, and more. To uncover “hidden” data or metadata others might miss, investigators use specialized techniques including live analysis, which evaluates still-running systems for volatile data, and reverse steganography, which exposes data hidden using steganography, a technique for concealing sensitive information within ordinary-seeming messages.
  4. Reporting. Forensic experts create a formal report outlining their analysis and share the investigation findings and any conclusions or recommendations. These reports are often used to present digital evidence in a court of law.

Use cases for digital forensics include:

  • Corporate security. Organizations often use computer forensics following a cyberattack, in order to identify what happened and remediate any security vulnerabilities.
  • Criminal investigations. Law enforcement agencies and computer forensics specialists can use computer forensics to solve computer-related crimes such as cyberbullying, identity theft, or hacking, as well as crimes in the physical world, such as robbery and murder.
  • Civil litigation. Investigators can also use computer forensics in civil litigation cases, such as fraud, employment disputes, and divorce cases.
  • Intellectual property protection. Computer forensics can help law enforcement officials investigate intellectual property theft, such as stealing trade secrets or copyrighted material.
  • National security. Computer forensics has been used by governments and law agencies following cyberattacks, in order to uncover evidence and address security vulnerabilities.

1 IBM, 2023, “What is computer forensics?”