Computer forensics (also known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing, and presenting facts and opinions about the digital information. Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail. Evidence from computer forensics investigations is usually subjected to the same guidelines and practices as other digital evidence. It has been used in a number of high-profile cases and is accepted as reliable within U.S. and European court systems.


Overview

In the early 1980s, personal computers became more accessible to consumers, leading to their increased use in criminal activity (for example, to help commit fraud). At the same time, several new "computer crimes" were recognized (such as cracking). The discipline of computer forensics emerged during this time as a method to recover and investigate digital evidence for use in court. Since then, computer crime and computer-related crime have grown, with the FBI reporting a suspected 791,790 internet crimes in 2020, a 69% increase over the number reported in 2019. Today, computer forensics is used to investigate a wide variety of crimes, including child pornography, fraud, espionage, cyberstalking, murder, and rape. The discipline also features in civil proceedings as a form of information gathering (e.g., electronic discovery). Forensic techniques and expert knowledge are used to explain the current state of a ''digital artifact'', such as a computer system, a storage medium (e.g., a hard disk or CD-ROM), or an electronic document (e.g., an email message or JPEG image). The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events. In a 2002 book, ''Computer Forensics'', authors Kruse and Heiser define computer forensics as involving "the preservation, identification, extraction, documentation and interpretation of computer data". They describe the discipline as "more of an art than a science," indicating that forensic methodology relies on flexibility and extensive domain knowledge. However, while several methods can be used to extract evidence from a given computer, the strategies used by law enforcement are fairly rigid and lack the flexibility found in the civilian world.


Cybersecurity

Computer forensics is often confused with cybersecurity. Cybersecurity focuses on prevention and protection, while computer forensics is reactive and investigative, involving activities such as tracking and exposing intrusions. System security usually encompasses two teams, cybersecurity and computer forensics, which work together: the cybersecurity team creates systems and programs to protect data, and if these fail, the computer forensics team recovers the data and investigates the intrusion and theft. Both areas require knowledge of computer science.


Computer-related crimes

Computer forensics is used to convict those involved in physical and digital crimes. Some of these computer-related crimes include interruption, interception, copyright infringement, and fabrication. ''Interruption'' relates to the destruction and theft of computer parts and digital files. ''Interception'' is the unauthorized access of files and information stored on technological devices. ''Copyright infringement'' refers to using, reproducing, and distributing copyrighted information, including software piracy. ''Fabrication'' involves false data and information being inserted into a system through an unauthorized source and attributed to someone else. Examples of interception include the Bank NSP case, the Sony.Sambandh.com case, and business email compromise scams.


Use as evidence

In court, computer forensic evidence is subject to the usual requirements for digital evidence: the information must be authentic, reliably obtained, and admissible. Different countries have specific guidelines and practices for evidence recovery. In the United Kingdom, examiners often follow Association of Chief Police Officers (ACPO) guidelines that help ensure the authenticity and integrity of evidence. While voluntary, the guidelines are widely accepted in British courts. Computer forensics has been used as evidence in criminal law since the mid-1980s. Some notable examples include:

* BTK Killer: Dennis Rader was convicted of a string of serial killings over sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk. Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church," helping lead to Rader's arrest.
* Joseph Edward Duncan: A spreadsheet recovered from Duncan's computer contained evidence showing him planning his crimes. Prosecutors used this to demonstrate premeditation and secure the death penalty.
* Sharon Lopatka: Hundreds of emails on Lopatka's computer led investigators to her killer, Robert Glass.
* Corcoran Group: In this case, computer forensics confirmed parties' duties to preserve digital evidence when litigation had commenced or was reasonably anticipated. Hard drives were analyzed; although the expert found no evidence of deletion, other evidence showed that the defendants had intentionally destroyed emails.
* Dr. Conrad Murray: Michael Jackson's doctor was convicted partly on digital evidence, including medical documentation showing lethal amounts of propofol.
* Mark Twitchell: Also known as the "Dexter Killer," Twitchell was convicted with the help of a deleted document recovered from his laptop titled "SKConfessions." This file, which detailed his criminal activities, served as a key piece of evidence in the case.


Forensic process

Computer forensic investigations typically follow the standard digital forensic process, consisting of four phases: acquisition, examination, analysis, and reporting. Investigations are usually performed on static data (i.e., acquired images) rather than "live" systems. This differs from early forensic practices, when a lack of specialized tools often required investigators to work on live data.


Computer forensics lab

The computer forensics lab is a secure environment where electronic data can be preserved, managed, and accessed under controlled conditions, minimizing the risk of damage or alteration to the evidence. Forensic examiners are provided with the resources necessary to extract meaningful data from the devices they examine.


Techniques

Various techniques are used in computer forensic investigations, including:

* Cross-drive analysis: This technique correlates information found on multiple hard drives and can be used to identify social networks or detect anomalies.
* Live analysis: The examination of computers from within the operating system using forensic or existing sysadmin tools to extract evidence. This technique is particularly useful for dealing with encrypting file systems where encryption keys can be retrieved, or for imaging the logical hard drive volume (a live acquisition) before shutting down the computer. Live analysis is also beneficial when examining networked systems or cloud-based devices that cannot be accessed physically.
* Deleted files: A common forensic technique involves recovering deleted files. Most operating systems and file systems do not erase the physical file data on deletion, allowing investigators to reconstruct it from the physical disk sectors. Forensic software can "carve" files by searching for known file headers and reconstructing the deleted data.
* Stochastic forensics: This method leverages the stochastic properties of a system to investigate activities that leave no traditional digital artifacts, often useful in cases of data theft.
* Steganography: Steganography involves concealing data within another file, such as hiding illegal content within an image. Forensic investigators detect steganography by comparing a file's hash against that of the known original, since any embedded data changes the hash value of the file.
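As an added example (not code from the article or any tool it names), the following Python sketch carves files from a constructed raw image by matching known header and footer bytes as described above, treats a header with no footer before the next header as a truncated file rather than stitching two files together, and records SHA-256 hashes of the image and each carved file for the examination's audit trail. The signature table, sample image and function names are constructed for illustration; the JPEG and PNG magic bytes are the standard ones.

```python
"""Signature-based file carving over a raw image, with integrity hashes for the audit trail."""
import hashlib

# Header/footer magic bytes for two common formats (constructed subset; real
# carvers ship much larger signature tables).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def sha256_hex(data: bytes) -> str:
    """Hash used to record image and artefact integrity in the examination notes."""
    return hashlib.sha256(data).hexdigest()


def carve(image: bytes, signatures=SIGNATURES):
    """Scan raw sectors for header/footer pairs, ignoring file-system metadata.

    Returns (carved, truncated): carved is a list of (kind, offset, data);
    truncated lists (kind, offset) for headers with no footer before the next
    header of the same kind, i.e. files partially overwritten on disk.
    """
    carved, truncated = [], []
    for kind, (header, footer) in signatures.items():
        start = image.find(header)
        while start != -1:
            body_from = start + len(header)
            end = image.find(footer, body_from)
            nxt = image.find(header, body_from)
            if end == -1 or (nxt != -1 and nxt < end):
                # Footer missing or belongs to a later file: do not stitch the
                # two together; record the fragment and move on.
                truncated.append((kind, start))
                start = nxt
                continue
            end += len(footer)
            carved.append((kind, start, image[start:end]))
            start = image.find(header, end)
    carved.sort(key=lambda item: item[1])
    truncated.sort(key=lambda item: item[1])
    return carved, truncated


def build_sample_image() -> bytes:
    """Constructed 683-byte image: slack, a PNG, unallocated junk, a truncated
    JPEG, zeroed sectors, then an intact JPEG."""
    png = SIGNATURES["png"][0] + b"\x00" * 16 + SIGNATURES["png"][1]
    truncated_jpeg = b"\xff\xd8\xff\xe1" + b"\x22" * 8
    jpeg = b"\xff\xd8\xff\xe0JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"
    return (b"\x00" * 512 + png + b"\xaa" * 64 + truncated_jpeg
            + b"\x00" * 32 + jpeg)


def carve_with_audit(image: bytes) -> dict:
    """Carve a working copy and record hashes so the report can show the
    image was not altered and each recovered file can be re-verified."""
    before = sha256_hex(image)
    carved, truncated = carve(image)
    return {
        "image_sha256": before,
        "image_unchanged": sha256_hex(image) == before,
        "files": [(kind, off, len(data), sha256_hex(data)) for kind, off, data in carved],
        "truncated": truncated,
    }


if __name__ == "__main__":
    for key, value in carve_with_audit(build_sample_image()).items():
        print(key, value)
```

On the constructed image the carver recovers the PNG at offset 512 and the intact JPEG at offset 652, and lists the fragment at offset 608 as truncated instead of merging it with the later JPEG's footer.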


Mobile device forensics

* Phone logs: Phone companies typically retain logs of received calls, which can help create timelines and establish suspects' locations at the time of a crime.
* Contacts: Contact lists are useful in narrowing down suspects based on their connections to the victim.
* Text messages: Text messages contain timestamps and remain on company servers, often indefinitely, even if deleted from the device. These records are valuable evidence for reconstructing communication between individuals.
* Photos: Photos can provide critical evidence, supporting or disproving alibis by showing the location and time they were taken.
* Audio recordings: Some victims may have recorded pivotal moments, capturing details like the attacker's voice, which could provide crucial evidence.


Volatile data

Volatile data is stored in memory or in transit and is lost when the computer is powered down. It resides in locations such as registries, cache, and RAM. The investigation of volatile data is referred to as "live forensics." When seizing evidence, if a machine is still active, volatile data stored solely in RAM may be lost if it is not recovered before the system is shut down. "Live analysis" can be used to recover RAM data (e.g., using Microsoft's COFEE tool, WinDD, or WindowsSCOPE) before removing the machine. Tools like CaptureGUARD Gateway allow for the acquisition of physical memory from a locked computer. RAM data can sometimes be recovered after power loss, as the electrical charge in memory cells dissipates slowly. Techniques like the cold boot attack exploit this property. Lower temperatures and higher voltages increase the chance of recovery, but it is often impractical to implement these techniques in field investigations. Tools that extract volatile data often require the computer to be in a forensic lab to maintain the chain of evidence. In some cases, a live desktop can be transported using tools like a mouse jiggler to prevent sleep mode and an uninterruptible power supply (UPS) to maintain power. Page files from file systems with journaling features, such as NTFS and ReiserFS, can also be reassembled to recover RAM data stored during system operation.


Analysis tools

Numerous open-source and commercial tools exist for computer forensics. Common forensic analysis includes manual reviews of media, Windows registry analysis, password cracking, keyword searches, and the extraction of emails and images. Tools such as Autopsy (software), Belkasoft Evidence Center X, Forensic Toolkit (FTK), and EnCase are widely used in digital forensics.


Professional education and careers


Digital forensics analyst

A digital forensics analyst is responsible for preserving digital evidence, cataloging collected evidence, analyzing evidence relevant to the ongoing case, responding to cyber breaches (often in a corporate context), writing reports containing findings, and testifying in court. A digital forensic analyst may also be referred to as a computer forensic analyst, digital forensic examiner, cyber forensic analyst, forensic technician, or other similarly named titles, all of which perform similar duties.


Certifications

Several computer forensics certifications are available, such as the ISFCE Certified Computer Examiner, Digital Forensics Investigation Professional (DFIP), and IACRB Certified Computer Forensics Examiner. The top vendor-independent certification, particularly within the EU, is the Certified Cyber Forensics Professional (CCFP). Many commercial forensic software companies also offer proprietary certifications.


See also

* Certified Forensic Computer Examiner
* Counter forensics
* Cryptanalysis
* Cyber attribution
* Data remanence
* Disk encryption
* Encryption
* Hidden file and hidden directory
* Information technology audit
* MAC times
* Steganalysis
* ''United States v. Arnold''


Further reading

* ''A Practice Guide to Computer Forensics'', First Edition (Paperback), by David Benton and Frank Grindstaff
* ''Incident Response and Computer Forensics'', Second Edition (Paperback), by Chris Prosise, Kevin Mandia, and Matt Pepe


Related journals

* ''IEEE Transactions on Information Forensics and Security''
* ''Journal of Digital Forensics, Security and Law''
* ''International Journal of Digital Crime and Forensics''
* ''Journal of Digital Investigation''
* ''International Journal of Digital Evidence''
* ''International Journal of Forensic Computer Science''
* ''Journal of Digital Forensic Practice''
* ''Cryptologia''
* ''Small Scale Digital Device Forensic Journal''