Computer Forensics


Computer forensics (also known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high-profile cases and is becoming widely accepted as reliable within U.S. and European court systems.


Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics follows a similar process to other forensic disciplines, and faces similar issues.

The purpose of computer forensics techniques is to search, preserve and analyze information on computer systems to find potential evidence for a trial. Many of the techniques detectives use in crime scene investigations have digital counterparts, but there are also some unique aspects to computer investigations.

Digital forensics is powerful because computer systems are windows into the past. Many retain vast quantities of information—either intentionally, in the form of log files and archives, or inadvertently, as a result of software that does not cleanly erase memory and files. As a result, investigators can frequently recover old email messages, chat logs, Google search terms, and other kinds of data that were created weeks, months or even years before. Such contemporaneous records can reveal an individual’s state of mind or intent at the time the crime was committed.

But whereas pre-computer evidence, such as handwritten letters and photographs, could be reproduced and given to attorneys, judges, and juries, computerized evidence requires special handling and analysis. Electronic data are easily changed, damaged, or erased if handled improperly. Simply turning on a consumer GPS may cause the device to delete critical evidence. Additionally, computers frequently harbor hidden evidence that may be revealed only when specialized tools are used—for example, a digital camera may appear to have 30 photos, but expert examination may show another 300 deleted photos that can be recovered. (When a device “erases” a file, it doesn’t clear the memory space, but notes that the space is available; the file may not be really deleted until a new one is written over it.)

Digital evidence can even be examined to show that something did not happen. Here they are less powerful, for the well-known reason that the absence of evidence is not the evidence of absence. In May 2006 a laptop and external hard drive containing sensitive personal information of 26.5 million veterans and military personnel was stolen from an employee at the U.S. Department of Veterans Affairs. After the laptop was recovered in June 2006, forensic investigators analyzed the media and determined that the sensitive files probably had not been viewed.

When would computer forensics be used?



  • When corporate information is disclosed without permission, either by accident or by design.
  • When an employee steals intellectual property from their employer and passes it to a competitor or uses it to set up a competing company.
  • When an employee violates a computer policy, such as when and how to use the Internet. Some organisations have rules on how the computer or the Internet should be used. If the systems in the office are used for any illegal activity, computer forensics can help determine when and how these illegalities happened.
  • Damage analysis and assessment after an incident has occurred.
  • White-collar crimes. These are nonviolent and financially-motivated crimes that are committed by government or business professionals. These crimes include identity theft, Ponzi schemes and advance fee schemes. White-collar crimes can wipe out life savings, destroy companies or cost investors billions in losses. Computer forensics can be used to help in investigating such crimes.



  • Industrial espionage. This involves stealing trade secrets from a competitor by recording or copying confidential documents. Examples of documents involved include secret formulas, product specifications and business plans. Industrial espionage is an illegal activity, and computer forensics can help during investigations.
  • This involves deliberately providing false or misleading information to gain something unfairly. A lot of fraud is perpetrated through the Internet or with the help of technology, and computer forensics can help investigate these crimes.
  • Sexual harassment, deception and negligence.
  • Collection of information that may be used to terminate a person’s employment in future.
  • General criminal and civil cases. This is because criminals sometimes store information in computers.
  • Commercial organizations and companies can also use computer forensics to help them in cases of intellectual property theft, forgeries, employment disputes, bankruptcy investigations and fraud compliance.

Investigators sometimes need computer forensics to investigate a crime. The computer system itself may act as a scene of a crime in cases of denial-of-service attacks and hacking. The computer system may also hold evidence of the crime. A lot of people may also store information in computer systems unwittingly or unintentionally. Evidence that computer forensics investigations produces may be in the form of emails, documents and Internet history. There may also be files relevant to crimes such as kidnapping, drug trafficking, money laundering or fraud.

In addition to the information on the computer, investigators may use a file’s metadata to find out more about a particular crime. The computer forensics analyst will determine when the file was first created, when it was edited and when it was printed or last saved. The forensics examination can also determine which user carried out these activities.

In all of these cases, the evidence must be acquired and handled properly to be admissible in court. This is the only way the acquired information can serve as evidence and used to support allegations or defend a person from accusations.

Case Types


  • Criminal
  • Civil
  • Family Law

Investigation Types


  • Criminal Felonies
  • Criminal Misdemeanors
  • Divorce
  • Harassment
  • Job Action
  • Probate