What is computer forensics?
Computer forensics (sometimes called digital forensics) refers to the identification, recovery, and preservation of information contained within and created by computer systems, usually for the purpose of analysis.
The goal of computer forensics is to explain the present condition of a digital artefact, which can include a computer system, an electronic document, or a storage medium.
Computer Forensics: examination and evidence
The examination of such artefacts must be undertaken in a manner that complies with the Rules of Evidence and that produces evidence of criminal activity in a format that will be acceptable in court. The prevailing principle of computer forensics is that artefacts examined should not be affected by such an examination. Examinations by subsequent investigators should, therefore, produce the same results, irrespective of the tools used.
Why is computer forensics useful?
There are several reasons for using computer forensics:
To analyse a computer system after a break in, e.g. to determine how they gained access.
To gather evidence against an employee—for example, in a disciplinary situation.
To gain information about how computer systems work for the purpose of performance optimization or debugging.
To recover data in the event of a failure (hardware or software).
To analyze computer systems belonging to defendants in legal cases.