[Image: A forensic expert examining a mobile device that was seized during an investigation]

[Image: Media types used for computer forensic analysis: a Fujifilm FinePix digital camera, two flash memory cards, a USB flash drive, a 5GB iPod, a CD-R or DVD recordable, and a Mini CD]

Computer forensics (also known as computer forensic science) is today used to investigate a wide variety of crimes, including child pornography, fraud, espionage, cyberstalking, murder, and rape. The discipline also features in civil proceedings as a form of information gathering (e.g., electronic discovery).

Forensic techniques and expert knowledge are used to explain the current state of a digital artifact, such as a computer system, storage medium (e.g., hard disk or CD-ROM), or an electronic document (e.g., an email message or JPEG image).

Computer forensics is used to convict those involved in physical and digital crimes. Some of these computer-related crimes include interruption, interception, copyright infringement, and fabrication. Interruption relates to the destruction and theft of computer parts and digital files. Interception is the unauthorized access of files and information stored on technological devices. Copyright infringement refers to using, reproducing, and distributing copyrighted information, including software piracy. Fabrication involves false data and information being inserted into a system through an unauthorized source. Examples of interceptions include the Bank NSP case, the Sony.Sambandh.com case, and business email compromise scams.

Use as evidence

In court, computer forensic evidence is subject to the usual requirements for digital evidence: the information must be authentic, reliably obtained, and admissible. Notable cases in which computer forensic evidence was decisive include:

  • Dennis Rader: Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church," helping lead to Rader's arrest.

  • Joseph Edward Duncan: A spreadsheet recovered from Duncan's computer contained evidence showing him planning his crimes. Prosecutors used this to demonstrate premeditation and secure the death penalty.

Techniques

Various techniques are used in computer forensic investigations, including:

Cross-drive analysis

This technique correlates information found on multiple hard drives and can be used to identify social networks or detect anomalies.

Live analysis

The examination of computers from within the operating system using forensic or existing sysadmin tools to extract evidence. This technique is particularly useful for dealing with encrypting file systems where encryption keys can be retrieved, or for imaging the logical hard drive volume (a live acquisition) before shutting down the computer. Live analysis is also beneficial when examining networked systems or cloud-based devices that cannot be accessed physically.

Deleted files

A common forensic technique involves recovering deleted files. Most operating systems and file systems do not erase the physical file data when a file is deleted, allowing investigators to reconstruct it from the physical disk sectors. Forensic software can "carve" files by searching for known file headers and reconstructing deleted data.

Stochastic forensics

This method leverages the stochastic properties of a system to investigate activities that leave no traditional digital artifacts; it is often useful in cases of data theft.

Steganography

Steganography involves concealing data within another file, such as hiding illegal content within an image. Forensic investigators can detect steganography by comparing a file's hash with that of the known original, since any hidden data alters the hash value of the file.
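As an added example (not code from the article), here is a minimal Python file carver in the spirit of the "Deleted files" technique above: it locates files in a raw image purely by their known headers and footers, so files whose directory entries are gone are still recovered, and it hashes what it carves so the recovered evidence can later be verified. The disk image, the two file signatures and the sector layout are constructed for illustration, and the carver assumes files are stored contiguously (no fragmentation).

```python
import hashlib

# Magic values (header, footer) for the file types this toy carver knows.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
SECTOR = 512


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan a raw image for known headers; return (type, offset, data) tuples.

    Files are found purely by signature, so they are recovered even when no
    directory entry points at them any more (deleted, sectors not yet reused).
    Assumes each file is contiguous; a header with no footer within
    max_size bytes is skipped rather than guessed at.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_size)
            if end == -1:                      # header without footer: skip
                pos = image.find(head, pos + 1)
                continue
            data = image[pos:end + len(tail)]
            found.append((kind, pos, data))
            pos = image.find(head, end + len(tail))
    return sorted(found, key=lambda f: f[1])


def evidence_hashes(files):
    """SHA-256 of each carved file, recorded so later copies can be verified."""
    return {f"{kind}@{off}": hashlib.sha256(data).hexdigest()
            for kind, off, data in files}


def build_sample_image() -> bytes:
    """Constructed test image: zeroed sectors plus two orphaned files
    (a JPEG-like blob at sector 3, a PNG-like blob at sector 9)."""
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 300 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x22" * 100
           + b"IEND\xaeB`\x82")
    img = bytearray(SECTOR * 20)               # 20 zero-filled sectors
    img[SECTOR * 3:SECTOR * 3 + len(jpg)] = jpg
    img[SECTOR * 9:SECTOR * 9 + len(png)] = png
    return bytes(img)
```

Running `carve(build_sample_image())` yields the JPEG at offset 1536 (sector 3) and the PNG at offset 4608 (sector 9), each with its full byte content, even though nothing in the image "names" them.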

Mobile device forensics

Phone logs

Phone companies typically retain logs of received calls, which can help create timelines and establish suspects' locations at the time of a crime.

A digital forensic analyst may also be referred to as a computer forensic analyst, digital forensic examiner, cyber forensic analyst, forensic technician, or by other similar titles; these roles perform similar duties.

Certifications

Several computer forensics certifications are available, such as the ISFCE Certified Computer Examiner, Digital Forensics Investigation Professional (DFIP), and IACRB Certified Computer Forensics Examiner. The top vendor-independent certification, particularly within the EU, is the Certified Cyber Forensics Professional (CCFP).

Many commercial forensic software companies also offer proprietary certifications.

Computer forensics investigations are frequently driven by regulatory requirements that mandate specific evidence preservation and analysis capabilities.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to implement audit controls that record and examine activity in information systems containing protected health information under 45 CFR 164.312(b), and to establish procedures for monitoring log-in attempts and reporting discrepancies under 45 CFR 164.308(a)(5)(ii)(C). When breaches of protected health information occur, forensic analysis of electronic systems is typically required to determine the scope and nature of unauthorized access as part of the breach notification assessment under 45 CFR 164.402. The December 2024 HIPAA Security Rule notice of proposed rulemaking (90 FR 898) would mandate deployment of technology solutions capable of detecting and responding to suspicious activity, strengthening the evidentiary requirements that necessitate computer forensics capabilities.

The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 Requirement 12.10.5 requires organizations to include provisions for forensic investigation following security incidents, and major card brands require merchants experiencing breaches to engage PCI Forensic Investigators (PFIs) for formal analysis. NIST Special Publication 800-86 provides guidelines for integrating forensic techniques into incident response, covering data collection, examination, analysis, and reporting across multiple media types.

See also

  • Certified Forensic Computer Examiner
  • Counter forensics
  • Cryptanalysis
  • Cyber attribution
  • Data remanence
  • Disk encryption
  • Encryption
  • Hidden file and hidden directory
  • Information technology audit
  • MAC times
  • Steganalysis
  • United States v. Arnold


Further reading

  • A Practice Guide to Computer Forensics, First Edition, by David Benton and Frank Grindstaff
  • Incident Response and Computer Forensics, Second Edition, by Chris Prosise, Kevin Mandia, and Matt Pepe
  • IEEE Transactions on Information Forensics and Security
  • Journal of Digital Forensics, Security and Law
  • International Journal of Digital Crime and Forensics
  • Journal of Digital Investigation
  • International Journal of Digital Evidence
  • International Journal of Forensic Computer Science
  • Journal of Digital Forensic Practice
  • Cryptologia
  • Small Scale Digital Device Forensic Journal