What is computer forensics?

Computer forensics, also known as digital forensics, computer forensic science or cyber forensics, combines computer science and legal forensics to gather digital evidence in a way that is admissible in a court of law.

In the same way that law enforcement officials comb crime scenes for clues, computer forensics investigators search digital devices for evidence that lawyers can use in criminal investigations, civil cases, cybercrime investigations and other corporate and national security matters. And like their law enforcement counterparts, computer forensic investigators need to be experts not only in hunting for digital evidence, but in collecting, handling and processing it to ensure its fidelity and its admissibility in court.

Computer forensics is closely related to cybersecurity. Computer forensics findings can help cybersecurity teams speed cyberthreat detection and resolution, and prevent future cyberattacks. An emerging cybersecurity discipline, digital forensics and incident response (DFIR), integrates computer forensics and incident response activities to accelerate remediation of cyberthreats while ensuring that any related digital evidence is not compromised.

How computer forensics has evolved

Computer forensics first gained prominence in the early 1980s with the invention of the personal computer. As technology became a staple in everyday life, criminals identified an opening and began committing crimes on electronic devices.

Soon after, the internet connected almost everyone overnight, enabling email and remote access to corporate and organizational computer networks, and opening the door to more complex malware and cyberattacks. In response to this new frontier of cybercrime, law enforcement agencies needed a system to investigate and analyze electronic data, and thus computer forensics was born.

At first, most digital evidence was found on computer systems and IT devices—personal computers, servers, mobile phones, tablets and electronic storage devices. But today an increasing number of industrial and commercial devices and products—from Internet of Things (IoT) and operational technology (OT) devices, to cars and appliances, to doorbells and dog collars—generate and store data and metadata that can be collected and mined for digital evidence.

For example, consider a car accident. In the past, law enforcement officials might have investigated the crime scene for physical evidence, like swerve marks or shattered glass; they might also have checked the drivers’ phones for evidence of texting while driving.

Today, newer automobiles generate and store all sorts of time-stamped digital data and metadata that create a detailed record of each vehicle's location, speed and operating condition at any given time. This data transforms modern vehicles into another powerful forensics tool, allowing investigators to reconstruct events leading up to, during and after an accident; it might even help determine who was responsible for the accident, even in the absence of traditional physical or eyewitness evidence.

Why computer forensics matters

Like physical crime scene evidence, digital evidence must be collected and handled correctly. Otherwise, the data and metadata may be lost—or deemed inadmissible in a court of law.

For example, investigators and prosecutors must demonstrate a proper chain of custody for digital evidence—they must document how it was handled, processed and stored. And they must know how to collect and store the data without altering it—a challenge given that seemingly harmless actions such as opening, printing or saving files can change metadata permanently.

For this reason, most organizations hire or contract computer forensics investigators (also known by the job titles computer forensics expert, computer forensic analyst or forensic computer examiner) to collect and handle digital evidence associated with criminal or cybercriminal investigations.

Computer forensics professionals typically have a bachelor's degree in computer science or criminal justice, and combine a solid functional knowledge of information technology (IT) fundamentals—for example operating systems, information security, network security, programming languages—plus a background in the legal implications of digital evidence and cybercrime. Some might specialize in areas such as mobile forensics or operating system forensics.

Computer forensics investigators are experts at hunting down and preserving legally admissible data. They know to collect data from sources in-house IT staff might ignore, such as offsite servers and home computers. And they can help organizations develop a sound computer forensics policy that can save time and money when collecting digital evidence, mitigate cybercrime fallout, and help protect their networks and information systems from future attacks.

How computer forensics works

There are four main steps to computer forensics.

Device identification

The first step is identifying the devices or storage media that might contain data, metadata or other digital artifacts relevant to the investigation. These devices are collected and placed in a forensics lab or other secure facility to follow protocol and help ensure proper data recovery.

Data preservation

Forensic experts create an image, or bit-for-bit copy, of the data to be preserved. Then, they safely store both the image and the original to protect them from being altered or destroyed.

Experts collect two kinds of data: persistent data, stored on a device's local hard disk drive, and volatile data, located in memory or in transit (for example, registries, cache and random access memory (RAM)). Volatile data must be handled especially carefully since it is ephemeral and can be lost if the device shuts down or loses power.
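The preservation step and the chain-of-custody requirement described earlier both come down to the same check: the working copy must be shown to be bit-for-bit identical to the source, and every handling step must be recorded with a fingerprint that would change if anything were altered. The following script is an added illustration, not IBM's tooling or any forensic product's code; it stands in a constructed byte buffer for a seized device (a real acquisition reads a block device through a write blocker), images it block by block, verifies the SHA-256 of image and source, and emits custody records. The case and item identifiers are placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed stand-in for a seized storage device: a 4 KiB "disk".
# A real imager would read the physical device through a hardware write blocker.
SOURCE_DEVICE = bytes(range(256)) * 16


def acquire_image(device, block_size=512):
    """Bit-for-bit copy of the device, read block by block the way an imager does."""
    reader = io.BytesIO(device)
    image = bytearray()
    while True:
        block = reader.read(block_size)
        if not block:
            break
        image.extend(block)
    return bytes(image)


def fingerprint(data):
    """SHA-256 hex digest used as the evidence fingerprint in custody records."""
    return hashlib.sha256(data).hexdigest()


def verify_image(device, image):
    """An image is only usable as evidence if it hashes identically to the source."""
    return fingerprint(device) == fingerprint(image)


def custody_record(case_id, item_id, examiner, data, action):
    """One chain-of-custody entry: who did what to which item, and its hash at that moment."""
    return {
        "case_id": case_id,
        "item_id": item_id,
        "examiner": examiner,
        "action": action,
        "sha256": fingerprint(data),
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def preserve(device, case_id="CASE-PLACEHOLDER", item_id="ITEM-001", examiner="examiner"):
    """Image the device, refuse to proceed on a hash mismatch, and return the image plus its custody log."""
    image = acquire_image(device)
    if not verify_image(device, image):
        raise RuntimeError("image hash does not match source; acquisition must be repeated")
    log = [
        custody_record(case_id, item_id, examiner, device, "acquired"),
        custody_record(case_id, item_id, examiner, image, "imaged"),
    ]
    return image, log


def detect_tampering(image, expected_sha256):
    """Later handlers re-hash the image and compare against the recorded fingerprint."""
    return fingerprint(image) == expected_sha256


if __name__ == "__main__":
    img, custody_log = preserve(SOURCE_DEVICE)
    for entry in custody_log:
        print(entry)
```

Analysis is then performed on the image (or a further verified copy of it), never on the original; any examiner who receives the image re-runs `detect_tampering` against the hash in the last custody entry before touching it. Note that the hash covers the raw bytes only: it proves the copy is faithful, but it does not by itself prove the source was not altered before acquisition, which is why the write blocker and the first "acquired" record matter.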

Forensic analysis

Next, forensics investigators analyze the image to identify relevant digital evidence. This can include intentionally or unintentionally deleted files, internet browsing history, emails and more.

To uncover "hidden" data or metadata others might miss, investigators use specialized techniques including live analysis, which evaluates still-running systems for volatile data, and reverse steganography, which exposes data hidden by using steganography, a technique for concealing sensitive information within ordinary-seeming messages.
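One concrete form the "deleted files" analysis takes is signature-based file carving: when a file's directory entry is gone but its bytes are still on the disk, an analyst scans the image for the file type's header and trailer markers and extracts what lies between them. The carver below is an added example written for this page, not code from IBM or from any forensic suite; it carves JPEG files (start-of-image marker `FF D8 FF`, end-of-image marker `FF D9`) from a constructed raw image and records each hit's offset, size and SHA-256 so the result can be cited back to the image.

```python
import hashlib

# JPEG start-of-image and end-of-image markers, used as the carving signature.
SOI = b"\xff\xd8\xff"
EOI = b"\xff\xd9"


def make_sample_image():
    """Constructed raw image: two 'deleted' JPEG-like blobs with no file-system entry,
    surrounded by zeroed sectors and unrelated data (sample data, not a real disk)."""
    jpeg1 = SOI + b"\xe0" + b"JFIF-sample-one" + EOI
    jpeg2 = SOI + b"\xe1" + b"Exif-sample-two" + EOI
    filler = b"\x00" * 64
    return filler + jpeg1 + filler + b"unrelated text" + jpeg2 + filler


def carve_jpegs(image, max_size=10 * 1024 * 1024):
    """Scan the image for SOI markers; for each, take bytes up to the next EOI.
    Returns one record per carved file with its offset, size, bytes and hash."""
    found = []
    offset = 0
    while True:
        start = image.find(SOI, offset)
        if start == -1:
            break
        end = image.find(EOI, start + len(SOI))
        # No trailer, or an implausibly large span: treat this header as a false positive.
        if end == -1 or end - start > max_size:
            offset = start + 1
            continue
        end += len(EOI)
        data = image[start:end]
        found.append({
            "offset": start,
            "size": len(data),
            "data": data,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
        offset = end
    return found


if __name__ == "__main__":
    for hit in carve_jpegs(make_sample_image()):
        print(f"offset={hit['offset']} size={hit['size']} sha256={hit['sha256']}")
```

Header/trailer carving recovers only contiguous files; a file that was fragmented across non-adjacent sectors, or overwritten after deletion, will come back truncated or not at all, which is why carved results are recorded with their offsets and hashes rather than treated as a complete recovery.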

Reporting

As a final step, forensic experts create a formal report outlining their analysis, and share the investigation findings and any conclusions or recommendations. Though reports vary by case, they are often used to present digital evidence in a court of law.

Use cases for digital forensics

There are several areas in which organizations or law enforcement officials might start a digital forensics investigation:

Criminal investigations: Law enforcement agencies and computer forensics specialists can use computer forensics to solve computer-related crimes, like cyberbullying, hacking or identity theft, as well as crimes in the physical world, including robbery, kidnapping, murder and more. For example, law enforcement officials might use computer forensics on a murder suspect's personal computer to locate potential clues or evidence hidden in their search histories or deleted files.

Civil litigation: Investigators can also use computer forensics in civil litigation cases, like fraud, employment disputes or divorces. For example, in a divorce case, a spouse's legal team might use computer forensics on a mobile device to reveal a partner's infidelity and receive a more favorable ruling.

The protection of intellectual property: Computer forensics can help law enforcement officials investigate intellectual property theft, like stealing trade secrets or copyrighted material. Some of the most high-profile computer forensics cases involve intellectual property protection, notably when departing employees steal confidential information to sell it to another organization or set up a competing company. By analyzing digital evidence, investigators can identify who stole the intellectual property and hold them accountable.

Corporate security: Corporations often use computer forensics following a cyberattack, such as a data breach or ransomware attack, to identify what happened and remediate any security vulnerabilities. A typical example would be hackers breaking through a vulnerability in a company's firewall to steal sensitive or essential data. Using computer forensics to fight cyberattacks will continue as cybercrimes remain on the rise. In 2022, the FBI estimated that computer crimes cost Americans USD 10.3 billion in annual losses, up from USD 6.9 billion the previous year.

National security: Computer forensics has become an important national security tool as cybercrimes continue escalating among nations. Governments or law enforcement agencies like the FBI now use computer forensics techniques following cyberattacks to uncover evidence and shore up security vulnerabilities.

Computer forensics, cybersecurity and DFIR

Again, computer forensics and cybersecurity are closely related disciplines that often collaborate on protecting digital networks from cyberattacks. Cybersecurity is both proactive and reactive, focusing on cyberattack prevention and detection, as well as cyberattack response and remediation.

Computer forensics is almost entirely reactive, springing into action in the event of a cyberattack or crime. But computer forensic investigations often provide valuable information that cybersecurity teams can use to prevent future cyberattacks.

DFIR: Computer forensics + incident response

When computer forensics and incident response—the detection and mitigation of cyberattacks in progress—are conducted independently they can interfere with each other, with negative results for an organization.

Incident response teams can alter or destroy digital evidence while removing a threat from the network. Forensic investigators can delay threat resolution while they hunt down and capture evidence.

Digital forensics and incident response, or DFIR, combines computer forensics and incident response into an integrated workflow that can help security teams stop cyberthreats faster while also preserving digital evidence that might be lost in the urgency of threat mitigation. In DFIR,

  • Forensic data collection happens alongside threat mitigation. Incident responders use computer forensic techniques to collect and preserve data while they're containing and eradicating the threat, ensuring the proper chain of custody is followed and that valuable evidence isn't altered or destroyed.

  • Post-incident review includes examination of digital evidence. In addition to preserving evidence for legal action, DFIR teams use it to reconstruct cybersecurity incidents from start to finish to learn what happened, how it happened, the extent of the damage and how similar attacks can be avoided.

DFIR can lead to faster threat mitigation, more robust threat recovery and improved evidence for investigating criminal cases, cybercrimes, insurance claims and more.
