Computer forensics (sometimes called digital forensics) refers to the identification, recovery and preservation of information contained within and created by computer systems, usually for the purpose of analysis.
The goal of computer forensics is to explain the present condition of a digital artifact, which can include a computer system, an electronic document or a storage medium.
Computer Forensics: examination and evidence
The examination of such artifacts must be undertaken in a manner which complies with the Rules of Evidence and which produces evidence of criminal activity in a format that will be acceptable in court. The prevailing principle of computer forensics is that artifacts examined should not be affected by such an examination. Examinations by subsequent investigators should, therefore, produce the same results, irrespective of the tools used.
Why is computer forensics useful?
There are several reasons for using computer forensics:
To analyze a computer system after a break in, e.g. to determine how they gained access.
To gather evidence against an employee, for example in a disciplinary situation.
To gain information about how computer systems work for the purpose of performance optimization or debugging.
To recover data in the event of a failure (hardware or software).
To analyze computer systems belonging to defendants in legal cases.