Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media. Computer forensics is also known as digital forensics.
The goal of computer forensics is to explain the current state of a digital artifact. The term digital artifact can include a computer system, a storage medium (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network. The explanation can be as straightforward as "what information is here?" and as detailed as "what is the sequence of events responsible for this current arrangement of bits?"
There are five basic steps in computer forensics:
Preparation (of the investigator, not the data)
Collection (the data)
Live vs. Dead analysis
Traditionally computer forensic investigations were performed on data at rest – for example, the content of hard drives. This can be thought of as a dead analysis. Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased.
In recent years there has increasingly been an emphasis on performing analysis on live systems. One reason is that many current attacks against computer systems leave no trace on the computer’s hard drive – the attacker only exploits information in the computer’s memory. Another reason is the growing use of cryptographic storage: it may be that the only copy of the keys to decrypt the storage is in the computer’s memory, so turning off the computer will cause that information to be lost.
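As an added illustration of the point above (not part of the original article), a Python toy that contrasts the two analyses: the volume key exists only in the memory image, so a live acquisition recovers it and can decrypt the volume, while a disk-only (dead) image, or memory acquired after power-off, yields nothing. The cipher, the known header magic and the memory layout are constructed assumptions for the demonstration.

```python
import hashlib
from typing import Optional

# Constructed toy volume encryption standing in for full-disk encryption:
# keystream block i = SHA-256(key || i), XORed over the data. The point is where the key lives: RAM only.
KEY_LEN = 32
HEADER_MAGIC = b"VOL1"  # assumed known plaintext at the start of the encrypted volume

def keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_volume(key: bytes, data: bytes) -> bytes:
    plain = HEADER_MAGIC + data
    return xor(plain, keystream(key, len(plain)))

def decrypt_volume(key: bytes, disk: bytes) -> bytes:
    return xor(disk, keystream(key, len(disk)))[len(HEADER_MAGIC):]

def recover_key(image: bytes, disk: bytes) -> Optional[bytes]:
    """Slide a KEY_LEN window over an acquired image and test each candidate
    against the known volume header; returns the key if it is present in the image."""
    for off in range(len(image) - KEY_LEN + 1):
        cand = image[off:off + KEY_LEN]
        if xor(disk[:len(HEADER_MAGIC)], keystream(cand, len(HEADER_MAGIC))) == HEADER_MAGIC:
            return cand
    return None

def build_scenario():
    """Constructed evidence: an encrypted disk image plus a RAM image of the running
    system (key between unrelated data) and the same RAM after power-off (all zeros)."""
    key = hashlib.sha256(b"constructed volume key").digest()
    disk = encrypt_volume(key, b"customer records (constructed sample)")
    filler = hashlib.sha256(b"unrelated process data").digest() * 8
    live_memory = filler + key + filler
    dead_memory = bytes(len(live_memory))  # what is left of RAM after shutdown
    return key, disk, live_memory, dead_memory
```

Scanning a memory image for candidate keys and validating each against known plaintext is the same idea real key-recovery tools use; here the check is against the toy header.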