Digital Forensics


Information Technology; System Analysis; Privacy


Digital forensics is a branch of science that studies stored digital data. The field emerged in the 1990s but did not develop national standards until the 2000s. Digital forensics techniques are changing rapidly due to the advances in digital technology.



Digital forensics is the science of recovering and studying digital data, typically in the course of criminal investigations. Digital forensic science is used to investigate cybercrimes. These crimes target or involve the use of computer systems. Examples include identity theft, digital piracy, hacking, data theft, and cyberattacks. The Scientific Working Group on Digital Evidence (SWGDE), formed in 1998, develops industry guidelines, techniques, and standards.


Digital forensics emerged in the mid-1980s in response to the growing importance of digital data in criminal investigations. The first cybercrimes occurred in the early 1970s. This era saw the emergence of “hacking,” or gaining unauthorized access to computer systems. Some of the first documented uses of digital forensics data were in hacking investigations.

Prior to the Electronic Communications Privacy Act (ECPA) of 1986, digital data or communications were not protected by law and could be collected or intercepted by law enforcement. The ECPA was amended several times in the 1990s and 2000s to address the growing importance of digital data for private communication. In 2014, the Supreme Court ruled that police must obtain a warrant before searching the cell phone of a suspect arrested for a crime.

Digital forensics encompasses computer forensics, mobile forensics, computer network forensics, social networking forensics, database forensics, and forensic data analysis or the forensic analysis of large-scale data. EBSCO illustration.


Once forensic investigators have access to equipment that has been seized or otherwise legally obtained, they can begin forensic imaging. This process involves making an unaltered copy, or forensic image, of the device's hard drive. A forensic image records the drive's structures, all of its contents, and metadata about the original files.

A forensic image is also known as a “physical copy.” There are two main methods of copying computer data: physical copying and logical copying. A physical copy duplicates all of the data on a specific drive, including empty, deleted, or fragmented data, and stores it in its original configuration. A logical copy, by contrast, copies active data but ignores deleted files, fragments, and empty space. This makes the data easier to read and analyze. However, it may not provide a complete picture of the relevant data.

After imaging, forensic examiners analyze the imaged data. They may use specialized tools to recover deleted files using fragments or backup data, which is stored on many digital devices to prevent accidental data loss. Automated programs can be used to search and sort through imaged data to find useful information. (Because searching and sorting are crucial to the forensic process, digital forensics organizations invest in research into better search and sort algorithms.) Information of interest to examiners may include e-mails, text messages, chat records, financial files, and various types of computer code. The tools and techniques used for analysis depend largely on the crime. These specialists may also be tasked with interpreting any data collected during an investigation. For instance, they may be called on to explain their findings to police or during a trial.
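The following is an added illustration, not part of the original article, of the physical-versus-logical copy distinction described above and of the deleted-file recovery that follows imaging. It models a constructed toy drive of eight 16-byte sectors with a one-entry allocation table; the sector size, the `NT:` file signature, and the file contents are assumptions made for the example, and the hash check shows how an examiner confirms the image is unaltered.

```python
import hashlib

SECTOR = 16                # constructed toy geometry: 16-byte sectors, 8 sectors
MAGIC = b"NT:"             # constructed file signature the carver looks for

def build_drive():
    """Return (sectors, allocation_table) for a constructed toy drive.
    Sectors 1-2 hold an active file; sectors 5-6 still hold the bytes of a
    file that was deleted (its table entry removed, its data not overwritten)."""
    sectors = [bytearray(SECTOR) for _ in range(8)]
    def write(start, data):
        for n, off in enumerate(range(0, len(data), SECTOR)):
            chunk = data[off:off + SECTOR]
            sectors[start + n][:len(chunk)] = chunk
    write(1, MAGIC + b"quarterly ledger")   # 19 bytes -> sectors 1 and 2
    write(5, MAGIC + b"draft, deleted")     # 17 bytes -> sectors 5 and 6
    table = {"ledger.txt": [1, 2]}          # the deleted file is unlinked
    return [bytes(s) for s in sectors], table

def physical_copy(sectors):
    """Bit-for-bit image of every sector, allocated or not, plus its digest."""
    image = b"".join(sectors)
    return image, hashlib.sha256(image).hexdigest()

def logical_copy(sectors, table):
    """Only the files the allocation table knows about, padding stripped."""
    return {name: b"".join(sectors[i] for i in idx).rstrip(b"\x00")
            for name, idx in table.items()}

def carve(blob):
    """Recover every MAGIC-prefixed record from raw bytes, ignoring allocation."""
    found, pos = [], blob.find(MAGIC)
    while pos != -1:
        end = blob.find(b"\x00", pos)
        found.append(blob[pos:end if end != -1 else len(blob)])
        pos = blob.find(MAGIC, pos + len(MAGIC))
    return found

def verify(image, expected_digest):
    """Re-hash the image to confirm it is unaltered since acquisition."""
    return hashlib.sha256(image).hexdigest() == expected_digest
```

Carving the physical image recovers both records, while the logical copy yields only the active file, which is the incompleteness the text warns about.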


The SWGDE works to create tools and standards that will allow investigators to effectively retrieve and analyze data while keeping pace with changing technology. It must also work with legal rights organizations to ensure that investigations remain within boundaries set to protect personal rights and privacy. Each forensic investigation may involve accessing personal communications and data that might be protected under laws that guarantee free speech and expression or prohibit unlawful search and seizure. The SWGDE and law enforcement agencies are debating changes to existing privacy and surveillance laws to address these issues while enabling digital forensic science to continue developing.

—Micah L. Issitt
