what is digital forensics

What is Digital Forensics?

By ERMProtect Staff

According to the FBI, in 2021, over 800,000 cybercrimes occurred. Such crimes can occur so easily because of their secret nature. As you sit in a coffee shop, using their Wi-Fi, how do you know you're not the victim of a crime already by someone on the same network?

Attorneys and prosecutors combat such crimes with the help of digital forensics experts. A digital forensic investigation will unveil the necessary data and digital evidence needed to convict cyber criminals.

But exactly what is digital forensics? And exactly what is the process of digital forensics?

By the time you finish reading this article, you will have a solid understanding of the types of digital forensics that exist as well as the process of digital forensics.

Answering the Question, “What Is Digital Forensics?”

Digital forensics consists of the process of identifying, preserving, extracting, and documenting computer evidence that attorneys use in a court of law. Forensics is the science of finding and extracting evidence in its digital format. Forensic experts will extract the evidence from mobile phones, servers, computers, or networks.

Usually, a team of digital forensics experts works together with purposeful techniques and tools so they can solve complicated cases. This is the same type of expert who can manage security breaches as well.

History of Digital Forensics

The need for digital forensics began when the first computer crime occurred in 1971 when Bob Thomas wrote the virus named "The Creeper." This virus was just a general nuisance but not harmful. However, it did indicate the growing need for computer crime experts.

By the 1990s, the term "computer crime" had become common in the world of investigation. In the early 21st century, the federal government began to put together policies on digital forensics.

Now attorneys have an arsenal of evidence thanks to digital forensics experts. They can find the data that they need to prove a cyber criminal's guilt or prove important facts in a civil litigation case.

Objectives of a Digital Forensics Investigation

Digital forensics investigators have a few primary objectives in addition to finding, recovering, analyzing, and preserving digital, computer, and related materials. Such materials must be in a form that a prosecutor can use as evidence in a court of law.

Here are a few other objectives of a digital forensics investigator:

  • Help theorize the reasons for the crime or malfeasance
  • Help discover the identity of the main perpetrator
  • Design procedures that ensure the investigators do not corrupt the digital evidence
  • Acquire and duplicate data such as deleted files
  • Identify the evidence quickly
  • Produce a computer forensic report that an attorney can use in a court of law
  • Preserve digital evidence by following a chain of custody properly

Process of Digital Forensics Investigations

Digital forensics consists of a precise set of steps. Failing to follow any single step can damage the case.

Here are the basic steps in the digital forensics investigation process:

1. Identification

The forensic process begins with identification. An investigator will identify what evidence exists, where a criminal has stored it, and how the criminal has stored it.

Mobile phones, PDAs, personal computers, and a variety of other electronic devices can store media. Forensic investigators must determine exactly which device has the data they need for evidence.

2. Preservation

Once an investigator knows what they're looking for and where to look at it, they can begin to isolate, secure, and preserve the data. The investigator will confiscate the digital device, thereby preventing individuals from tampering with the digital evidence.

3. Analysis

After preserving the digital evidence, the investigators will reconstruct fragments of data and draw some conclusions based on the evidence they found. Such analysis can take several tries before they will have the evidence they need to support the crime theory.

4. Documentation

The investigator then creates a record of all the visible data. They will recreate the crime scene and review it. They will create a timeline of events based on available data.

5. Presentation

At this point, the investigator will summarize and explain the findings. The investigators should use common terms when talking about the evidence and the methods, though to make it more court friendly. The clearer the investigator can make the process, the more likely the jury and other members in the court will understand them.

Types of Digital Forensics

Not all types of digital forensics are the same. Here are the most common types of digital forensics.


This sub-branch of digital forensics focuses on analyzing and monitoring the traffic on a computer network. The investigators will collect legal evidence and important information.


A digital forensics expert in disk forensics understands how to extract data from storage media. They spend time searching modified, active, or deleted files to find evidence.


Forensic experts who focus on database forensics will spend their time studying databases. They examine vast quantities of metadata daily to find evidence of crimes.


Wireless forensics experts will provide the tools investigators need to collect and analyze data from traffic on a wireless network.


Malware experts identify and remedy malicious code. They study viruses, worms, payloads, and all other things related to malicious code.


Email forensics experts understand how to recover and then analyze emails. They can even find evidence in deleted emails, contacts, and calendars.


Memory forensics experts collect data from system memory. They understand how to extract evidence from the cache, RAM, and registers in a raw form. They then can extract data from the raw dump.

Mobile Phone

Since mobile phones are mobile computers, some forensics experts have made cell phones their main focus. They examine and analyze mobile devices to retrieve SIM and phone contacts, incoming data, call logs, outgoing data, videos, audio, and anything else a mobile phone holds.

Protect Yourself with ERMProtect’s Digital Forensics Expertise

Do you need help extracting data, investigating malfeasance, or digging out evidence for criminal or civil court? If so, contact us. Our experts are ready to help you with your digital forensics needs.

Get a curated briefing of the week's biggest cyber news every Friday.

Stop Phishing Attacks with ERMProtect's Security Awareness Training

Turn your employees into a human firewall with our innovative Security Awareness Training.

Our e-learning modules take the boring out of security training.

Intelligence and Insights

NIST Cybersecurity Framework

Complete Guide to the NIST Cybersecurity Framework 2.0

In this comprehensive guide, we explain in simple terms every aspect of complying with the NIST Cybersecurity Framework 2.0 …
Musings From a Pen Tester’s Diary

Musings From a Penetration Tester’s Diary – Part 2

We asked Akash to take a trip down memory lane and discuss some of his more interesting intrusion cases. This is Part 2 of “Musings from Pen Tester’s Diary.” …
Musings From a Pen Tester’s Diary

Musings From a Penetration Tester’s Diary – Part 1

Ever want to peek inside the mind of an ethical hacker? Akash Desai, our Director of IT Consulting for 18 years, is sharing his diary of experiences “hacking” banks, factories, fire departments, airports, etc …