What is Digital Forensics?

Digital forensics is the science of examining information that resides on digital devices or systems to determine, with a reasonable degree of certainty, past events recorded or stored by those devices or systems.

Do courts recognize digital forensics as a science?

Digital forensic practice is derived from computer science. The ephemeral nature of digital evidence requires a forensic examiner to follow the rigorously disciplined collection process computer scientists follow. Digital forensics stands apart from some evidence-gathering techniques that have recently been called into question, because its practitioners abide by a scientific process.

Properly performed, these forensic techniques produce a result that’s reproducible, a key indicator of a scientific process.

The Federal Courts issued rules for eDiscovery (the preservation and presentation of digital evidence) in 2005, following recognition by a conference of judges and legal scholars that electronic evidence required a new set of discovery guidelines.

What does “properly performed” mean?

The forensic practitioner follows a prescribed process governing the interaction with the subject device or system. The evidence is collected, analyzed, preserved, and presented according to a generally accepted standard.

Proper preservation and presentation are both crucial for admissibility in a court of law.

How does data recovery differ from digital forensics?

The difference is the purpose, not the process. Data recovery is necessary following such incidents as power outages, floods, fires, or other disasters that destroy systems and devices. The recovery operation is often called “incident response.”

Incident response is also the term that’s used when a cyber crime has occurred, or when a ransomware attack has made files inaccessible.

Business may be halted, or the business may have only partial access to files while the data recovery is taking place. The data recovery must be performed in a forensically sound manner to minimize the amount of data that might be lost. There may also be audits, litigation, or insurance issues that require forensically sound presentation of the recovered data.