The IT Law Wiki


Computer forensics refers to the use of specialized techniques for recovery, authentication and analysis of electronic data when an investigation or litigation involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage.


Computer forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end users or system support personnel, and generally requires strict adherence to chain of custody protocols.

Computer forensics encompasses e-discovery, intrusion detection and incident response, data recovery, and the packaging and presentation of digital evidence to standards admissible in various legal settings.

The foundation of all computer forensic techniques is the concept of a disk image — a bitstream representation of every bit of information originally stored on an instance of physical media.
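The following added example (not part of the original page) shows what "every bit" means in practice: a constructed four-sector medium is copied byte for byte, the image is verified against the hash taken during acquisition, and residual data that no file copy would contain is still present in the image. The SHA-256 check, the function names and the sample bytes are assumptions of this example.

```python
import hashlib
import io

SECTOR = 512  # sector size assumed for the constructed medium

def acquire(source, image, chunk=4096):
    """Copy every byte of `source` into `image`; return the SHA-256 of what was read."""
    digest = hashlib.sha256()
    for block in iter(lambda: source.read(chunk), b""):
        image.write(block)
        digest.update(block)
    return digest.hexdigest()

def verify(image, expected, chunk=4096):
    """Re-read the finished image and confirm it still matches the acquisition hash."""
    image.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: image.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest() == expected

def build_sample_media():
    """Constructed 4-sector 'disk': one live file and one sector of residual data."""
    live = b"quarterly-report".ljust(SECTOR, b"\x00")
    residual = b"deleted-draft".ljust(SECTOR, b"\x00")  # not referenced by any file
    empty = bytes(SECTOR)
    return empty + live + residual + empty, live

def demo():
    media, live_file = build_sample_media()
    image = io.BytesIO()
    acq_hash = acquire(io.BytesIO(media), image)
    # Flip the final byte of a copy to show that any later change is detectable.
    altered = io.BytesIO(image.getvalue()[:-1] + b"\x01")
    return {
        "image_verified": verify(image, acq_hash),
        "image_size": len(image.getvalue()),
        "residual_in_image": b"deleted-draft" in image.getvalue(),
        "residual_in_file_copy": b"deleted-draft" in live_file,
        "tamper_detected": not verify(altered, acq_hash),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
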


The computer forensics process consists of three phases: acquisition, examination, and presentation. Computer forensic investigators must have software tools that can effectively and efficiently accomplish the following tasks:

