
https://www.nist.gov/news-events/news/2022/05/nist-publishes-review-digital-forensic-methods

NIST Publishes Review of Digital Forensic Methods

Report documents the scientific foundations of digital evidence examination and recommends ways to advance the field.


The National Institute of Standards and Technology (NIST) has published Digital Investigation Techniques: A NIST Scientific Foundation Review. This draft report, which will be open for public comment for 60 days, reviews the methods that digital forensic experts use to analyze evidence from computers, mobile phones and other electronic devices.

The purpose of NIST scientific foundation reviews is to document and evaluate the scientific basis for forensic methods. These reviews fill a need identified in a landmark 2009 study by the National Academy of Sciences, which found that many forensic disciplines lack a solid foundation in scientific research.

To conduct their review, the authors examined peer-reviewed literature, documentation from software developers, test results on forensic tools, standards and best practices documents and other sources of information. They found that “digital evidence examination rests on a firm foundation based in computer science,” and that “the application of these computer science techniques to digital investigations is sound.”

“Copying data, searching for text strings, finding timestamps on files, reading call logs on a phone. These are basic elements of a digital investigation,” said Barbara Guttman, leader of NIST’s digital forensics research program and an author of the study. “And they all rely on fundamental computer operations that are widely used and well understood.”

The report also discusses several challenges that digital forensic experts face, including the rapid pace of technological change. “Digital evidence techniques don’t work perfectly in all cases,” Guttman said. “If everyone starts using a new app, forensic tools won’t be able to read and understand the contents of that app until they are updated. This requires constant effort.”

To address this challenge, the report recommends better methods for information-sharing among experts and a more structured approach to testing forensic tools that would increase efficiency and reduce duplication of effort across labs.

The report also recommends increased sharing of high-quality forensic reference data that can be used for education, training, and developing and testing new forensic tools.

NIST’s Digital Forensics Research Program, which was launched in 1999, develops methods for testing digital forensics tools and provides access to high-quality reference datasets. NIST also maintains a vast archive of published software, the National Software Reference Library, that is a critical resource for investigating computer crimes.

NIST scientific foundation reviews help laboratories identify appropriate limitations on the use of forensic methods, identify priorities for future research, and suggest steps for moving the field forward. These reviews are conducted as part of NIST’s Forensic Science Program, which works to strengthen forensic practice through research and improved standards. In 2018 Congress directed NIST to conduct these scientific reviews and appropriated funding for them.

Readers can submit comments on the draft report through July 11, 2022. NIST will host a webinar about the draft report on June 1, 2022. Instructions for submitting comments and registration information for the webinar are available on the NIST website.


Published: 16 February 2024 Contributors: Annie Badman, Amber Forrest

Digital forensics is the process of collecting and analyzing digital evidence in a way that maintains its integrity and admissibility in court.

Digital forensics is a field of forensic science. It is used to investigate cybercrimes but can also help with criminal and civil investigations. For instance, cybersecurity teams may use digital forensics to identify the cybercriminals behind a malware attack, while law enforcement agencies may use it to analyze data from the devices of a murder suspect.

Digital forensics has broad applications because it treats digital evidence like any other form of evidence. Just as officials use specific processes to gather physical evidence from a crime scene, digital forensics investigators follow a strict forensics process (also known as a chain of custody) when handling digital evidence to avoid tampering.

Digital forensics and computer forensics are often referred to interchangeably. However, digital forensics technically involves gathering evidence from any digital device, whereas computer forensics involves gathering evidence specifically from computing devices, such as computers, tablets, mobile phones and devices with a CPU.

Digital forensics and incident response (DFIR) is an emerging cybersecurity discipline that integrates computer forensics and incident response activities to accelerate the remediation of cyber threats while ensuring that any related digital evidence is not compromised.

Digital forensics, or digital forensic science, first surfaced in the early 1980s with the rise of personal computers and gained prominence in the 1990s.

However, it wasn’t until the early 21st century that countries like the United States formalized their digital forensics policies. The shift toward standardization resulted from the rise of computer crimes in the 2000s and the nationwide decentralization of law enforcement agencies. With more crimes involving digital devices—and more individuals involved in prosecuting those crimes—officials needed procedures to ensure criminal investigations dealt with digital evidence in a way that was admissible in a court of law.

Today, digital forensics is only becoming more relevant. To understand why, consider the overwhelming amount of digital data available on practically everyone and everything. As society continues to rely more on computer systems and cloud computing technologies, individuals continue to conduct more of their lives online across an ever-increasing number of devices, including mobile phones, tablets, IoT devices, connected devices, and more.

The result is more data—from more sources in more formats than ever before—that investigators can use as digital evidence to analyze and understand a growing range of criminal activity, including cyberattacks, data breaches, and criminal and civil investigations. Additionally, like all evidence, physical or digital, investigators and law enforcement agencies must collect, handle, analyze and store it correctly. Otherwise, data may be lost, tampered with or rendered inadmissible in court.

Forensics experts are responsible for performing digital forensics investigations, and as demand for the field grows, so do the job opportunities. The Bureau of Labor Statistics estimates computer forensics job openings will increase 31 percent through 2029.

The National Institute of Standards and Technology (NIST) outlines four steps in the digital forensic analysis process.

Those steps include:

Identify the digital devices or storage media containing data, metadata or other digital information relevant to the digital forensics investigation. For criminal cases, law enforcement agencies will seize the evidence from a potential crime scene to ensure a strict chain of custody.

To preserve evidence integrity, forensics teams make a forensic duplicate of the data using a hard drive duplicator or forensic imaging tool. Following the duplication process, they secure the original data and conduct the rest of the investigation on the copies to avoid tampering.

Investigators comb through data and metadata for signs of cybercriminal activity. Forensic examiners can recover digital data from a variety of sources, including web browser histories, chat logs, remote storage devices, deleted space, accessible disk spaces, operating system caches and virtually any other part of a computerized system.

Forensic analysts use different methodologies and digital forensic tools to extract data and insights from digital evidence.

For instance, to uncover "hidden" data or metadata, they might use specialized forensic techniques, like live analysis, which evaluates still-running systems for volatile data, or reverse steganography, which exposes data hidden using steganography (a method for concealing sensitive information within ordinary-looking messages). Investigators may also reference proprietary and open-source tools to link findings to specific threat actors.

Once the investigation is over, forensic experts create a formal report that outlines their analysis, including what happened and who may be responsible. 

Reports vary by case. For cyber crimes, they might have recommendations for fixing vulnerabilities to prevent future cyberattacks. Reports are also frequently used to present digital evidence in a court of law and shared with law enforcement agencies, insurers, regulators and other authorities. 
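The duplication step described above (make a forensic copy, secure the original, work only on the copy) can be illustrated with the following added example, which is not part of the original article. It assumes SHA-256 as the integrity check and a JSON-lines custody log; the function names, file names and examiner ID are hypothetical, and the "device" is a constructed sample file.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(source_path, image_path, examiner, log_path):
    """Duplicate source_path to image_path and append a custody record.

    The source is opened read-only and hashed as it is read. The image is
    then re-read from disk and hashed independently, so a faulty write to
    the destination shows up as a mismatch instead of going unnoticed.
    """
    source_digest = hashlib.sha256()
    # "xb" refuses to overwrite an existing image file.
    with open(source_path, "rb") as src, open(image_path, "xb") as dst:
        for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
            source_digest.update(chunk)
            dst.write(chunk)
    os.chmod(image_path, 0o444)  # working copies are examined, not edited

    record = {
        "action": "acquire",
        "examiner": examiner,
        "utc": datetime.now(timezone.utc).isoformat(),
        "source": source_path,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "source_sha256": source_digest.hexdigest(),
        "image_sha256": sha256_file(image_path),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def image_unchanged(image_path, record):
    """Re-hash the image before analysis and compare with the acquisition record."""
    return sha256_file(image_path) == record["image_sha256"]


def demo():
    """Run the workflow on a constructed 'device' file in a temporary directory."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "source.bin")  # stands in for seized media
        image = os.path.join(workdir, "image.dd")
        log = os.path.join(workdir, "custody.jsonl")
        with open(source, "wb") as handle:
            handle.write(b"constructed sample evidence\n" * 4096)

        record = acquire(source, image, "examiner-01", log)
        intact_before = image_unchanged(image, record)

        # Simulate an accidental change to the working copy (one byte overwritten).
        os.chmod(image, 0o644)
        with open(image, "r+b") as handle:
            handle.seek(100)
            handle.write(b"X")
        intact_after = image_unchanged(image, record)

        with open(log, encoding="utf-8") as handle:
            log_entries = [json.loads(line) for line in handle]
    return record["verified"], intact_before, intact_after, len(log_entries)


if __name__ == "__main__":
    print(demo())
```

Re-running `image_unchanged` before each analysis session gives the report a verifiable statement that the examined copy still matches what was acquired.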

When digital forensics emerged in the early 1980s, there were few formal digital forensics tools. Most forensics teams relied on live analysis, a notoriously tricky practice that posed a significant risk of tampering.

By the late 1990s, the increased demand for digital evidence prompted the development of more sophisticated tools like EnCase and FTK, which allowed forensic analysts to examine copies of digital media without resorting to live forensics.

Today, forensic experts employ a wide range of digital forensics tools. These tools can be hardware or software-based and analyze data sources without tampering with the data. Common examples include file analysis tools, which extract and analyze individual files, and registry tools, which gather information from Windows-based computing systems that catalog user activity in registries.

Certain providers also offer dedicated open-source tools for specific forensic purposes—with commercial platforms, like EnCase and CAINE, offering comprehensive functions and reporting capabilities. CAINE, specifically, boasts an entire Linux distribution tailored to the needs of forensic teams.

Digital forensics contains discrete branches based on the different sources of forensic data.

Some of the most popular branches of digital forensics include:

  • Computer forensics (or cyber forensics): Combining computer science and legal forensics to gather digital evidence from computing devices.
  • Mobile device forensics: Investigating and evaluating digital evidence on smartphones, tablets, and other mobile devices.
  • Database forensics: Examining and analyzing databases and their related metadata to uncover evidence of cybercrimes or data breaches.
  • Network forensics: Monitoring and analyzing data found in computer network traffic, including web browsing and communications between devices.
  • File system forensics: Examining data found in files and folders stored on endpoint devices like desktops, laptops, mobile phones, and servers.
  • Memory forensics: Analyzing digital data found in a device's random access memory (RAM).

When computer forensics and incident response—the detection and mitigation of cyberattacks in progress—are conducted independently, they can interfere with each other and negatively impact an organization.

Incident response teams can alter or destroy digital evidence while removing a threat from the network. Forensic investigators can delay threat resolution while they hunt down and capture evidence.

Digital forensics and incident response, or DFIR, combines computer forensics and incident response into an integrated workflow that can help information security teams stop cyber threats faster while also preserving digital evidence that might be lost in the urgency of threat mitigation.

Two major benefits of DFIR include:

  • Forensic data collection happening alongside threat mitigation. Incident responders use computer forensic techniques to collect and preserve data while they’re containing and eradicating the threat, ensuring the proper chain of custody is followed and that valuable evidence isn’t altered or destroyed.
  • Post-incident review including examination of digital evidence. In addition to preserving evidence for legal action, DFIR teams use it to reconstruct cybersecurity incidents from start to finish to learn what happened, how it happened, the extent of the damage and how similar attacks can be avoided.

DFIR can lead to faster threat mitigation, more robust threat recovery, and improved evidence for investigating criminal cases, cybercrimes, insurance claims and other security incidents.


Introduction to Computer Forensics

  • First Online: 11 November 2018


Xiaodong Lin


Thousands of years ago in China, fingerprints were used on all business documents in the same way signatures are used today—to provide approval of the document, or authorization to perform any actions that the document outlines. This was the very first application of forensics in the world. Since then, law enforcement around the world has slowly developed the forensic skills and tools to investigate crime scenes, using forensic sciences and methods to learn what happened. An example of this is Song Ci, an outstanding forensic scientist in Ancient China who documented his lifetime of experience and thoughts on forensic medicine in his book “Washing Away of Wrongs: Forensic Medicine”. These works were the first of their kind in the world (Fig. 1.1).


Department of Physics and Computer Science, Faculty of Science, Wilfrid Laurier University, Waterloo, ON, Canada

Xiaodong Lin


© 2018 Springer Nature Switzerland AG

About this chapter

Lin, X. (2018). Introduction to Computer Forensics. In: Introductory Computer Forensics. Springer, Cham. https://doi.org/10.1007/978-3-030-00581-8_1

DOI: https://doi.org/10.1007/978-3-030-00581-8_1

Published: 11 November 2018

Publisher Name: Springer, Cham

Print ISBN: 978-3-030-00580-1

Online ISBN: 978-3-030-00581-8

eBook Packages: Computer Science, Computer Science (R0)


Research on Computer Forensics Technology Based on Data Recovery

Ruibo Duan 1 and Xiong Zhang 2

Published under licence by IOP Publishing Ltd

Journal of Physics: Conference Series, Volume 1648, Information technology

Citation: Ruibo Duan and Xiong Zhang 2020 J. Phys.: Conf. Ser. 1648 032025

DOI: 10.1088/1742-6596/1648/3/032025


Author affiliations

1 Yunnan College of Foreign Affairs & Foreign Language, China, 651700

2 Songming County Public Security Bureau, China, 651700


With the rapid development of information technology, fundamental changes have taken place in the way people work. However, computer crime has also become the main type of case in the Internet era. Therefore, computer forensics technology has become an important research topic in the collection of computer crime evidence. First, this paper analyzes the relationship between computer forensics and data recovery. Then, it analyzes the steps of computer forensics. Finally, it analyzes the application of anti-forensics technology and computer forensics technology.


Content from this work may be used under the terms of the Creative Commons Attribution 3.0 licence. Any further distribution of this work must maintain attribution to the author(s) and the title of the work, journal citation and DOI.

University of Rhode Island


Digital Forensics and Cyber Security Center


Teaching Security for the 21st Century


Academic Excellence in Cybersecurity Education

The NCAE-C have designated URI as a Center of Academic Excellence in Cyber Defense education.

The University of Rhode Island’s Digital Forensics and Cyber Security Center (DFCSC) supports state, national, and international public welfare through education, research, training, and service in forensic investigations and securing information systems. The URI DFCSC is a recognized national leader in providing a strong, cutting-edge, comprehensive program in both fields.

Education and Training

We teach courses in basic and advanced topics of digital forensics and cyber security. We offer undergraduate degrees, graduate certificates, and master's degrees in Digital Forensics and Cyber Security.

We perform research to develop new tools and techniques for digital forensics and cyber security investigations.

We have a state-of-the-art lab where we perform digital forensics services for the legal community and support law enforcement agencies in their investigations. We also provide consulting support to Emergency Management and Law Enforcement agencies in providing cyber security protection to the public.
