Forensics & IR
Digital Forensics
Also known as: Computer forensics, Cyber forensics
Definition
The scientific discipline of identifying, preserving, analysing, and reporting on digital evidence from computers, networks, and devices in a legally defensible way.
Examples
- Imaging the disk of a compromised laptop with FTK Imager and analysing it in Autopsy.
- Recovering deleted files and chat fragments to support an HR investigation.
Related terms
DFIR (Digital Forensics and Incident Response)
A combined discipline that fuses digital forensic investigation with incident response to detect, contain, eradicate, and learn from cyber incidents.
Chain of Custody
The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
Forensic Imaging
Creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence.
Disk Forensics
The analysis of non-volatile storage media — HDDs, SSDs, USB drives — to recover, examine, and interpret file-system, application, and operating-system artefacts.
Memory Forensics
The discipline of acquiring and analysing a system's volatile RAM to reveal running processes, network connections, injected code, and in-memory artefacts.