Computer Forensics is the science of examining computers, networks, and data storage devices in order to obtain information relevant to a specific litigation, investigation or criminal proceeding.
Such information may be located in intact or deleted data files, as well as in artifacts that show prior actions related to the data or to the digital devices.
A qualified Computer Forensics expert has specific training (and usually corresponding certifications) in locating, analyzing and interpreting such findings, and in reporting clearly the source and meaning of the data. Usually the expert will present these results to a client as a report, and often support them before the trier of fact through affidavit and/or testimony.
The analysis usually requires access, through specialized forensics software, to computer data that is unavailable to the normal user, in order to recover deleted materials and to examine the operating system’s own records of events and settings. At the same time, the analyst has an absolute obligation to protect all the original evidence against any form of alteration. This includes secure storage to prevent unauthorized access and the use of special equipment that allows reading stored data but prevents any writing to the same devices, which could otherwise spoliate evidence. To support how information was obtained, the analyst will document the chain of custody, analytic steps taken, and the corresponding results produced.
When Computer Forensics experts have followed these principles, they will usually be successful in having their findings admitted, and their opinions as to proper inferences will generally be accepted.