Digital forensics is a subset of forensics — the collection and analysis of criminal evidence — that focuses on digital information. Examples include retrieving data from a computer, analyzing the metadata of specific files, and monitoring network traffic.
A common first step in the digital forensics process is accessing data from an electronic device. For example, a laptop, smartphone, or cloud storage account may contain data that pertains to a specific investigation. In some cases, the data is easily accessible, while in others, the data may be encrypted or require a login. Digital forensics may also involve recovering data from a damaged or partially erased storage device.
After gaining access to the data, investigators may search or browse through folders and files to find relevant information. For instance, they may look for emails or text messages sent at a specific time. Images or videos may also provide useful evidence. The metadata of certain files can be helpful as well. For example, an email header may include the IP address of the device that sent the message. Image EXIF data may include GPS location information, as well as the date and time the image was taken.
While digital forensics typically focuses on recovering existing data, it may also involve monitoring data in realtime. For instance, a detective may use a packet sniffer to record packets sent over an individual's wireless connection.
Regardless of the process used to recover digital information, the authenticity of the data is paramount in criminal cases. Since digital information can easily be copied or modified, it is often difficult to verify original data. Corroborating evidence may be required to ensure that digital data has not been altered. Examples include copies of data from multiple devices and log files from a server.