Ready to Start Your Career?

Digital Forensics: Quick Overview

Divya Bora's profile image

By: Divya Bora

August 16, 2021

digital forensics header Digital Forensics is a branch of forensic science encompassing preservation, acquisition, documentation, analysis, and interpretation of evidence identified from various storage media types while preserving the integrity of the information and maintaining a strict chain of custody for the data. This includes data from computers, mobiles, and laptops, but it is not limited to just that. It also includes data transmitted over public and private networks. Digital Forensics aims to support the elements of troubleshooting, recovery, monitoring, and the protection of sensitive data.


A few goals Digital Forensics aims to achieve are:

  • Identification of the culprit: It aims to identify the prime culprit behind the crime and also helps in postulating the motive behind the crime.

  • Data Redundancy: It recovers the deleted files and provides a method to validate the digital media.

  • Evidence to court: Recovering, analyzing, and preserving digital and forensic evidence assists in carrying out the proper investigation of the evidence and presenting it to the court.

  • Legal Procedures: These are used to assure that the evidence at the crime scene remains uncorrupted.

  • Identify the attack’s impact: It assists in finding the evidence instantly and helps measure the potential impact of the crime or attack.

-Storing evidence properly: It always stores the evidence legally as defined by the court of law and abiding by the chain of custody.


Digital Forensics is a diverse field in cybersecurity. A few types of Digital Forensics are:

1. Memory Forensics Memory Forensics is defined as the analysis of volatile data in a computer’s memory dump. Volatile data is stored in the computer’s temporary memory while it is running, and a memory dump is a snapshot capture of computer memory data from a specific timestamp. Memory forensics consists of the acquisition and analysis of a system’s volatile memory, and hence it is also known as Volatile Memory forensics. It is a crucial step during an investigation. It helps to calculate the damage caused and gathers information about any malicious program used to compromise the system.

2. Malware Forensics Malware Forensics is defined as the process of analyzing and investigating the various properties of malware to determine the attacker’s intent and damage caused. It encompasses checking malicious code, determining the method of propagation based on its entry into the system, and ports used for compromising the systems to calculate the damages caused. A few examples of malware are botnets, rootkits, worms, backdoors, scareware, and virus. Malware analysis is generally of two types: Static Malware analysis and Dynamic Malware Analysis. In Static Malware analysis, the investigator analyzes the code and determines the malware used and its functionality. In Dynamic Malware analysis, the investigator executes the malware to check its functional operations and identify the malware’s intent.

3. Network Forensics Network Forensics is defined as analyzing and recording the various kinds of activities that take place on a network. It also consists of sniffing, acquiring, and analyzing the event logs in a given network, checking for a network security incident. It is essentially used to determine the type of attack over the network and draw a conclusion about the attacker’s intent and damage caused.

4. Database Forensics Database Forensics is defined as the process of analyzing a database where sensitive information is stored. It mainly deals with the permissions granted for database access and the actions performed. It is essential after data security breaches to ascertain the core of the issue. It encompasses the investigation, preservation, authentication, and analysis of the timestamps and verifies the actions performed by the user.

5. Email Forensics Email forensics is defined as the process of analyzing the source and content of an email message, identifying the sender and receiver, establishing the date and time of email, then followed by an analysis of all the entities involved to find out any email forgery in advance. It consists of a thorough understanding of email headers analysis, server investigation, bait tactics, network device investigation, software embedded identifiers, attachment analysis, and sender mailer fingerprints.

6. Wireless Forensics Wireless Forensics is defined as the process of capturing the data traveling over a network, analyzing the network events to gain an understanding of the network vulnerabilities, discovering the source of attacks, and investigating any breaches on the network. It is generally used to determine the nature of activities performed on a network, e.g., Wi-Fi or VoIP.

7. Disk Forensics Disk forensics is defined as the process of extracting specific information from digital media storage devices like CDs, DVDs, floppy disks, flash drives, and USB drives. It consists of searching for active, deleted, or modified files from the media storage device as required during an investigation.


The most common steps followed during a digital forensic investigation are: forensics lifecycle

1. Identification This is where the investigator determines the type of item and whether it is relevant to the investigation. If the item is not relevant, it is marked and kept aside. If the item discovered is relevant, then it is added to the list of Relevant Data. All the data items that were extracted and identified should be enough for the investigator to move forward with their case.

2. Collection This is where the investigator acquires the digital evidence as mentioned in their list created in the previous step. This consists of seizing physical assets like phones, hard drives, and laptops. The investigator needs to be very cautious as no data should be damaged or lost.

3. Preservation In this step, the investigator must safely store and secure the digital media evidence collected from the previous step. It requires secure storage and preservation of the assets from any theft or damage. Data from the asset can be copied or imaged to maintain the integrity of the data.

4. Examination Examination is one of the most crucial steps of the investigation. This involves various methods for identifying and extracting data from the previously identified, collected, and preserved assets. Here, the investigator also determines how to deal with the live system, e.g., power on the seized laptop and dead, or a hard drive connected to a desktop.

5. Analysis During the Analysis step, the investigator analyzes all the previously examined evidence and connects all the dots. They try to create a timeline of any important events that would have taken place and explain their relevance with the case to prove the accused’s malicious intent behind the crime. At times, it takes a number of iterations to conclude from the evidence gathered.

6. Presentation This is where the investigator communicates their findings with the requester by formulating all the evidence in a report. The report contains detailed information about the evidence collected, its examination, and the conclusions.


Some of the pros of Digital Forensics are:

  • Integrity: It assists in ensuring the integrity of the computer system.
  • Chain of custody: Since Digital Forensics is all about extracting, processing, and interpreting factual evidence, it abides by the chain of custody, which is acceptable in court and used to prove the intentions and actions of the accused.
  • Evidence: It assists in producing evidence in court, which could lead to the punishment of the guilty.
  • Protection: It assists organizations in saving valuable time and financial resources.
  • Essential information: It assists organizations in capturing essential information about their systems and networks and helps determine whether they are compromised.
  • Efficiency: It assists in tracking down the attacker from wherever the attack occurred.


Some of the cons of Digital Forensics are:

  • Standardized tools: The forensic tools used while investigating the case should meet the specific standards approved by the court of law. Otherwise, the evidence may be disregarded by the court.
  • Expensive: The production and storage of electronic or digital records can become expensive.
  • Lack of physical evidence: In some cases, the lack of physical evidence makes the prosecution of the accused difficult.
  • Tamperproof: The digital evidence produced in court is only valid if the investigator proves its authenticity and integrity. If it’s tampered with, it will be disregarded.
  • Technical knowledge: For the digital evidence to be properly accommodated and judged in a case, the legal practitioner must have extensive technical knowledge. Lack of knowledge can lead to impaired results.

Everyday Forensics is a course specifically designed to strengthen essential knowledge of Digital Forensics for a beginner. Digital Forensics Investigation will provide hands-on training and make the topics covered in this article clearer. DFIR Investigations and witness testimony will be a perfect start for students with intermediate knowledge as it is a deep dive into the Digital Forensics investigation process.


  1. (Image 1)
  8. 2)
Schedule Demo