Skip to main content Skip to navigation

Digital Forensics

Digital forensics is a branch of computer science that focuses on developing evidence pertaining to digital files for use in civil or criminal court proceedings. Digital forensic evidence would relate to a computer document, email, text, digital photograph, software program, or other digital record which may be at issue in a legal case.

cogsHow does it work?

Investigative process of digital forensics can be divided into four major stages, preservation, collection, examination, and analysis.

Preservation: Preservation stage corresponds to freezing the crime scene.

Collection: Collection stage consists in finding and collecting digital information that may be relevant to the investigation.

Examination: Examination stage consists in an in-depth systematic search of evidence" relating to the incident being investigated.

Analysis: The aim of analysis is to draw conclusions based on evidence found.


A number of techniques are used during computer forensics investigations:

Cross-drive analysis: A forensic technique that correlates information found on multiple hard drives. The process, which is still being researched, can be used for identifying social networks and for performing anomaly detection

Live analysis: The examination of computers from within the operating system using custom forensics or existing system administration tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Deleted files: A common technique used in computer forensics is the recovery of deleted files. Modern forensic software have their own tools for recovering or carving out deleted data.[9] Most operating systems and file systems do not always delete physical file data, allowing it to be reconstructed from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.

Volatile data: When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost. One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool) prior to removing an exhibit. RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate. The length of time for which data recovery is possible is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

Analysis tools: A number of open source and commercial tools exist for computer forensics investigation. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.

Complementary techniques:

Conventional analogue forensic diagnostics (eg. Optical Microscopy, SEM, EDX)

Warwick capability:

Warwick Digital Forensics Laboratory


Claire Gerard: c dot gerard at warwick dot ac dot uk / 07385 145064

Digital Forensics Equipment
Typical results format, and sample:

Digital Forensics OutputDigital Forensics Output



Warwick collect/analyse data

Warwick collect data
 green_tick.gif Available to user with expertise/ contribution
 green_tick.gif Spare capacity for collaborative research