Digital forensics, also known as computer forensics, is generally concerned with evidence of activities or occurrences on digital systems. This evidence may be found by examining storage media (e.g. hard disk drives) and/or memory (e.g. RAM). In this regard, digital forensics techniques may be applied to identify, examine, and analyze forensic data in a manner that may preserve the integrity of the information and maintain a strict chain of custody for the data. Analysis of forensic data may be used to support the investigation of crimes, violations of policies, security incidents, reviews of operational problems, and recovery from accidental system damage.
Many organizations today utilize numerous computer systems. Questions often arise regarding activities on those systems, especially as related to legal proceedings or investigations. These questions may relate to an “incident” such as a data breach (for example, an employee, outsider, or program accessing data that she, he, or it should not access) or a system compromise (for example, infection by malicious software). Currently, digital forensics investigation and analysis techniques are generally applied only after an incident occurs.