Computer forensics is simply the application of computer investigation and analysis techniques in the interest of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft or destruction of intellectual property, and fraud. Computer specialists can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information. Any or all of this information may help during discovery, depositions, or actual litigation.
Protection of evidence is critical. A knowledgeable computer forensics professional will handle a subject computer system carefully to ensure that:
- No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer.
- No possible computer virus is introduced to a subject computer during the analysis process.
- Extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
- A continuing chain of custody is established and maintained.
- Business operations are affected for a limited amount of time, if at all.
- Any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged.
What is the purpose of computer forensics?
- To determine whether the concerned system was compromised
- To determine how the system was compromised
- To determine the perpetrator's identity
- To determine what damage has occurred
- To gather evidence for prosecuting the perpetrator in a law-abiding manner
- To recover mission-critical information or any incriminating evidence