Skip to content ↓ | Skip to navigation ↓

Computer forensics involves the processes of analyzing and evaluating digital data as evidence. It is the analysis of information contained within and created with computer systems and computing devices, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved.

Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine, and preserve information that is magnetically stored or encoded.

Uses for Computer Forensics

Computer forensics is used for:

  • Law enforcement
  • Enforcing employee policies
  • Gathering evidence against an employee while being careful to follow the legal requirements for an organization wishes to terminate
  • Recovering data in the event of a hardware or software failure
  • Understanding how a system works.

Steps Involved in Computer Forensics


Data Mirroring

One of the most important steps in digital forensics is the process of data mirroring, more commonly known as disk imaging. Disk imaging takes a sector-by-sector copy, usually for forensic purposes, and as such it will contain some mechanism to prove that the copy is exact and has not been altered.

It is the process of disk imaging that allows a forensic investigator to view the contents of a storage medium or computer without altering the original data in any way.

Tool: Live View

Live View is a forensics tool that creates a VMware virtual machine out of a raw disk image or physical disk. This allows the forensic examiner to boot up the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk.

Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk.


The end result is that one need not create extra “throw-away” copies of the disk or image to create the virtual machine.

Tool: DumpIt

DumpIt is used to generate a physical memory dump of Windows machines. It works with both 32-bit and 64-bit machines. Perfect to deploy the executable on USB keys, for quick incident response needs.


In the next article in this series we will look at free tools for registry forensics – stay tuned!


About the Author: Mohit Rawat writes for Infosec Institute and is an engineering graduate and works as a Security Analyst.Specialized in social engineering, penetration testing, application vulnerability assessments, digital forensics investigations and IT security architecture. He works for both public and private sector clients, perform penetration testing, digital forensics investigations and deliver security training to IT professionals.


Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.


Related Articles:



picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].


picDefinitive Guide to Attack Surface Analytics

Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.


Title image courtesy of ShutterStock