What is Forensic Analysis?
The scientific examination of digital devices and data to recover evidence, used by law enforcement and incident responders.
Digital forensics can recover an extraordinary amount of data from devices, even after deletion.
What Can Be Recovered
- Deleted files (from unallocated disk space)
- Browser history and cached pages
- Chat messages and email
- File access timestamps
- USB device connection history
- WiFi network connection history
- GPS location data
Tools
- Autopsy/Sleuth Kit: Open-source forensic suite
- Cellebrite: Mobile device forensics (used by law enforcement)
- GrayKey: iPhone unlocking tool
- EnCase: Enterprise forensic platform
Defense
- Full-disk encryption (data unreadable without key)
- Secure deletion of sensitive files (overwriting is unreliable on SSDs and other flash media, so full-disk encryption remains the dependable control)
- End-to-end encrypted messaging (no readable content on the server to seize)
- Tails OS (leaves no trace on the host computer)
- Assume any unencrypted data on a seized device WILL be recovered
Related Terms
Anti-Forensics
Techniques used to prevent, disrupt, or mislead digital forensic investigations by destroying evidence or making analysis difficult.
Cold Boot Attack
A technique for extracting encryption keys from a computer's RAM by physically accessing the memory chips shortly after a shutdown, exploiting the fact that DRAM contents fade gradually rather than clearing instantly when power is removed.
Encryption at Rest
Encryption applied to data stored on disks, databases, or other storage media. When data is 'at rest' (not actively being transmitted), encryption protects it from unauthorized access if storage devices are stolen or compromised.