Computer Forensics And E-Discovery: The Important Difference Between Computer Forensics And E-Discovery

Posted in Forensics and Investigations on May 2, 2024
Computer Forensics And E-Discovery

The computer forensics and E-Discovery. E-Discovery is the process of identifying, preserving, collecting, processing, reviewing, and analyzing electronically stored information (ESI) in legal proceedings. Identifying, preserving, collecting, analyzing, and reporting on digital information is part of the computer forensics process. As you can see, they are very similar until the crucial difference, the party in charge of analyzing the data.

The Computer Forensics And E-Discovery

The expert’s role in an E-Discovery case is to provide information to legal teams in a reviewable format for analysis. When using computer forensics, however, the expert will analyze the data and report the findings to the legal teams. In my opinion, the primary distinction between E-Discovery and computer forensics is the party performing the electronic information analysis.

Computer Forensics And E-Discovery

Computer Forensics

Computer forensics is applying investigation and analysis strategies to gather and store evidence from a certain computing device in a way that is suitable for presentation in a court of law. The goal is to perform a proper investigation and maintain a documented chain of evidence to search what happened on a computing device and who was responsible for it.

Computer forensics, which is sometimes referred to as computer forensic science, is data recovery with legal compliance guidelines to make the information permissible in legal proceedings. The terms digital forensics and cyber forensics are also used for computer forensics.

Why Is Computer Forensics Important?

In the civil and criminal justice system, computer forensics makes sure that the integrity of digital evidence presented in court is preserved. As Data-collecting devices are used frequently in every aspect of life, digital evidence and the forensic process has become more important in solving crimes and other legal issues.

The information these devices collect is not accessible by many. However, this information may be critical in solving a legal matter or a crime, and computer forensic help in collecting that information.

Only digital-world crimes like data theft, network breaches, and illegal online transactions do not use digital evidence but it’s also used to solve physical-world crimes like burglary, assault, hit-and-run accidents, and murder. Businesses mostly use multilayered data management, data governance, and network security technique to keep proprietary information safe which helps streamline the forensic process.

Computer forensics is also used to track information related to a system or network by businesses, which can be used to identify and confront cyber attackers.

Types Of Computer Forensics

There are many types of computer forensic examinations. Each deals with a particular aspect of information technology. Some of the main types include:

Database Forensics

The analysis of information contained in databases, both data, and related metadata is known as database forensics. It follows the normal forensic process and applies investigative techniques to database contents and metadata.

A forensic examination of a database involves the logging of timestamps that log any updates made to the database and capture details such as the name of the user making change, what part of the database was changed, when was the change made. This logging helps provide an audit trail and helps in investigations in the event of any wrongdoing. This aspect of forensic investigation records the logs as the updates are made. Alternatively, a forensic examination may also involve identifying transactions within a database system that indicate evidence of wrongdoing, such as fraud after the transaction has taken place.

This will involve a review of the logs, and other data drill-down exercises to identify unusual trends in the data. Transactions made very late at night, or on weekends, or on public holidays can indicate that these transactions may be made with malicious intent. Forensic accountants identify such perimeters within the database to look for potential wrongdoing.

Forensic accountants also make use of software tools to help them manipulate and analyze data. These tools provide audit logging capabilities which provide documented proof of what tasks or analysis a forensic examiner performed on the database.

Email Forensics

Email forensics is the study of the source and content of the email as evidence to identify the actual sender and recipient of a message along with some other information such as the date or time of transmission and intention of the sender. It involves investigating metadata, port scanning as well as keyword searching. It involves The examination of emails and other information contained in email platforms, such as schedules and contacts.

There are data strands attached to each email that provide information such as whether the email was red when was it read, and if the email includes any links whether those links were clicked on. Such data strands are called metadata and this is stored within the email software. Forensic accountants make use of specialist tools to extract this metadata which can be helpful in their overall investigation.

Malware Forensics

Malware forensics involves examining code to find possible fraud programs and analyzing their payload. Such programs may include Trojan horsesransomware, or various viruses.  It is a way of finding, analyzing, and investigating various properties of malware to seek out the culprits and find a reason for the attack. The method also includes tasks like checking out the malicious code, determining its entry, method of propagation, impact on the system, ports it tries to use, etc. investigators conduct a forensic investigation using different techniques and tools.

Memory Forensics

Memory forensics refers to collecting information stored in a computer’s random access memory (RAM) and cache. It refers to the analysis of volatile data in a computer’s memory dump. Information security professionals conduct memory forensics to investigate and identify attacks or malicious behaviors that do not leave easily detectable tracks on hard drive data.

Mobile Forensics

Mobile forensics is a branch of digital forensics and it is about the acquisition and the analysis of mobile devices to recover digital evidence of investigative interest. It involves the examination of mobile devices to retrieve and analyze the information they contain.

As mobiles become more and more powerful and their computational capabilities increase, a lot of stuff that previously required PCs or laptops can be carried out using mobile phones. Things like approving a payment, approving transactions, or reviewing documents can all be done via mobiles.  As a result of this, a specialist field of mobile forensics has evolved in recent years which involves logging all the actions taken via mobile devices similar to computer forensics.

Network Forensics

Network forensics is the study of data in motion, with a special focus on gathering evidence via a process that will support admission into court. This means the integrity of the data is paramount, as is the legality of the collection process.  It involves looking for evidence by monitoring network traffic. 

Usually, companies have their intranet which restricts access to the world wide web to prevent data leakage and hacking attempts. However, even within intranets, data can be stolen, leaked, or hacked.

Network forensics is deployed in the event of any such data leakage, theft, or cyber-attack and helps identify causes for such an event and potentially also identify the person responsible for such an event. 

The responsible person may have done the actions that lead to such an event deliberately for financial gains in which case they may be subject to a civil or criminal proceeding. Alternately, they may have fallen victim to phishing scams or any other such scams in which case this may indicate a more prevalent issue and may require more training and awareness for staff related to such risks.

Computer Forensics And E-Discovery


Electronic discovery is the discovery made in legal proceedings such as litigation or government investigations, where the information required is in electronic format. Electronic discovery is based on rules of civil procedure and processes, involving review for privilege and relevance before turning over data to the requesting party.

Electronic information is considered different from paper information because of its intangible form, volume, transience, and persistence. Electronic information is usually accompanied by metadata that is not found in paper documents and that can play an important part as evidence. It is fairly easy to preserve metadata from electronic documents to stop spoilation.

Types Of Electronically Stored Information

Any data that is preserved in an electronic form may be subjected to production under common e-Discovery rules. This type of data has included email and office documents, but can also include photos, video, databases, and other filetypes.

Raw data is also included in e-discovery, which forensic investigators can review for hidden evidence. The original file format is called native format. Litigators may review material from e-discovery in several formats like printed paper, native file, or a petrified, paper-like format, such as PDF files or TIFF images. Modern document review platforms lodge the use of native files and allow for them to be converted to TIFF and Bates-stamped for use in court.

Electronic Messages

Some archiving systems register unique code to each archived message or chat to establish authenticity. The systems stop changes to original messages. Messages cannot be deleted, and the messages cannot be accessed by unauthorized persons.

Databases And Other Structured Data

Structured data is normally included in databases or datasets. It is arranged in tables with columns and rows along with defined data types. The most common are Relational Database Management Systems that are capable of handling large volumes of data such as Oracle, IBM DB2, Microsoft SQL Server, Sybase, and Teradata. The structured data domain also comprises spreadsheets, desktop databases like FileMaker Pro and Microsoft Access, structured flat files, XML files, data marts, data warehouses, etc.


Voicemail may be discoverable under electronic discovery laws. Employers may have a duty to retain voicemail if there is a chance of litigation involving that employee. Data from voice assistants like Amazon Alexa and Siri have been used in criminal cases.

Final Thoughts

The science of analyzing electronic data is known as computer forensics. Computer forensics can be performed on any digital medium, whether hardware or software. A Computer Forensics case can involve almost any type of data, from computers, cellular devices, tablets, and flash drives to application-specific data, cloud storage accounts, and everything in between. Different types of computer forensics are primarily an artifact-based service that finds the facts through investigation, as well as reviewing content if necessary.

E-Discovery can be defined as the search for relevant evidence within a collection of data. E-Discovery forensics entails taking data, typically documents, and searching through it using keywords, date restrictions, or other metrics, separating out documents deemed relevant to the case. This type of search service is becoming more popular and requested in the legal world, as electronic searching outperforms physical eye-to-paper review in terms of accuracy and time utilization. E-Discovery is a content-only service that uncovers the truth through targeted, customized searching.