IT forensics (digital forensics) is the scientific investigation and analysis of digital traces following a security incident. The goals are to reconstruct the sequence of events, secure evidence in a court-admissible manner, and determine the scope of the compromise.
The forensic process follows strict principles: evidence is never altered on the original, every action is documented, and the chain of custody remains fully traceable. Tools such as EnCase, Autopsy, or Volatility enable analysis of disk images, memory dumps, and network captures. The incident response plan should define when and how forensics is initiated — early evidence preservation is critical, as volatile data in memory is quickly lost.