In cyber crimes, the physical evidence that was the backbone of criminal investigation no longer exists. The domain of evidence has moved from the physical to the virtual: digital evidence. Digital evidence is latent in nature and, much like DNA analysis, needs tools to gather and interpret it. Since any evidence has to be accepted by a court of law, digital evidence also needs to be produced in a manner acceptable to the court. A new area of computing, known as Cyber Forensics, has become the need of the hour to facilitate the acquisition and analysis of digital evidence. Cyber forensics has been defined as “the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations”.

Cyber Forensics activities can be broadly classified into three areas:

Computer (disk) forensics: deals with gathering evidence from computer media seized at the crime scene.
Network forensics: deals with gathering digital evidence that is distributed across large-scale, complex networks. Often this evidence is transient in nature and is not preserved on permanent storage media.
Device forensics: deals with gathering digital evidence available in different types of devices such as mobile phones, PDAs, printers, scanners, cameras, fax machines, etc.

Each of these areas has since become an independent research area in its own right.

In cyber crimes the evidence is the digital information available on the computers or devices used in the crime. This digital evidence is highly volatile and prone to modification by others. The challenge before the information technology community is how to prepare evidence in cyber crimes from computers and networks so that it can be effectively presented before a court of law. A cyber forensics procedure that conforms to the law is needed for proving the digital evidence in court. The most accepted procedure is: Identify, Seize, Authenticate, Acquire, Analyse, and Preserve the evidence. Within this procedure, authentication of the digital evidence is the most important component, because digital evidence is highly prone to tampering. Most cyber forensics experts use one-way hashing methods such as MD5 or SHA1 to create a signature of the evidence that will change if the evidence is tampered with. Cyber forensics analysis requires tools that can access any data available on the mass storage media, including deleted files and data in unallocated disk areas. Cyber crime investigation is actually a team effort in which law enforcement agencies, computer experts and cyber forensics experts work together to unearth the evidence required for proving the crime in a court of law.
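The authentication step described above, as an added example that is not part of the original text: a Python script that takes chunked digests of an evidence image at acquisition time, stores them in a hypothetical chain-of-custody record, and re-verifies the image later, showing that a single flipped bit is detected. It records SHA-256 alongside SHA1 because MD5 and SHA-1 have known collision attacks; the sample image bytes, the examiner name and the record format are constructed for illustration.

```python
import hashlib
import io
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for a seized disk image (not real evidence).
SAMPLE_IMAGE = b"CONSTRUCTED SAMPLE IMAGE: MBR|FAT|file-slack|unallocated" * 8

def hash_stream(stream, algorithms=("sha1", "sha256"), chunk_size=1 << 20):
    # Digest in chunks so a multi-gigabyte image never has to fit in memory.
    # SHA-256 is recorded alongside SHA-1 because MD5 and SHA-1 have known collision attacks.
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data, **kw):
    return hash_stream(io.BytesIO(data), **kw)

def hash_file(path, **kw):
    with open(path, "rb") as fh:
        return hash_stream(fh, **kw)

def acquisition_record(path, examiner):
    # Acquisition-time signature, kept apart from the image (hypothetical chain-of-custody entry).
    path = Path(path)
    return {"file": path.name, "size": path.stat().st_size,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "examiner": examiner, "hashes": hash_file(path)}

def verify(path, record):
    # Authentic only if the size and every recorded digest still match.
    if Path(path).stat().st_size != record["size"]:
        return False
    current = hash_file(path, algorithms=tuple(record["hashes"]))
    return all(current[n] == d for n, d in record["hashes"].items())

def demo():
    # Returns (verified before tampering, verified after one flipped bit).
    with tempfile.TemporaryDirectory() as d:
        img = Path(d, "evidence.dd")
        img.write_bytes(SAMPLE_IMAGE)
        record = acquisition_record(img, "examiner-01")
        before = verify(img, record)
        tampered = bytearray(SAMPLE_IMAGE)
        tampered[40] ^= 0x01
        img.write_bytes(bytes(tampered))
        return before, verify(img, record)
```

Running `demo()` returns `(True, False)`: the untouched image verifies, the image with one flipped bit does not.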