Data from computer systems, networks, wireless communications, and storage devices may need to be collected and analyzed in the course of a criminal investigation. The collection and analysis of data for this purpose is called computer forensics. The process of computer forensics encompasses both IT and specific laws to ensure that any data collected is admissible as evidence in court.

Depending on the country, illegal computer or network usage may include:

This is not an exhaustive list.

Two basic types of data are collected when conducting computer forensics procedures: persistent data and volatile data.

Persistent data - Persistent data is stored on a local drive, such as an internal or external hard drive, or an optical drive. When the computer is turned off, this data is preserved.

Volatile data - RAM, cache, and registries contain volatile data. Data in transit between a storage medium and a CPU is also volatile data. It is important to know how to capture this data, because it disappears as soon as the computer is turned off.
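An added example, not part of the original text: capturing volatile state from a running Linux host and hashing each artifact, so that any later change to the collected data can be detected. The listed sources, their order, and the function names are assumptions chosen for illustration.

```python
import hashlib, json, subprocess, tempfile
from datetime import datetime, timezone
from pathlib import Path

def cmd(*argv):
    """Return a collector that runs a command and captures its stdout."""
    def collect():
        return subprocess.run(argv, capture_output=True, timeout=30).stdout
    return collect

def proc_file(path):
    """Return a collector that reads a kernel pseudo-file such as /proc/net/tcp."""
    return lambda: Path(path).read_bytes()

# Assumed Linux sources, shortest-lived state first (illustrative choice).
VOLATILE_SOURCES = [
    ("net_tcp", proc_file("/proc/net/tcp")),
    ("arp_cache", proc_file("/proc/net/arp")),
    ("processes", cmd("ps", "-eo", "pid,ppid,user,lstart,args")),
    ("logged_in", cmd("who", "-a")),
    ("meminfo", proc_file("/proc/meminfo")),
]

def capture(sources, out_dir):
    """Save each source to out_dir and write manifest.json with SHA-256 hashes."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = []
    for name, collect in sources:
        entry = {"name": name, "utc": datetime.now(timezone.utc).isoformat()}
        try:
            data = collect()
            (out / name).write_bytes(data)
            entry["sha256"] = hashlib.sha256(data).hexdigest()
        except (OSError, subprocess.SubprocessError) as exc:
            entry["error"] = str(exc)  # record the failure, keep collecting
        manifest.append(entry)
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(out_dir):
    """Return names whose file no longer matches the hash in the manifest."""
    out = Path(out_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    return [e["name"] for e in manifest if "sha256" in e and
            hashlib.sha256((out / e["name"]).read_bytes()).hexdigest() != e["sha256"]]

if __name__ == "__main__":
    # A temp directory is used here only so the example runs anywhere.
    print(capture(VOLATILE_SOURCES, tempfile.mkdtemp(prefix="volatile_")))
```

In an investigation the output directory would be on separate evidence media, not on the drive being examined, because writing to that drive alters its persistent data.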