Common types of digital forensics and their applications in the modern courtroom

Common Types of Digital Forensics in the Modern Courtroom

Digital evidence has become unavoidable in modern litigation. A single personal injury case might involve text messages from a passenger’s iPhone, GPS data from a vehicle’s infotainment system, surveillance footage from a smart doorbell, and cloud-stored work documents that establish a timeline. Each of those evidence sources requires a different forensic specialization, and the differences matter — both for what can be recovered and for what will hold up under cross-examination.

The umbrella term “digital forensics” hides a fairly granular set of disciplines underneath it. Some focus on specific device categories, others on specific data sources, and a few are defined by the procedural context in which they’re applied. Knowing which type fits a given matter affects who you should retain, what data you can realistically expect, and which technical objections to anticipate from opposing counsel.

Mobile Forensics

Mobile forensics is the analysis of smartphones, tablets, and similar handheld devices, and it’s the single most common type of digital evidence in both civil and criminal matters. The reason is concentration: a modern phone contains a denser collection of personal data than any other device a person owns — messages, photos, location history, health metrics, app activity, browsing history, biometric records, and credentials for dozens of accounts.

The acquisition process varies dramatically depending on the device. Older Android phones may permit physical extractions that yield deleted data, while modern iPhones running current iOS versions typically only allow logical or file-system extractions. The encryption posture of the device at the time of seizure — whether it’s powered down or recently unlocked — often determines what’s recoverable.

A common misconception in litigation is that “we got the phone” means “we have everything from the phone.” That’s rarely true. Cloud backups, third-party app data, and content that was never synced locally all live elsewhere, which is why smartphone forensic analysis frequently intersects with cloud and SaaS evidence collection.

Computer Forensics

Computer forensics covers laptops, desktops, and servers — the discipline most people associate with the broader term “digital forensics” because it’s been around the longest. The evidence here is structurally diverse: documents and their metadata, email stored locally in PST or OST files, browser history, USB device connection logs, file timestamps, deleted files recoverable from unallocated space, and entries in the Windows registry or macOS plists.

Solid-state drives have meaningfully changed the discipline over the past decade. SSDs perform background operations like garbage collection and TRIM that can overwrite data the examiner is trying to recover, often within minutes of the drive being powered on. That changes the procedural calculus around what you can and can’t promise the court about a recovered artifact.

Examples of where computer forensic analysis typically becomes pivotal:

  • Employment disputes involving alleged data theft or trade secret misappropriation
  • White-collar criminal matters where document authorship or modification timing is contested
  • Family law cases where a shared computer contains evidence of hidden assets or communications
  • Internal investigations into policy violations by employees with elevated system access

The technical depth matters because objections about contamination, write-blocker use, and hash verification routinely come up at deposition and trial.

Cloud and SaaS Forensics

Cloud forensics deals with evidence that lives on someone else’s infrastructure. That includes Microsoft 365, Google Workspace, iCloud, Dropbox, AWS, Salesforce, Slack, and the long tail of SaaS platforms that businesses now run on. The technical and legal complications here are different in kind from on-premises forensics, not just in degree.

Acquisition typically happens through provider APIs, native export tools, or formal preservation requests rather than by imaging a physical drive. That introduces issues around scope (you only get what the provider’s tool exposes), authenticity (you’re trusting the provider’s audit logs), and jurisdiction (where the data physically sits versus where the case is being tried).

A subtle but important point: many cloud platforms retain deleted data for a finite window, often 30 to 90 days depending on the provider and license tier. Once that window closes, the data is gone regardless of any preservation letter served afterward.

Speed of preservation often matters more in cloud and SaaS investigations than in any other type of digital forensics.

Network Forensics

Network forensics is the analysis of data in transit rather than data at rest. The evidence sources are packet captures, NetFlow records, firewall and proxy logs, intrusion detection alerts, DNS query logs, and authentication records from identity providers. Each tells a different part of the story of what moved across a network and when.

This discipline shows up most often in incident response, where the question is “what did the attacker do, when, and how far did they get.” It also appears in trade secret cases (to demonstrate that a file was actually exfiltrated rather than just opened), in employment matters involving inappropriate use of corporate networks, and in any case where a timeline has to be reconstructed across multiple systems.

Network evidence is volatile by nature. Unless a packet capture or log was running at the time of the event, the underlying data may simply not exist anymore — which is why organizations with mature security programs configure long retention periods specifically for forensic purposes.

IoT Forensics

The internet of things now includes smart speakers, video doorbells, smart locks, fitness wearables, connected appliances, GPS trackers, and an expanding category of ambient devices that quietly record activity in homes and workplaces. IoT forensics is the youngest of the major disciplines and the one evolving fastest.

The challenges are largely structural. Most smart devices have proprietary firmware, minimal local storage, and a heavy reliance on companion mobile apps and vendor clouds. The data of interest is rarely on the device itself — it’s usually a mix of device, companion app, and cloud-side records that have to be acquired separately and reassembled into a coherent timeline.

Smart speakers and video doorbells have appeared in homicide and assault cases as either inculpatory or exculpatory evidence. Wearables have become important in personal injury matters where step counts, heart rate, and GPS movement contradict a party’s claimed timeline. Expect this category of smart device investigations to expand significantly over the next several years as more home and office activity becomes silently recorded.

Email Forensics

Email forensics is its own discipline despite touching every other category on this list. The reasons are practical: email is the primary documentary record in most civil litigation, the most common initial vector in cybercrime, and the evidence type that most routinely requires authenticity analysis at the message-header level.

The forensic work splits into a few common matter types. Business email compromise investigations focus on header analysis, login records, and inbox rule manipulation to reconstruct how an attacker impersonated an executive. Phishing analysis traces a message back to its origin to support attribution. Authenticity disputes — where one party claims an email is fabricated or altered — rely on chain-of-custody analysis, header forensics, and comparison against the sender’s mail server records.
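The header analysis described above, as an added illustration rather than code from the original article: it walks the Received chain of a constructed message back to its first hop and compares the claimed sender against the Authentication-Results and Message-ID domain. The message, hostnames and addresses are constructed (documentation ranges), and the checks are the author's own choice of the common ones, not an exhaustive method.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): a message claiming to be from the
# CEO's domain but injected at an unrelated relay; addresses are documentation ranges.
RAW_MESSAGE = """\
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.10])
\tby inbox.example-corp.test with ESMTPS; Tue, 05 Mar 2024 10:02:11 +0000
Received: from relay.unrelated-host.test (relay.unrelated-host.test [198.51.100.7])
\tby mx.example-corp.test with ESMTP; Tue, 05 Mar 2024 10:02:09 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.unrelated-host.test with ESMTPA; Tue, 05 Mar 2024 10:01:58 +0000
Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=example-corp.test; dkim=none
From: "CEO" <ceo@example-corp.test>
To: cfo@example-corp.test
Subject: Vendor payment
Message-ID: <constructed-001@relay.unrelated-host.test>

Please call me about the vendor payment before noon.
"""

HOP_FROM = re.compile(r"from (\S+)(?:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\])?")
HOP_BY = re.compile(r" by (\S+)")

def header_origin_report(raw: str) -> dict:
    """Walk the Received chain back to its origin and compare the claimed
    sender against authentication results and the Message-ID domain."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        hop = re.sub(r"\s+", " ", value)          # unfold continuation lines
        m_from, m_by = HOP_FROM.search(hop), HOP_BY.search(hop)
        hops.append({"from_host": m_from.group(1) if m_from else None,
                     "from_ip": m_from.group(2) if m_from else None,
                     "by": m_by.group(1) if m_by else None,
                     "date": hop.split(";")[-1].strip()})
    hops.reverse()  # each relay prepends its header, so the last one is the first hop
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    msgid_domain = msg.get("Message-ID", "").strip().strip("<>").rpartition("@")[2].lower()
    origin = hops[0] if hops else {"from_host": None, "from_ip": None}
    findings = []
    if auth.get("spf") != "pass":
        findings.append(f"SPF result for {from_domain} is {auth.get('spf', 'absent')}")
    if auth.get("dkim") != "pass":
        findings.append(f"DKIM result is {auth.get('dkim', 'absent')}")
    if msgid_domain and msgid_domain != from_domain:
        findings.append(f"Message-ID domain {msgid_domain} differs from From domain {from_domain}")
    if not (origin["from_host"] or "").lower().endswith(from_domain):
        findings.append(f"first hop {origin['from_host']} ({origin['from_ip']}) is outside {from_domain}")
    return {"origin_host": origin["from_host"], "origin_ip": origin["from_ip"],
            "hops": hops, "auth": auth, "from_domain": from_domain, "findings": findings}
```

Received headers below the receiving organization's own servers can be forged by the sender, so an examiner treats the hops above the first trusted relay as reliable and the rest as claims to be corroborated against the sender's mail server records.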

Most modern email lives in Microsoft 365 or Google Workspace, which means email forensic analysis is increasingly a cloud forensics exercise. The legacy PST and OST files that store local Outlook copies still come up, particularly in older matters or when a former employee’s archived mailbox is the only surviving record.

Vehicle Forensics

Modern vehicles are rolling computers with dozens of electronic control units, infotainment systems, telematics modules, and sensors. Vehicle forensics extracts data from those components to reconstruct what happened before, during, and after an incident — most commonly a collision, but also theft, vehicular homicide, and DUI matters.

The primary evidence sources include the event data recorder (often called the “black box”), the infotainment system (which logs paired Bluetooth devices, navigation history, and recent calls), telematics modules in connected vehicles, and the diagnostic data preserved in various ECUs. Electric vehicles, particularly Teslas, store substantially more data than internal combustion vehicles, including detailed driving logs and in some cases exterior camera footage.

Two procedural notes matter here. First, vehicle data must be preserved promptly because EDR data can be overwritten and ignition cycles can degrade certain logs. Second, the manufacturer often controls the proprietary tools required to access certain data formats, which can become an issue in matters where a manufacturer is a party to the litigation.

Drone Forensics

Drone forensics is a narrower discipline focused on unmanned aerial vehicles — most often consumer DJI drones, but increasingly commercial and law-enforcement platforms as well. The relevant evidence lives in three places: the drone itself, the controller or paired mobile device, and the vendor’s cloud services.

UAV forensic analysis tends to cluster around a few scenarios. Privacy and trespass complaints often need flight path reconstruction to establish whether a drone was actually over the complainant’s property. Critical infrastructure incursions and airport incidents require attribution work to identify the operator. Property damage and personal injury matters involve mechanical and operational reconstruction similar to vehicle work.

The technical specifics of acquisition vary by manufacturer and model. DJI has historically been the most well-documented platform, but newer firmware versions have limited some acquisition methods that worked on older devices, which is one reason drone investigations require examiners who keep current with the platform.

Cell Site Analysis

Cell site analysis sits at the intersection of mobile forensics and telecommunications evidence. It uses historical cell site records — the records carriers maintain showing which towers and sectors a phone connected to over time — to estimate where a device, and presumably its user, was located during specific time windows.

The discipline has been controversial. Early prosecutions sometimes overstated the precision of cellular location evidence, and appellate decisions over the past decade have pushed back on testimony that treated tower coverage areas as small, fixed geographic zones. Modern, defensible cell tower forensics accounts for tower load balancing, sector overlap, signal propagation through different terrain, and the meaningful distinction between “pinged” and “served” connections.

Cell site analysis appears most often in homicide, assault, robbery, and conspiracy cases. It also shows up in civil matters where a party’s claimed location at a specific time is in dispute — wrongful death suits, employment cases involving claimed off-the-clock work, and certain insurance disputes.

Mobile Device Unlocking

Mobile device unlocking is technically a subspecialty of mobile forensics, but it has become significant enough on its own to warrant separate treatment. Modern smartphones — particularly recent iPhones and high-end Android devices — encrypt user data by default and require a passcode, biometric, or vendor cooperation to decrypt.

The forensic landscape around unlocking changes constantly. Tools and techniques that worked six months ago may be defeated by the next operating system update. The state of the device at seizure (locked, before-first-unlock, or after-first-unlock) significantly affects what’s possible. Chip-off and JTAG techniques exist for some older devices but generally do not defeat modern full-disk encryption.

Examples of where mobile unlocking expertise becomes essential:

  • Criminal matters where a defendant’s device was seized lawfully but is locked
  • Decedents’ estates where a phone contains data needed by executors or family members
  • Family law cases involving discovery of a child’s device or a spouse’s hidden device
  • Corporate investigations involving departed employees whose company-issued phones are locked

The legal and ethical posture matters as much as the technical capability. Accessing locked phones generally requires either consent, a warrant, or some other lawful basis — questions that come up routinely in suppression motions.

Malware Analysis

Malware analysis is the discipline of examining malicious software to understand what it does, who deployed it, and what damage it caused. The forensic context is most often incident response — a ransomware deployment, a data breach, a business email compromise — but the work also surfaces in criminal cases involving fraud, intellectual property theft, and unauthorized access.

The work splits into two complementary approaches. Static analysis examines the malware’s code, structure, and embedded indicators without executing it. Dynamic analysis runs the malware in a controlled environment to observe its behavior, network connections, and file system changes. Serious matters typically require both, with each method confirming or extending the findings of the other.

In litigation, examining malicious software appears most often in subrogation cases between insurers and breach victims, in regulatory enforcement actions following data breaches, and in attribution disputes where one party claims a specific threat actor is responsible.

eDiscovery

eDiscovery — electronic discovery — is the process of identifying, preserving, collecting, processing, reviewing, and producing electronically stored information in litigation. It’s a workflow rather than a single technical discipline, but it shares enough methodology with forensics to be considered alongside it.

The standard reference framework is the EDRM, or Electronic Discovery Reference Model, which breaks the process into discrete stages from initial information governance through final presentation. Forensic principles apply most heavily at the preservation and collection stages, where chain of custody, hash verification, and defensible methodology determine whether the produced data will hold up under challenge.

Modern electronic discovery faces three pressures that didn’t exist a decade ago: massive cloud and SaaS data volumes, ephemeral messaging platforms like Signal and Snapchat, and the rise of AI-generated content that may need to be authenticated or excluded. Each has changed how attorneys negotiate ESI protocols and how examiners structure collections.

Digital Forensics Expert Testimony

Forensic findings are only useful in litigation if they can be presented credibly in court. Digital forensics expert testimony is the discipline of translating technical work into admissible, persuasive evidence — both in written reports and in live testimony at deposition, hearing, or trial.

The governing legal framework in federal court is the Daubert standard, which requires testimony to be based on reliable methods, applied reliably to the facts of the case, and offered by a qualified expert. State courts follow either Daubert, the older Frye standard, or some hybrid of the two. A competent forensic examiner structures methodology with admissibility in mind from the outset, not after the fact.

Cross-examination is where weak forensic work usually breaks down. Opposing counsel will probe assumptions, ask about alternative explanations, challenge tool reliability, and look for gaps in the chain of custody. Reports written with anticipation of those challenges hold up substantially better than reports written purely as technical documentation, which is why qualified expert witnesses are typically engaged well before trial preparation begins.

How the Disciplines Fit Together

A single litigation matter often pulls from four or five of the above disciplines simultaneously. A breach of contract case involving a former employee might combine computer forensics on her work laptop, mobile forensics on a personal phone produced in discovery, cloud and SaaS forensics on her Microsoft 365 account, email forensics on disputed messages, and ultimately expert testimony to put the whole picture in front of a jury. Each discipline contributes a fragment of the timeline, and the value comes from how those fragments fit together.

The practical implication for attorneys and investigators is that engagement decisions should be made early. Determining which types of digital forensics a matter requires — and confirming that the retained examiner has direct expertise across all of them — avoids the common problem of a generalist mishandling a discipline that requires specialized tools, training, and recent platform knowledge.

Chain of custody is the connective tissue across everything above. Regardless of which disciplines are in play, the evidentiary value of any digital forensics work product depends on a documented, defensible chain from acquisition through analysis to presentation. That’s a procedural standard rather than a technical one, and it applies equally to a packet capture, a smartphone extraction, an EDR download, and a cloud preservation.
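The hash verification mentioned under computer forensics and eDiscovery, and the chain of custody described just above, as an added example that is not part of the original article: it re-hashes a constructed evidence image against its acquisition hash and checks a custody log for continuity. Linking each record to the digest of the previous one is the author's own way of making the log tamper-evident, not a standard the article names; the image bytes, names and timestamps are constructed.

```python
import hashlib
from datetime import datetime

# Constructed stand-in for an acquired image (a raw disk, phone or EDR dump).
EVIDENCE_IMAGE = b"constructed evidence image bytes, not a real disk image\n" * 64
FIELDS = ("step", "handler", "timestamp", "image_sha256", "prev")

def sha256_of(data: bytes, chunk_size: int = 4096) -> str:
    """Hash the image in fixed-size chunks, as you would for a multi-GB file."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()

def custody_entry(step: str, handler: str, timestamp: str, image_hash: str, prev: str) -> dict:
    """One custody record. 'prev' is the digest of the preceding record, so
    editing or dropping an earlier record breaks every record after it."""
    entry = {"step": step, "handler": handler, "timestamp": timestamp,
             "image_sha256": image_hash, "prev": prev}
    entry["digest"] = hashlib.sha256("|".join(entry[k] for k in FIELDS).encode()).hexdigest()
    return entry

def verify_chain(image: bytes, log: list) -> list:
    """Return the problems found; an empty list means the image still matches
    its acquisition hash and the log is linked, unaltered and time-ordered."""
    problems = []
    acquired = log[0]["image_sha256"]
    if sha256_of(image) != acquired:
        problems.append("image hash no longer matches acquisition hash")
    prev, last_time = "", None
    for i, e in enumerate(log):
        label = f"entry {i} ({e['step']})"
        recomputed = hashlib.sha256("|".join(e[k] for k in FIELDS).encode()).hexdigest()
        if recomputed != e["digest"]:
            problems.append(f"{label} was altered after it was recorded")
        if e["prev"] != prev:
            problems.append(f"{label} does not link to the previous entry")
        if e["image_sha256"] != acquired:
            problems.append(f"{label} records a different image hash")
        t = datetime.fromisoformat(e["timestamp"])
        if last_time is not None and t < last_time:
            problems.append(f"{label} is timestamped before the previous entry")
        prev, last_time = e["digest"], t
    return problems

def build_sample_log(image: bytes) -> list:
    """Constructed three-step custody log (acquisition, transfer, analysis)."""
    image_hash, log, prev = sha256_of(image), [], ""
    for step, who, when in (("acquisition", "examiner A", "2024-03-01T09:00:00"),
                            ("transfer", "evidence custodian", "2024-03-01T11:30:00"),
                            ("analysis", "examiner B", "2024-03-04T14:00:00")):
        e = custody_entry(step, who, when, image_hash, prev)
        log.append(e)
        prev = e["digest"]
    return log
```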