Computer forensics involves recovering data from a device with the goal of revealing evidence of criminal activity. It is a reactionary practice, meaning it usually takes place after a security breach has already happened, and is not concerned with the prevention of cybercrime, like cyber security is. However, while computer forensics professionals do not prevent cybercrime themselves, the information they uncover can help inform cyber security professionals about how to prevent cybercrimes in the future.
Computer forensics professionals usually work in one of two capacities: they work either with investigators to access a device’s data, or with companies to help them recover lost data. In the first scenario, a computer forensics professional is given access to a suspect’s device in order to help uncover evidence. After receiving the device, they use programming, hardware and software knowledge to help reveal data that can serve as evidence in a trial. In order to do this, the data must be recovered in a very particular manner that does not violate the suspect's rights.
Others who work in computer forensics do so for private companies. These professionals use similar skills to those who work in criminal investigations, but their goal is to recover data so that the company can resume normal operations and regain security for its customers and stakeholders. If the data loss was the result of cybercrime, they may turn over the data as evidence to a law enforcement agency.