Forensics

Collecting and analyzing evidence from systems in a defensible, repeatable way.

Digital forensics collects and analyzes evidence so findings hold up under scrutiny (and potentially in court). Preserve chain of custody and hash evidence before and after handling to prove it wasn’t altered. Collect by order of volatility — registers/cache → RAM → disk → backups → archives — because the most fleeting data is lost first when a system is touched or powered down.
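The hash-before-and-after check and the collection order described above, as an added example that is not part of the original page. The function names, handler names and the custody-entry fields are assumptions made for illustration, and the evidence file is a constructed sample written to a temporary directory.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Order of volatility as listed above, most fleeting first.
VOLATILITY = ["registers/cache", "RAM", "disk", "backups", "archives"]

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def collection_order(sources):
    """Sort planned sources so the most volatile is collected first."""
    return sorted(sources, key=VOLATILITY.index)

def record(log, path, handler, action):
    """Append a custody entry carrying the hash observed at this handling step."""
    log.append({"time": datetime.now(timezone.utc).isoformat(),
                "handler": handler, "action": action,
                "sha256": sha256_file(path)})

def first_alteration(log):
    """Return the first entry whose hash differs from the acquisition hash."""
    baseline = log[0]["sha256"]
    return next((e for e in log[1:] if e["sha256"] != baseline), None)

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")  # constructed sample evidence
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample evidence")
        log = []
        record(log, img, "analyst-a", "acquired")
        record(log, img, "analyst-b", "received for analysis")
        intact = first_alteration(log) is None
        with open(img, "ab") as f:  # simulate an unintended write
            f.write(b"!")
        record(log, img, "analyst-b", "returned to storage")
        return intact, first_alteration(log)["action"]

if __name__ == "__main__":
    print(collection_order(["disk", "archives", "RAM"]), demo())
```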
