
Computer Forensics

According to the TechTarget web site, “Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.”

Here at UHCL, we have expanded the term a bit to include any computer investigative process whether we suspect that it involves the commission of a crime or not. 

When might forensic technology be used?

Forensic techniques are used when:

  • It is suspected that an individual is involved in the commission of a crime
  • It is suspected that a computer is compromised
  • A device is lost or stolen and a backup of the computer’s hard drive is available. In this specific case, we would copy the backed-up files onto a comparable computer to determine if the computer's hard drive contains any information that is protected by law or contract.

What kinds of forensic tools are available?

There are a number of tools that are used in forensic activities including software that can:

  • Make “forensic copies” of a computer’s hard drive to ensure that the data being analyzed is in the same state as when the forensic process began. 
    Important Note:  Making a forensic copy of the hard drive works hand in hand with “chain of evidence” procedures to confirm that the data has not been altered in case prosecution is pursued.
  • Recover deleted data (both full and partial files) from a hard drive – even beyond the time that the recycle bin was emptied. See the Deleting Data page to learn what makes data recovery tools effective. 
  • Find evidence of known attacks (anti-virus/anti-malware software)
  • Analyze patterns in the security logs across multiple technologies to determine if a possible cyberattack is in progress or to reconstruct sequences of events (Security Information and Event Management, or SIEM, software)

What are the key steps in performing a forensic analysis?

If a computer is compromised, quick action must be taken to preserve the “state” of the device. 

First, the user of the device must immediately:

  • Unplug it from the network
  • Power the computer down
  • Contact the Information Security Office through the OIT Support Center at extension 2828 or

Next, the Information Security Office will:

  • Make one or more forensic copies of the data by:
    • Removing the hard drive from the unit
    • Plugging the hard drive into another device as a secondary hard drive
    • Copying the hard drive’s contents into a storage device that becomes read-only after the data is transferred
    • Physically securing the forensic copy, e.g., placing it in a sealed package that is signed by the person who made the copy
  • Use the forensic analysis and anti-malware software to look for evidence of a compromise on the hard drive
  • Investigate attack paths by analyzing computer and network log data
  • Bring in the University Police Department immediately if criminal activity is suspected
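The page does not say how a forensic copy is later shown to be unaltered; a common approach is to record a cryptographic hash when the copy is made and re-check it before analysis. The following is an added example, not UHCL's procedure or tooling: it assumes SHA-256, a JSON-lines custody log, and file permissions as a stand-in for read-only storage, and every function name, file name and the examiner value is hypothetical.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB blocks; disk images do not fit in memory

def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read block by block."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def make_forensic_copy(source, dest, examiner, log_path):
    """Copy source to dest, confirm the hashes match, and log a custody record."""
    with open(source, "rb") as src, open(dest, "xb") as dst:  # "x" refuses to overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    os.chmod(dest, 0o400)  # stand-in for storage that becomes read-only after transfer
    record = {"time": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
              "image": os.path.basename(dest), "sha256": sha256_file(dest)}
    if record["sha256"] != sha256_file(source):
        raise RuntimeError("copy differs from source; it cannot serve as evidence")
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record

def verify_copy(dest, log_path):
    """Re-hash the copy and compare it with the digest logged at acquisition."""
    with open(log_path) as log:
        logged = [r for r in map(json.loads, log) if r["image"] == os.path.basename(dest)]
    return bool(logged) and sha256_file(dest) == logged[0]["sha256"]

def demo():
    """Constructed sample: a small file stands in for the removed hard drive."""
    work = tempfile.mkdtemp()
    source, dest, log_path = (os.path.join(work, n) for n in
                              ("drive.bin", "copy.img", "custody.jsonl"))
    with open(source, "wb") as f:
        f.write(b"constructed sample sector data" * 4096)
    make_forensic_copy(source, dest, "examiner (placeholder)", log_path)
    before = verify_copy(dest, log_path)
    os.chmod(dest, 0o600)  # demo only: lift read-only to simulate an altered copy
    with open(dest, "r+b") as f:
        f.write(b"X")
    return before, verify_copy(dest, log_path)
```

Calling `demo()` returns the verification result before and after a single byte of the copy is changed, which shows why the digest belongs in the chain-of-evidence record alongside the signed package.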


  • Support Center

    Bayou 2300
    2700 Bay Area Blvd.
    Houston, TX 77058-100
    Phone: 281-283-2828

    Monday-Thursday: 8 a.m. - 7:30 p.m.
    Friday: 8 a.m. - 5:30 p.m.
    Saturday: 8 a.m. - 3 p.m.