There are a number of slightly varying definitions around. However, generally, computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded, usually to provide digital evidence of a specific or general activity. A forensic investigation can be initiated for a variety of reasons. The most high-profile are usually those relating to criminal investigation or civil litigation.

What are the common scenarios?
Wide and varied! Examples include:
- Employee internet abuse (common, but decreasing).
- Unauthorized disclosure of corporate information and data (accidental and intentional).
- Industrial espionage.
- Damage assessment (following an incident).
- Criminal fraud and deception cases.
- More general criminal cases (many criminals simply store information on computers, intentionally or unwittingly).
- and countless others!

How is a computer forensic investigation approached?
It's a detailed science. However, very broadly, the main phases are sometimes considered to be:
- Secure the subject system (against tampering during the operation).
- Take a copy of the hard drive (if applicable).
- Identify and recover all files (including those deleted).
- Access/copy hidden, protected and temporary files.
- Study 'special' areas on the drive (e.g. residue from previously deleted files).
- Investigate data/settings from installed applications/programs.
- Assess the system as a whole, including its structure.
- Consider general factors relating to the user's activity.
- Create a detailed report.
Throughout the investigation, it is important to stress that a full audit log of your activities should be maintained.
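Two of the phases above recur through the whole investigation: showing that the working copy of the drive is byte-for-byte identical to the source, and keeping an audit log that cannot be quietly edited afterwards. The following Python is an added example written for this page, not code from the original FAQ: the "disk image" is a constructed in-memory byte string standing in for an acquired drive, the log format is an assumption of the example, and the hash chaining over log entries is one common way to make a log tamper-evident.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired drive image (4 KiB of deterministic bytes),
# so the example runs offline; a real case would read the imager's output file.
SAMPLE_IMAGE = bytes(range(256)) * 16

GENESIS = "0" * 64  # prev_hash of the first audit entry


def image_hash(data: bytes) -> str:
    """SHA-256 of a byte-for-byte image: the value recorded at acquisition time."""
    return hashlib.sha256(data).hexdigest()


def acquire_copy(source: bytes):
    """Take a working copy and hash both sides so the copy can be shown exact.

    Returns (copy, source_hash, copy_hash). The copy here is a plain byte copy;
    it stands in for the output of an imaging tool.
    """
    copy = bytes(source)
    return copy, image_hash(source), image_hash(copy)


def verify_copy(source_hash: str, copy_data: bytes) -> bool:
    """Re-hash the copy and compare with the hash taken from the original drive."""
    return image_hash(copy_data) == source_hash


def _entry_digest(entry: dict) -> str:
    # Hash every field except the digest itself, in a canonical key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the previous one.

    Editing, removing or reordering any entry breaks the chain, which verify()
    detects. Tampering by someone who can rewrite the whole chain is out of
    scope here; in practice the entry hashes are also recorded externally.
    """

    def __init__(self, examiner: str):
        self.examiner = examiner
        self.entries = []

    def record(self, action: str, detail: str, when: datetime = None) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        ts = (when or datetime.now(timezone.utc)).isoformat()
        entry = {
            "seq": len(self.entries) + 1,
            "time": ts,
            "examiner": self.examiner,
            "action": action,
            "detail": detail,
            "prev_hash": prev,
        }
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        prev = GENESIS
        for i, entry in enumerate(self.entries, start=1):
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            if _entry_digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def run_example() -> AuditLog:
    """Walk the acquisition steps, logging each one; returns the audit log."""
    log = AuditLog(examiner="examiner-01")  # constructed identifier
    log.record("secure", "subject system isolated; write blocker in place")
    copy, source_hash, copy_hash = acquire_copy(SAMPLE_IMAGE)
    log.record("acquire", f"source sha256={source_hash} copy sha256={copy_hash}")
    log.record("verify", f"copy matches source: {verify_copy(source_hash, copy)}")
    return log


if __name__ == "__main__":
    audit = run_example()
    print("audit log intact:", audit.verify())
    for e in audit.entries:
        print(e["seq"], e["action"], e["detail"][:60])
```

The hash of the source drive is recorded before any examination begins, and every later action works on the copy and re-checks it against that hash; the audit entries reference those hashes, so the log, the image and the report can be cross-checked independently.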