Digital forensics is the investigation of computer security incidents: digital evidence is acquired without alteration and then analyzed to answer key questions such as who was involved, what happened, when, and how. A typical investigation proceeds by acquiring evidence through imaging systems or storage media, recovering files and metadata, analyzing the evidence with techniques such as event reconstruction or locating contraband material, and presenting the findings. Challenges include the massive amounts of potential data, limited system logging, and the need to explain technical details simply. Standards, better system auditing, and databases of known file systems and malware could help advance the field.