Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.
The technical and applied forensic disciplines (digital forensics, questioned documents, forensic engineering, fingerprints and biometrics, and ballistics) examine man-made systems, instruments, and records for legal purposes.
Last updated:
A forensic investigation in 2025 is as likely to turn on what a phone's GPS log recorded at 11:47 pm as on what a fingerprint on a door handle looks like. The technical and applied forensic sciences occupy the space where man-made systems, instruments, and records intersect with legal questions. They are not concerned primarily with biological material or with the human body: they deal with what devices store, what documents say, why structures and machines fail, what friction-ridge impressions look like, and how a bullet moved through space.
Five disciplines define this cluster. Digital forensics recovers and analyses data from electronic devices, networks, and cloud services. Questioned documents (QDE) examines paper, ink, handwriting, and printing to detect fraud and establish authenticity or authorship. Forensic engineering reconstructs failures and accidents to assign causation. Friction-ridge analysis (fingerprints) and broader biometrics identify individuals from physical characteristics. Forensic ballistics examines firearms, cartridges, and wound patterns to reconstruct shooting events.
What unites these otherwise disparate disciplines is a shared focus on recorded or manufactured artefacts rather than biological specimens, and a shared chain-of-custody challenge: digital data can be altered silently, documents can be fabricated, physical mechanisms can be tampered with. The technical procedures in each discipline are designed explicitly to detect and guard against those possibilities.
Data is volatile, deletion is rarely complete, and the chain of custody starts before the examiner touches the device.
Digital forensics covers four broad device categories: storage media (hard drives, SSDs, USB drives, memory cards), mobile devices (phones, tablets, GPS units), network-based evidence (logs, cloud data, email servers), and the internet of things (smart speakers, connected vehicles, wearables). Each category has its own acquisition challenges, but the underlying discipline is consistent: preserve integrity first, then examine and interpret.
Deleted files are a major focus of digital examination because file deletion in most operating systems does not immediately erase the underlying data: it marks the space as available for reuse. Until overwritten, the content remains in unallocated space and can be recovered using file carving tools that search for known file headers and footers. Solid-state drives with TRIM enabled complicate this, as the operating system actively zeroes freed blocks for performance reasons, reducing recovery rates. Modern phone file systems present different challenges: most use encryption by default, so the acquisition must obtain the device in an unlocked state or apply appropriate legal authority to obtain the encryption key.
Paper and ink carry more information than the words printed on them.
Questioned document examination covers a wider range of work than its name suggests. Handwriting comparison is the most visible task, but QDE practitioners also examine paper and ink composition to date or source documents, detect alterations, obliterations, indented writing (pressure-transferred from an overlying page), and laser-printed or inkjet-printed text to attribute it to a specific device. In financial and corporate fraud cases, the document examiner often provides more evidentially actionable findings than any other forensic discipline.
Handwriting comparison proceeds through three stages. Known exemplars (samples of the individual's genuine writing, called 'request specimens' if collected for the case or 'course of business exemplars' if pre-existing) are collected. The questioned writing is examined for its range of natural variation. Then comparison identifies both class characteristics (general letter forms, slant, spacing, proportions consistent with a broad group of writers) and individual characteristics (specific idiosyncratic features that narrow to one writer). The conclusion is expressed on a calibrated scale from 'identification' through degrees of probability to 'elimination' or 'inconclusive'.
Engineering failures leave a physical record of what went wrong, in what order, and why.
Forensic engineering investigates failures and accidents to determine their cause, mechanism, and sequence of events. The scope is broad: structural collapses, fires and explosions, vehicle accidents, product liability, construction defects, and industrial incidents all generate forensic engineering work. The forensic engineer is engaged either to reconstruct what happened (fact-finding for litigation or criminal prosecution) or to apportion responsibility (was the failure due to design, manufacture, maintenance, or misuse?).
The investigative method draws on materials science, structural analysis, and the applicable engineering codes and standards for the jurisdiction and industry. Fracture surface analysis distinguishes fatigue cracking (progressive, showing beach marks) from overload fracture (sudden, with a different surface morphology). Fire-origin determination uses burn patterns, char depth, and V-patterns to locate the seat of a fire and distinguish accidental from incendiary causation. Vehicle accident reconstruction uses crush analysis, tyre mark geometry, electronic data from the vehicle's event data recorder, and kinematic equations to calculate speeds and collision geometry.
| Subdiscipline | Typical question | Key technique |
|---|---|---|
| Structural failure | Why did the building or component fail? | Fracture analysis, materials testing, code review |
| Fire investigation | Where did the fire originate and was it accidental? | Burn pattern mapping, V-pattern analysis, accelerant testing |
| Vehicle accident reconstruction | What was the speed and configuration at impact? | Crush analysis, event data recorder, kinematics |
| Product liability | Was the product defective, and did the defect cause the injury? | Design review, failure mode analysis, comparative testing |
Friction-ridge skin has been the workhorse of personal identification for over a century.
Fingerprint identification rests on two premises: that friction-ridge arrangements are unique to individuals (including identical twins), and that they are persistent across a lifetime. The first premise has very strong empirical support, accumulated across hundreds of millions of tenprint comparisons over more than a century. The second is demonstrated by the stability of ridge detail through normal life, though severe injury, deliberate abrasion, or certain skin conditions can alter surface morphology.
Latent prints recovered from scenes are developed using fingerprint powder, chemical reagents (cyanoacrylate fuming, ninhydrin, 1,8-diazafluoren-9-one known as DFO, physical developer for wet surfaces), or optical imaging methods including alternate light sources. The developed print is photographed and digitised, then searched against databases (AFIS systems) or compared directly against reference prints from a suspect. The comparison is conducted by a trained fingerprint examiner who identifies corresponding minutiae features (ridge endings, bifurcations, short ridges) and assesses distortion between the latent and the reference.
A fired cartridge case is a record of the weapon that fired it.
Forensic firearms examination covers three linked areas. First, firearm and cartridge case comparison: when a cartridge is fired, the breechface, firing pin, extractor, and ejector all leave microscopic toolmarks on the case. A bullet passing through the barrel acquires striation marks from the rifling grooves. These marks can be compared under a comparison microscope to determine whether a cartridge or bullet was fired by a specific weapon. The comparison follows the same ACE-V logic as fingerprint examination: it is a feature-by-feature assessment by a trained examiner.
Second, trajectory reconstruction: the direction and angle of a bullet's path can be reconstructed from entry and exit holes in surfaces, the geometry of secondary fragmentation, and the location of recovered cartridge cases. Rod-based and laser trajectory kits allow the physical path to be modelled. Combined with the victim's position and the wound track from the pathologist, trajectory work can test consistency with a stated shooting position or sequence.
Third, gunshot wound analysis: the range and direction of a shot are estimated from wound characteristics. Contact and close-range shots leave stippling (burnt powder embedded in skin), smoke deposits, and laceration patterns from gas pressure. Intermediate-range shots leave stippling without the larger gas effects. Distant shots leave only the wound track. The forensic pathologist and the firearms examiner typically collaborate on wound interpretation, with the examiner providing test-fire data from the weapon to calibrate the range estimate.
Why must digital forensic examiners use a write-blocker when acquiring evidence from a storage device?
Test yourself on Basics of Forensic Science with free, timed mocks.
Practice Basics of Forensic Science questionsSpotted an error in this page? Report a correction or read our editorial standards.