What is Forensic Data Recovery?
Mary McMahon
Mary McMahon
Forensic data recovery is a process which is used to retrieve data which will be used for legal purposes. This technique is classically used in criminal or civil investigations which are designed to yield information which can be used in court, although forensic data recovery can also be used by auditing firms and in a variety of other circumstances. This process is performed by trained technicians who have studied computer science, information technology, and forensics.
The need for data recovery is not uncommon; many people have experienced lost or corrupted files at some point in their lives, and some are familiar with the techniques which can be used to restore or rebuild such data. Forensic data recovery is similar, but a bit more complex, because it also includes accessing areas of a computer which would not normally be seen or used to check for specific activities of interest, along with data recovery which is aimed at recovering data which was deliberately erased, damaged, or corrupted.
Sometimes, forensic data recovery is as simple as trying to reconstruct the information on a damaged hard drive, disc, or memory card. At other times, it may include the resurrection of data thought to be lost or deleted, the bypassing of security systems, or the study of a computer system to look for traces of illegal activity. It can be applied to situations ranging from suspected cases of creative accounting to analysis of a computer believed to belong to a sexual predator to look for incriminating or identifying information.
Instead of looking specifically for files, which is what most people do when they engage in data recovery, forensic data recovery specialists are primarily interested in information. They don't necessarily care what form the information is presented in, and they can use a variety of techniques to fill in missing pieces or make information meaningful. For example, a technician might uncover and restore a damaged or deleted partition, looking for traces of information which could reveal how and when the partition was used.
Because specialists in forensic data recovery may be working with computers which have been seeded with safety measures to prevent legal investigations, they must use special procedures to avoid triggering failsafes which could compromise or erase the data. They must also be able to work with information in a way which will not change or compromise it. For example, a technician might copy the data from a hard drive found at a crime scene to another hard drive, resealing the original hard drive in evidence and working with the copy of the data.
Mary McMahon
Ever since she began contributing to the site several years ago, Mary has embraced the exciting challenge of being a EasyTechJunkie researcher and writer. Mary has a liberal arts degree from Goddard College and spends her free time reading, cooking, and exploring the great outdoors.
Mary McMahon
Ever since she began contributing to the site several years ago, Mary has embraced the exciting challenge of being a EasyTechJunkie researcher and writer. Mary has a liberal arts degree from Goddard College and spends her free time reading, cooking, and exploring the great outdoors.
AS FEATURED ON:
AS FEATURED ON:
-
![Forensic data recovery involves the acquisition of sensitive data stored on a physical hard drive that will assist in a criminal investigation.]()
By: meepoohyaphotoForensic data recovery involves the acquisition of sensitive data stored on a physical hard drive that will assist in a criminal investigation. -
![Computer forensics specialists can sometimes retrieve information that was meant to be destroyed or deleted.]()
By: dbj65Computer forensics specialists can sometimes retrieve information that was meant to be destroyed or deleted.
Discussion Comments
Use Eraser. If you realize you've got something you shouldn't on your computer. Delete the file with Eraser. If you've already deleted something that should have been erased, run Eraser on the free space of your drive. You can use a 3 pass Department of Defense erasure technique, all the way up to a 35 pass Gutmann erasure.
I dare any investigator to try to recover data on a hard drive that has had a 35 pass Gutmann erasure used on its freespace. The only data they'll see is the data that exists in files (freespace is wiped now, only file space is left at the time of the "investigation"). Which means you will know exactly what they will see because the only remaining data after such a procedure are files that you too can see. This means 100 percent sureness that you can control what the investigators find out about you.
Very powerful, and very useful software, especially if you have important private data, or you are a cyber criminal.
delete early, defrag often.
Post your comments