Forensic data recovery is a process which is used to retrieve data which will be used for legal purposes. This technique is classically used in criminal or civil investigations which are designed to yield information which can be used in court, although forensic data recovery can also be used by auditing firms and in a variety of other circumstances. This process is performed by trained technicians who have studied computer science, information technology, and forensics.
The need for data recovery is not uncommon; many people have experienced lost or corrupted files at some point in their lives, and some are familiar with the techniques which can be used to restore or rebuild such data. Forensic data recovery is similar, but a bit more complex, because it also includes accessing areas of a computer which would not normally be seen or used to check for specific activities of interest, along with data recovery which is aimed at recovering data which was deliberately erased, damaged, or corrupted.
Sometimes, forensic data recovery is as simple as trying to reconstruct the information on a damaged hard drive, disc, or memory card. At other times, it may include the resurrection of data thought to be lost or deleted, the bypassing of security systems, or the study of a computer system to look for traces of illegal activity. It can be applied to situations ranging from suspected cases of creative accounting to analysis of a computer believed to belong to a sexual predator to look for incriminating or identifying information.
Instead of looking specifically for files, which is what most people do when they engage in data recovery, forensic data recovery specialists are primarily interested in information. They don't necessarily care what form the information is presented in, and they can use a variety of techniques to fill in missing pieces or make information meaningful. For example, a technician might uncover and restore a damaged or deleted partition, looking for traces of information which could reveal how and when the partition was used.
Because specialists in forensic data recovery may be working with computers which have been seeded with safety measures to prevent legal investigations, they must use special procedures to avoid triggering failsafes which could compromise or erase the data. They must also be able to work with information in a way which will not change or compromise it. For example, a technician might copy the data from a hard drive found at a crime scene to another hard drive, resealing the original hard drive in evidence and working with the copy of the data.