Forensic Data Recovery Investigation
I would like to separate Forensic Data Recovery Investigation into two categories: Business Forensic Investigations & Family Forensic Investigations.
Business Forensic Investigations is the practice of recovering data from large and small business hard drives. The most common business situation an employee is fired or quit his job and has deleted or stolen company data. Other areas of business investigations are fraud, intellectual property theft and inappropriate computer and email use.
Family Forensic Investigations is the practice of collecting and analyzing digital data from child or spouse’s computer, tablet or smartphone. This data is used in divorce cases and child protection.
According to Wikipedia, data recovery is:
Data recovery is a process of salvaging (retrieving) inaccessible, lost, corrupted, damaged or formatted data from secondary storage, removable media or files, when the data stored in them cannot be accessed in a normal way. The data is most often salvaged from storage media such as internal or external hard disk drives (HDDs), solid-state drives (SSDs), USB flash drives, magnetic tapes, CDs, DVDs, RAID subsystems, and other electronic devices. Recovery may be required due to physical damage to the storage devices or logical damage to the file system that prevents it from being mounted by the host operating system (OS).
Forensic Data Recovery Investigation
The following steps should be taken by investigator retrieving computer data as evidence.
- Secure the computer to make sure the computer data is safe. To control access by an unauthorized computer user. Create a chain of custody document of the computer and hard drive.
- Create a clone of the hard drive to maintain the integrity of the forensic investigation. The original computer and hard drive must be preserved as evidence.
- Recover the contents of hard drive’s files with programs; also, look for hidden and deleted files. When a file is deleted from your hard drive the sectors of the deleted files now shows as unallocated space and can be used to write new data. If the sectors have not been written with new data we can recover the deleted files.
- Document every step of recovering data. This is important to show investigator did not change or damage data.
- At this point, the examiner will produce written a report of the findings. Also, the data forensically recovered will be referenced as exhibits. The referenced data will be given as exhibits on a hard drive, USB external drive or portable thumb drives.
The above steps are all important to preserve the integrity of the forensic investigation. If you need professional help for data recovery services, please give us a call at (800) 339-3412.