Data Recovery Digest

The need recover data can happen to everyone, whether you’re an individual or an enterprise. But there’s one industry that probably charts highly for the importance of data recovery – the world of crime.

Many reputable data recovery companies are employed by government agencies to help them recover data that they need to solve a case or for evidence to use in court. Computer forensics would be needed to investigate the computer media in a scientific way and data recovery is the technique to pull the data from the damaged storage device. Forensic methodologies will then be used to assess which data is most pertinent to the case.

A drive involved in a crime case can be damaged in many ways. The drive could have been used to help commit a crime or it could contain evidence of a crime. Whatever the case, it’s paramount that the data within is successfully recovered from whatever failure the drive has undergone – technical, elemental, intentional and so on.

The ability to recover data from a drive should never be totally discounted, no matter what state it is in. In the past, recovery companies have been able to get data from drives that have had their outer casing exploded, their circuits damaged in fire, the entire drive submerged in water and more.

These companies need to follow due process due to the sensitive nature of the recovery. In fact, handling the drive in the proper way is as important as the data recovery itself. This is because if media is handled incorrectly then it could jeopardise its ability to submitted as evidence.

There are different protocols in different countries. For example, those in the UK are created by The Association of Chief Police Officers, which detail how to handle the device, along with how to copy, process and present the analysis.

One key point from these guidelines is that the data held within should not be altered in any way. Another point is that documentation and a full chain of accountability is put in place so that the process is fully traceable. It also means that another recovery expert would be able to follow the same steps and achieve the same results.

An example of this comes from Kroll Ontrack. They were given a hard drive that was used to record CCTV images, the footage potentially containing evidence of a murder being committed. However, the drive wasn’t operational and the recovery experts was called upon.

The drive was flown to Kroll Ontrack via personal escort and was determined to be suffering from electronics failure and media corruption damage. This often means that the data has been overwritten and the low-level information to support the functions of the hard drive has been corrupted.

Despite this, they were able to copy 99% of the raw data. They then had to repair the data structures, which meant overcoming the propriety operating system used by the CCTV system. Despite all of this, the recovered images were able to be used in court.

Recovery is always a difficult job when a drive is mechanically damaged. But it becomes even more difficult when the world of crime is involved and even more important that specialists are involved.