This article looks at the differences between the commercial and the forensic approach to data recovery: the methods and algorithms of forensic data recovery, and the requirements that evidence collection places on the software. What happens when a hard drive removed from a computer falls into the hands of a forensic examiner? Forensic analysis of a disk is very similar to data recovery work. But there are significant differences, and they are not limited to the price of the respective programs.

Primary Requirements :

It is no secret that the development of any tool is driven by the requirements of the customer. For file recovery programs, the requirement is to recover the maximum amount of information in the minimum time. How do things stand in the forensic field? The requirements are similar and different at the same time.

Working In Read-Only Mode :

Read-only operation is one of the few requirements that the two categories of software have in common. Data recovery programs use read-only access to avoid corrupting or overwriting deleted files. But in forensics, things are much stricter: the requirement that extracted evidence remain unchanged is one of the fundamental principles of legal proceedings. Accordingly, forensic examiners prefer not to rely on the goodwill of programmers and instead protect themselves with dedicated hardware write blockers. Such a device rules out any attempt to write to the hard disk under examination.

Using Virtual Disk Data Recovery Images :

Whether to work from a virtual disk image or to recover data "live" from the original disk is the choice of each data recovery specialist. Forensic examiners have no such choice: the standard disk analysis procedure involves taking an image in Ex01, DD or SMART format and then analyzing that image. The practice is convenient from many points of view, but it requires a large amount of free disk space.

Process Documentation :

One of the duties of a forensic scientist is to carefully document every step of working with digital evidence. All operations performed by an analyst must be transparent and repeatable by another, independent specialist. There are no such requirements for data recovery programs, so the reports generated by such programs are limited to the list of files that could or could not be restored.

Signature Search And Data Recovery Carving :

Data recovery programs use powerful algorithms to search the entire surface of the hard drive for files by signature. These algorithms rely on known, recurring byte sequences (signatures) to detect the beginning of a file. For example, for *.docx and *.xlsx files this is "50 4B". Subsequent analysis of the file header then makes it possible to calculate the file's length.

The disadvantage of such algorithms is that they cannot completely recover fragmented files (of course, this applies only to files that have no corresponding entry in the file table, and to disks with a damaged or destroyed partition table).
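The signature search and its fragmentation limit, shown as an added example (not code from the original article or from any recovery product). For the ZIP container behind *.docx and *.xlsx it takes the length from the end-of-central-directory record; the function names and the sample disk images are constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # ZIP local file header; starts with the "50 4B" above
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record closes the container
EOCD_FIXED = 22            # fixed EOCD size; a variable-length comment may follow


def carve_zip(image):
    """Return (offset, length, intact) for each ZIP container carved from image."""
    found, pos = [], 0
    while (start := image.find(LOCAL_SIG, pos)) != -1:
        eocd = image.find(EOCD_SIG, start)
        if eocd == -1 or eocd + EOCD_FIXED > len(image):
            break  # no usable end marker: the length cannot be computed
        comment_len = struct.unpack_from("<H", image, eocd + 20)[0]
        end = eocd + EOCD_FIXED + comment_len
        try:
            # Validate the candidate: member offsets and CRC-32 must match.
            with zipfile.ZipFile(io.BytesIO(image[start:end])) as zf:
                intact = zf.testzip() is None
        except zipfile.BadZipFile:
            intact = False
        found.append((start, end - start, intact))
        pos = end
    return found


def build_samples():
    """Constructed data: one small ZIP, stored contiguously and fragmented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", b"constructed sample text\n" * 100)
    doc = buf.getvalue()
    slack = b"\x00" * 512
    contiguous = slack + doc + slack
    # Fragmented: a foreign 512-byte cluster sits between two parts of the file.
    fragmented = slack + doc[:1024] + b"\xee" * 512 + doc[1024:] + slack
    return doc, contiguous, fragmented


if __name__ == "__main__":
    doc, contiguous, fragmented = build_samples()
    print(carve_zip(contiguous))   # carved length equals len(doc), intact
    print(carve_zip(fragmented))   # signature found, but validation fails
```

In the fragmented image the signature and the end marker are both found, yet the carved span includes the foreign cluster and fails validation, which is the limitation described above.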

What Exactly Is Being Restored?

It would seem that computer users and forensic examiners should be interested in the same files, but this is not so. Forensic examiners are interested in the behavior of the suspect over a period of time. Accordingly, they retrieve data such as the browser cache, the database containing the history of visited websites, Windows registry files, and the history databases of instant messaging programs (Skype, ICQ and the like). Photographs and documents are also extracted; these are perhaps the only two points on which data recovery programs and forensic tools agree.