Computer Forensics Data Recovery
One of the most frequent situations faced by a computer forensics analyst is the need to recover deleted data. Forensic data recovery defines the actions involved in scanning or searching a hard drive or other digital media for deleted files. Many computer users do not realise that simply deleting a file from their PC does not actually raised it from the hard drive or floppy drive. Files that have been deleted in this manner simply have their file information removed from the file system; the raw data is often left intact unless a new file overwrites the area of the media which previously contained the deleted file. This is
Due to the fact that files are often still in existence, although no longer visible to the file system, forensic data recovery becomes a real possibility. Using a set of special software tools the analyst will attempt to perform forensic data recovery by interrogating the actual physical data stored on the hard drive. If the deleted file has not been overwritten too much, it is often possible for the analyst to recreate the file pointers, and restore the file. In cases where the file has been overwritten or damaged, forensic data recovery software can then be used to copy raw data into a new file. This saved data can then be interrogated, and it is highly possible that whole segments of the original file will still be readable in some form. In some cases this partial data can be used to reconstruct the original deleted file entirely. At the very least it allows the analyst to judge whether the reclaimed file should be noted as evidence in the ongoing computer forensics investigation.
In many ways forensic data recovery forms the backbone of almost every computer forensics investigation. If we consider that forensic proof is being sought for crimes committed, then it stands to reason that almost every offender will have gone to some lengths to cover their tracks. Forensic data recovery allows the technician undertaking the forensic investigation to gain access to much of this deleted information. This allows them to prove or disprove the accusations made against the computer user.