Forensic Data Recovery - what is it, really? - A Press Release...
byon 01-11-2010 at 10:15 AM (1886 Views)
Data Recovery may seem an easy practice to earn money by someone who knows their way around the inside of a computer, but it is much more than that. The consequences of using software that simply “plugs and plays” may cause unforeseen, catastrophic consequences for clients. Simon Steggles, of specialist forensic data recovery company, Disklabs, explains:
“I see lots of people making data recovery statements and increasingly, 'Forensic Data Recovery' claims. Because the subject is so easily misunderstood and abused, I feel that someone should explain what is, and isn’t, Forensic Data Recovery.
Firstly, is what you are practising true data recovery? Retrieving deleted software with 'Recovery My Files' or one of a myriad of data recovery software titles isn’t necessarily true data recovery. It ‘is’ in that it recovers some data; however, it ‘isn’t’, because it doesn’t allow the software user to recover data that may be on either physically damaged or firmware corrupted disks. There is also the possible danger that using this kind of software may lead to overwriting data on the original source too, (depending on how the recovery is attempted).
When I consider data recovery, I imagine someone, or an organisation, who is a member of the IPDRA, (International Professional Data Recovery Association). This is a not-for-profit association, and therefore free to join, and was set up to encourage a specific technical standard from its members. If you have the right equipment, secure premises and can demonstrate through references and photographic evidence that you meet the criterion, you will achieve membership. There is also a complaint procedure to allow clients of members that are not satisfied to lodge official objections or protests.
It’s like lots of things in life - there is a right way and a wrong way, at least, when practicing Data Recovery. Software fixes are marginally effective, but can mislead the client that true data recovery has been carried out. If there is a firmware issue, this can still be considered data recovery; however, this is rapidly becoming the next stage of technical ability within data recovery. Further still is hardware recovery. Exchanging heads is relatively simple, (to the experienced practioner), but are the heads being exchanged with the correct heads from a donor drive? Are they going to be changed in the correct environment? This, of course, is either a clean room or a clean bench. Either of these should achieve at least ISO14644 standard to level 5, to be considered acceptable by manufacturers.
From this, it is apparent that although data recovery may be something you offer, you may be misleading your client, depending on your knowledge and working practices.
There’s even more issues with the validation of Forensic Data Recovery - a process which has to follow the principles of ACPO Guidelines. A lot of people offering Forensic Data Recovery don’t even know who or what ACPO is, let alone follow their guidelines. I personally believe that it’s unethical to state that you provide forensic data recovery if you are not fully familiar with ACPO’s guidelines or don’t have experience in delivering them to law enforcement clients. It’s only from this experience that you will gain the knowledge of write-blocking, report writing or evidence continuity. Over and above this, it’s imperative that your clients’ exhibit, (evidence), is kept securely and only handled by appropriately security-cleared staff.
To me, Forensic Data Recovery is the recovery of information whilst ensuring the original data on the media source, (hard drive, memory stick, etc.)is not damaged in any way. If something has to be written, or chips have to be extracted, then a report should be provided, explaining why this was done and the procedures used. It goes without saying that continuity is vital at all times.
Think of the reasons why clients approach you to recover data from their exhibit or other item. Fraud, criminal activity, personal issues, personal safety; if the practitioner is not fully adept and data is not recovered correctly, the effects to the client could be very adverse indeed. It wouldn’t be melodramatic to state that you could have someone’s life in your hands. Although there can be negative connotations associated with your company should your inexperience come to light, the consequences to your client could be far more serious.”
Disklabs are members of the IPDRA and also diligently follow ACPO guidelines. Our experience in data recovery and forensic data recovery is highly commended by our clients and professional bodies.