Forensic Data Recovery FAQ
In practically every computer there is "deleted" data that can be recovered; however, the data recovered is not always relevant to the case. When more than one computer is involved, deciding which ones to examine is typically a judgment call, so it helps to establish an order of priority. That way the vital data is revealed first and resources are not wasted on computers that are unlikely to hold anything relevant. The best candidates for recovery can be predicted and prioritized with a series of questions.
Q: How long has it been since files were deleted?
Deleted files are left behind in unallocated space on the hard drive, and as that space is needed by other programs or by web pages the pieces of the file are gradually overwritten. The more time that has passed since the files were deleted, the lower the probability that something can be recovered, although in some past instances data has been recovered dating back several years.
Q: Did any person involved use the computer?
Note that this could include receiving email or files from the party involved. When a file or email is deleted it is not immediately removed from the hard drive. It still exists even though it can not be easily accessed. There is a section of the hard drive that is similar to a "Table of Contents" and when a file is deleted it is just removed from this "Table of Contents". The data of the deleted file or email is left behind in unallocated space on the hard drive. Since the data still exists on the hard drive, special tools that bypass the "Table of Contents" and search the raw disk for file signatures and keywords can locate such files and potentially recover them. A file can be divided into several pieces that exist in various locations on a hard drive, and some of those pieces may already have been reused. Because of this, it is possible that only part of a file might be recovered. A vital component to a case might exist in one of those small pieces.

If the item that was deleted was an email, a different set of rules apply. An email, by its nature, exists in more than one place. There is always a From: (the sender), a To: (the recipient) and at least one server (the machines that processed the email). If there were CC: (carbon copy) or BCC: (blind carbon copy) addresses then more copies exist. An email has a greater potential to be recovered because email is stored in a file similar to a database. Consequently, when an email is deleted it is removed from the "Table of Contents" of that database, not from the hard drive itself, and it is possible for the email to persist in the file or on the server for quite a long time after the user "deleted" it. This applies to Outlook Express, Outlook 2002, AOL, Exchange Server and several other types of email programs. If email is read via a web browser (e.g. Hotmail), a copy of the email will usually exist in the Internet cache or temporary files on the hard drive of the computer it was viewed from, and there is an even greater probability that this might be recovered.
Q: How much has the computer been used since files were deleted?
Because files are overwritten gradually, the more the computer is used the more likely it is that new files have overwritten older files, erasing your valuable information. A computer writes files every time a program is used (including internet access). The Windows Operating System also writes to certain system files every time the system is powered on. These standard files are not very large, but they account for a significant percentage of the destruction that occurs to recoverable files. This is an excellent reason to stop using a computer as soon as it is learned that it is involved in a case, until a Computer Forensic Specialist can examine it. If the computer is necessary for the operations of the business, the specialist can safely and effectively "clone" the hard drive (a bit-for-bit image, verified by hash) so that the examination works on the copy and the original is preserved.

If there is someone who can answer these questions there is a good chance of determining the usefulness of the computer in a case. This is not intended to be a final list of questions but is a common set that helps determine the possibility that something useful might exist. In some cases the client might not be able to answer any of these questions, and it is also common for the answers given to be incorrect. Even when there is no one to answer those questions, there is still a good possibility of recovering valuable evidence from the right computer, even when the files were only viewed and never saved on it.
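The answers on deleted files and on continued use above describe the same mechanism from two sides: deletion only removes the "Table of Contents" entry, and later writes reuse the freed space. The following is an added example, not a tool or code from the original FAQ. It models a tiny filesystem (the ToyDisk class, the block size, the hypothetical <memo>...</memo> file signature and the sample memo are all constructed for the illustration) and walks through the full sequence: a file is written and deleted, a verified image is taken, signature carving over the raw image recovers the whole file, then one small write during continued use destroys the file header, after which carving finds nothing but a keyword search still finds the vital fragment in a block that was never reused.

```python
"""Toy disk model, added here to show why "deleted" data is recoverable and how
continued use destroys it. ToyDisk, the <memo> signature and the sample memo are
constructed for this illustration and are not a real filesystem or tool."""
import hashlib
import re

BLOCK = 32                               # bytes per block (tiny, so the image is readable)
NBLOCKS = 16
HEADER, FOOTER = b"<memo>", b"</memo>"   # hypothetical file signature a carver looks for
# constructed sample memo: 78 bytes, so it occupies three blocks
MEMO = HEADER + b" urgent: move the funds before the audit. Use account 1234-5678. " + FOOTER


class ToyDisk:
    """A directory (the FAQ's "Table of Contents") in front of a raw block area."""

    def __init__(self):
        self.raw = bytearray(BLOCK * NBLOCKS)   # what is physically on the platters
        self.directory = {}                     # name -> (block list, byte length)
        self.free = list(range(NBLOCKS))        # blocks the allocator may hand out

    def write(self, name, data):
        nblocks = -(-len(data) // BLOCK)        # ceiling division
        if nblocks > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(nblocks)]   # first fit: lowest free block
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            # only len(chunk) bytes are replaced; slack after a short chunk is left alone
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = (blocks, len(data))

    def read(self, name):
        """The normal path: only files the directory still lists are reachable."""
        blocks, size = self.directory[name]      # KeyError once the entry is gone
        return b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)[:size]

    def delete(self, name):
        """Delete the way real filesystems do: drop the entry, free the blocks, touch no data."""
        blocks, _ = self.directory.pop(name)
        self.free = sorted(self.free + blocks)

    def acquire(self):
        """Forensic image: a bit-for-bit copy plus its hash, so the examiner never works on the original."""
        image = bytes(self.raw)
        return image, hashlib.sha256(image).hexdigest()


def carve(image, header=HEADER, footer=FOOTER, max_len=BLOCK * 4):
    """Signature carving over raw bytes, ignoring the directory entirely.
    Returns (data, complete) pairs; a hit whose footer is missing is returned
    truncated at max_len and flagged incomplete."""
    hits = []
    for m in re.finditer(re.escape(header), image):
        start = m.start()
        end = image.find(footer, start, start + max_len)
        if end == -1:
            hits.append((image[start:start + max_len], False))
        else:
            hits.append((image[start:end + len(footer)], True))
    return hits


def keyword_search(image, keyword):
    """Offsets of a keyword anywhere in the image, listed in the directory or not."""
    return [m.start() for m in re.finditer(re.escape(keyword), image)]


def demo():
    disk = ToyDisk()
    disk.write("memo.note", MEMO)            # blocks 0, 1, 2
    disk.write("other.bin", b"X" * 40)       # blocks 3, 4: an unrelated file
    disk.delete("memo.note")                 # the user "deletes" the memo

    image, digest = disk.acquire()
    listed = "memo.note" in disk.directory
    after_delete = carve(image)              # examiner carves the image straight away

    # the machine keeps being used: one small new file reuses the lowest freed block,
    # which is where the memo's header was
    disk.write("cache.tmp", b"<html>cached page</html>")   # 24 bytes -> block 0
    image2, _ = disk.acquire()
    after_use = carve(image2)                # header gone, so the carver finds nothing
    surviving = keyword_search(image2, b"1234-5678")        # blocks 1 and 2 were never reused

    return {
        "listed_after_delete": listed,
        "carved_after_delete": after_delete,
        "carved_after_use": after_use,
        "keyword_offsets_after_use": surviving,
        "image_sha256": digest,
    }


if __name__ == "__main__":
    r = demo()
    print("directory lists memo after delete:", r["listed_after_delete"])
    print("carved right after delete:", r["carved_after_delete"])
    print("carved after further use:", r["carved_after_use"])
    print("account number still at offsets:", r["keyword_offsets_after_use"])
```

The order of operations is the practical lesson: the image is taken (and hashed) before anything else is written, and carving on that image recovers the entire memo. One 24-byte write afterwards is enough to remove the signature a carver depends on, which is why the FAQ's advice to stop using the machine matters; the keyword search over the whole image is the fallback that still turns up the fragment in a block that happened not to be reused.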