Private Investigation Blog

Forensic Data Recovery

One of the most important and technological-sounding parts of computer forensics is definitely the recovery of corrupted or hidden data from computer files. While it may sound like sci-fi nonsense, it is in fact a very real part of forensic science. You have probably seen sensationalized representations of data recovery on TV shows like CSI, but how forensics works on TV is often worlds apart from how it works in reality.

Ways of Data Recovery

Most people have encountered data recovery in some form or another in their lifetime. Whether it was after a computer crash or when upgrading to a larger hard drive, many of the methods used there are also used in forensic data recovery. The simplest form of data recovery is to copy information and files onto a different drive – the type of data recovery that occurs when transferring to a new hard drive. However, forensic data recovery takes this a step further and searches through places on the computer that can’t be accessed by simply clicking on a few folders and files, in order to retrieve data that someone did not want found. Volatile memory is an excellent place to find hidden information and malware, as most antivirus programs will not catch dangerous bugs, and some technicians may overlook these areas in their initial search. Many times this information is fragmented and requires the use of special procedures and tools to fill in the blanks, make sense of the information, and expose evidence of illegal activity.

Restoring Damaged or Deleted Files

Forensic technicians can easily restore damaged or deleted files and partitions to the computer, uncovering data many people would have believed completely lost. When files are deleted from a computer, they leave behind shadows of themselves on the hard drive, and the computer will only completely remove them if it has no other option, such as when a hard drive is completely filled up. Most of the time, this limit is never reached, and most deleted files can easily be recovered from these “shadow” files. These techniques are not limited to hard drives, either. Deleted data can be recovered from memory cards, USB sticks, and cell phones as well, although the process is a bit different due to the proprietary nature of mobile devices.

Work Around Safety Measures

Sometimes forensic specialists are given machines that have been fitted with safety measures to discourage anyone who attempts to snoop around. This poses a bit more of a challenge to the technicians, but it is still possible to extract information from these computers or discs. Special measures must be taken to avoid tripping one of the alarms placed onto the computer and possibly destroying all the information on it. They must also work in a way that will not change or compromise the data in any way. It is becoming common for criminals to write viruses and Trojans that can damage either the information on the disc being recovered, or the tools being used to recover the information, and it is important that technicians learn to recognize these viruses and dispose of or skirt around them properly.

Steganography -- What is it?

One of the most interesting forms of data recovery, and the one that sounds most like science fiction, is the decoding of steganography, or hiding information within other types of information. Steganography has been used for decades, and can be as simple as sign language in a photo letting U.S. troops know that the soldiers in the photos from North Korea were prisoners and not defectors, or as complex as hiding information within the code of a photo without the photo itself changing. Criminals may hide information about their crimes, or a hidden photo, within the data of a seemingly harmless .JPG file. The only way to see the hidden information is to either open the file up in a special tool, or to alter the data within the file to the correct state. All of these options must be explored by the forensic scientist to ensure that all pieces of information are retrieved.
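The following Python example is added here and is not part of the original article. It checks the simplest case of the hiding described above, data appended after a JPEG's end-of-image marker; the function names and the constructed sample bytes are assumptions, and it does not detect data embedded in the picture data itself.

```python
import struct

# File signatures worth recognising at the start of a trailer (not exhaustive).
SIGNATURES = {b"\xff\xd8\xff": "JPEG", b"PK\x03\x04": "ZIP",
              b"\x89PNG": "PNG", b"%PDF": "PDF"}

def skip_scan(data: bytes, pos: int) -> int:
    """Advance to the next real marker, ignoring FF00 stuffing and RSTn."""
    while True:
        pos = data.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(data):
            raise ValueError("truncated JPEG: no EOI marker")
        nxt = data[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            pos += 2
        elif nxt == 0xFF:
            pos += 1
        else:
            return pos

def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG marker structure; return the offset just past EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                     # EOI: the image ends here
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:   # no length field
            pos += 2
        elif pos + 4 > len(data):
            break
        else:                                    # segment with 2-byte length
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker == 0xDA:                   # SOS: compressed data follows
                pos = skip_scan(data, pos)
    raise ValueError("truncated JPEG: no EOI marker")

def inspect_trailer(data: bytes) -> dict:
    """Report how many bytes follow the image and what they look like."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    kind = next((n for s, n in SIGNATURES.items() if trailer.startswith(s)), "unknown")
    return {"image_bytes": end, "trailing_bytes": len(trailer),
            "trailer_type": kind if trailer else None}

def sample_jpeg(payload: bytes = b"") -> bytes:
    """Constructed sample: structurally valid JPEG skeleton plus a trailer."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    sos = b"\xff\xda" + struct.pack(">H", 8) + bytes(6)
    return b"\xff\xd8" + app0 + sos + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9" + payload
```

A trailer is a lead to examine rather than proof of concealment, since some cameras and editing tools legitimately write extra data after the image.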

For questions about forensic data recovery please contact Tim Wilson Investigations.

Let Us Balance the Scales of Justice for You

Call today for immediate professional investigations.

Houston Investigations:  (713) 956-1111
Toll Free:  1 (800) 820-7006

Texas Association of Licensed Investigators TALI Member Logo

License #: A10227

© Copyright 2020 Tim D. Wilson Investigations. All Rights Reserved.

35657 Mayer Rd, Hempstead, TX 77445