Computer forensics is the science of investigating computer media; data recovery is the set of techniques used to retrieve data from damaged media. A comprehensive investigation usually needs both. Data recovery techniques are used first to retrieve the critical data from the target media, then forensic methodologies are applied to analyze the data most relevant to the case.
From laptops thrown in a river to hard drives damaged in an attempt to destroy evidence of wrongdoing, Kroll Ontrack’s engineers and consultants have assisted hundreds of law enforcement and government agencies, law firms and corporations in recovering evidential data that was pivotal to their case. In many instances the media at the center of an investigation, whether the tool used to commit a crime or a repository of evidence of one, is damaged or unreadable: intentional damage, technical failure, fire and water are among the most common causes.
Deliberate or accidental?
Kroll Ontrack has been engaged in many investigations over the past two decades where media has been seriously damaged. A recent test of our expertise came when we were instructed to recover data from a computer hard drive that sustained fire damage following an explosion in a residential building. The drive arrived at our facilities in extremely poor condition: the top cover was destroyed, and an initial examination determined that the original electronics were faulty and that the drive had also suffered internal mechanical failure.
The hard drive was opened in Kroll Ontrack’s cleanroom laboratory. Once the failures were overcome, an image (a sector-by-sector copy of every readable sector of the drive) was taken. That image, rather than the original drive, was then analyzed in both our data recovery and forensic labs to determine whether the logical data had been damaged in any way.
In this case, all the data was recovered and provided to the authorities so they could further analyze and perform an investigation on the evidence from the original drive.
Following the due process
This is a typical example of where the data recovery and computer forensics worlds meet and work collaboratively. Techniques to retrieve data and overcome failures on damaged media were used while maintaining the protocols for handling media that contain evidence. Proper handling is as important as the physical recovery and the investigation itself, because media that has been handled inappropriately may no longer be admissible as evidence.
The protocols generally accepted by computer forensics specialists in the UK derive from the ACPO (Association of Chief Police Officers) guidelines. The ACPO good practice guide for computer-based electronic evidence offers sound advice on how to handle media from seizure through handling, copying and processing to final analysis.
One of these principles is that data held on a computer, or on any media that may later be relied upon in court, should not be changed in any way; in practice this means working from an image acquired through a write blocker and verifying that image against the original with a cryptographic hash. Another is that proper documentation and a chain of custody must be in place: the documentation records every procedure so that another expert could reproduce the same results.
Following these guidelines and protocols is vital in every case. It is equally crucial that the expert analyzing the media has the skills and experience required to handle and analyze electronic storage devices.
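The imaging step described in the fire-damaged drive case and the "do not change the data, document everything" principles above come together in the acquisition tool. The following is an added example written for this page; it is not Kroll Ontrack's tooling and not part of the ACPO text. It imitates in miniature what a forensic imager such as ddrescue does: read the source one sector at a time so a single unreadable sector does not abort the run, zero-fill sectors that cannot be read so offsets in the image still line up with the source, and write a record of the unreadable sectors and the SHA-256 of the image so a second examiner can verify the result. The `FlakyDevice` class is a constructed stand-in for a damaged drive; on a real acquisition the source would be the block device opened read-only behind a hardware write blocker.

```python
"""Sector-by-sector imaging of a damaged drive with a reproducible audit record.

Added example (not Kroll Ontrack's tooling, not the ACPO text). Unreadable
sectors are zero-filled and logged rather than silently skipped, and the
image hash in the record is what a second examiner checks before relying on
the copy.
"""
import hashlib
import json
from datetime import datetime, timezone

SECTOR = 512


class FlakyDevice:
    """Constructed stand-in for a damaged drive.

    Offers the seek()/read() subset the imager needs; any read that touches a
    sector listed in `bad_sectors` raises OSError, as an I/O error would.
    """

    def __init__(self, data, bad_sectors, sector=SECTOR):
        self._data = data
        self._bad = set(bad_sectors)
        self._sector = sector
        self._pos = 0

    def seek(self, offset):
        self._pos = offset

    def read(self, n):
        first = self._pos // self._sector
        last = (self._pos + n - 1) // self._sector
        if any(lba in self._bad for lba in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def image_device(src, size, sector=SECTOR):
    """Read `size` bytes from `src` one sector at a time.

    Returns (image_bytes, record). `record` is the chain-of-custody entry:
    when the copy was made, the sector size, which sectors could not be read,
    and the hash of the resulting image.
    """
    if size % sector:
        raise ValueError("size must be a whole number of sectors")
    image = bytearray()
    unreadable = []
    for lba in range(size // sector):
        src.seek(lba * sector)
        try:
            chunk = src.read(sector)
            if len(chunk) != sector:
                raise OSError("short read")
        except OSError:
            unreadable.append(lba)
            chunk = b"\x00" * sector  # keep the image offset-aligned; the gap is logged
        image += chunk
    record = {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "sector_size": sector,
        "sectors_total": size // sector,
        "unreadable_sectors": unreadable,
        "image_sha256": sha256_hex(image),
    }
    return bytes(image), record


def verify_image(image, record):
    """The check a second examiner runs: does the image still match its record?"""
    return sha256_hex(image) == record["image_sha256"]


def demo():
    """Constructed 16-sector 'drive' in which sectors 3 and 9 are unreadable."""
    data = b"".join(bytes([i]) * SECTOR for i in range(16))
    src = FlakyDevice(data, bad_sectors={3, 9})
    image, record = image_device(src, len(data))
    expected = bytearray(data)
    for lba in (3, 9):
        expected[lba * SECTOR:(lba + 1) * SECTOR] = b"\x00" * SECTOR
    return image, bytes(expected), record


if __name__ == "__main__":
    image, expected, record = demo()
    print(json.dumps(record, indent=2))
    print("image matches record:", verify_image(image, record))
    tampered = bytearray(image)
    tampered[0] ^= 0x01  # any later change to the image is detectable
    print("tampered copy matches record:", verify_image(bytes(tampered), record))
```

The record is deliberately explicit about what was not recovered: an image with silently skipped sectors would shift every later offset and could not be reproduced by another expert from the same source.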
Investigating a murder
Another case handled by Kroll Ontrack was for a foreign magistrates’ court and involved a hard drive used to record CCTV images. The captured footage possibly contained evidence of a murder being committed. Unfortunately for the local investigation team the drive was not operational, so they called in our experts to assist.
The damaged drive was flown into London under personal escort. A cursory examination suggested an electronics failure; further examination revealed that the drive also suffered from media corruption. In such cases the fault lies with the storage device itself, not with a virus or the operating system, and what is damaged is often not only the user data but also the low-level information that is critical to the basic operation of the hard drive.
Despite this level of corruption, Kroll Ontrack managed to copy 99% of the raw data. Unfortunately the data structures were affected, which meant that the files could not simply be read out; they had to be repaired or reconstructed. As is often the case with CCTV systems, the recorder ran a proprietary operating system. Kroll Ontrack was nonetheless able to bypass the damaged structures and recover image files that could be used by the court.
In general you get one shot at recovering data from damaged media, so it is paramount that experts with the right level of skills, qualifications and experience are engaged from the very beginning. Sometimes risk just isn’t an option.
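Bypassing damaged structures to recover files by their own headers is known as carving. The following is an added example written for this page; it is not Kroll Ontrack's tooling and does not model the recorder's proprietary format, which the page does not describe. It carves JPEG files, as a generic stand-in for CCTV still images, from a raw image. A naive carver cuts from the SOI marker (FF D8) to the next EOI marker (FF D9), which truncates any file carrying an EXIF thumbnail because the thumbnail is itself a complete JPEG with its own EOI; the carver below walks the marker segments by their length fields and looks for EOI only inside the entropy-coded data that follows SOS. The sample "disk image" and the minimal JPEG streams in it are constructed for the example.

```python
"""Signature-based carving of JPEG files from a raw image with damaged structures.

Added example (not Kroll Ontrack's tooling, not the CCTV recorder's format).
Works on contiguous files only: a fragmented file needs file-system knowledge
to reassemble, which is exactly what is missing when the structures are gone.
"""

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
SOS_MARKER = 0xDA


def jpeg_length(buf, start):
    """Length of the JPEG starting at buf[start], or None if truncated or malformed."""
    if buf[start:start + 3] != b"\xff\xd8\xff":
        return None
    n = len(buf)
    pos = start + 2
    while pos + 2 <= n:
        if buf[pos] != 0xFF:
            return None                  # lost marker sync: not a usable JPEG
        marker = buf[pos + 1]
        if marker == 0xFF:               # padding byte before a marker
            pos += 1
            continue
        if marker == 0xD9:
            return pos + 2 - start       # EOI reached outside scan data
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                     # standalone markers carry no length field
            continue
        if pos + 4 > n:
            return None
        seglen = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if seglen < 2:
            return None
        pos += 2 + seglen                # skip APPn, DQT, SOF, DHT, SOS header, ... by length
        if marker != SOS_MARKER:
            continue
        # Entropy-coded data: FF 00 is an escaped FF byte, FF D0-D7 are restart markers,
        # FF D9 ends the file; any other marker hands control back to the segment loop.
        while pos + 1 < n:
            if buf[pos] != 0xFF:
                pos += 1
                continue
            nxt = buf[pos + 1]
            if nxt == 0xD9:
                return pos + 2 - start
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                pos += 2
                continue
            break
        else:
            return None                  # ran off the end of the image: truncated file
    return None


def carve_jpegs(image):
    """Return [(offset, length_or_None, complete)] for every JPEG header found."""
    found = []
    pos = 0
    while (off := image.find(b"\xff\xd8\xff", pos)) >= 0:
        length = jpeg_length(image, off)
        if length is None:
            found.append((off, None, False))
            pos = off + 2
        else:
            found.append((off, length, True))
            pos = off + length           # resume after the file so its thumbnail is not carved twice
    return found


def naive_length(image, off):
    """What a header-to-next-EOI carver would produce; shown for comparison only."""
    end = image.find(EOI, off)
    return None if end < 0 else end + 2 - off


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def make_jpeg(scan_data, thumbnail=b""):
    """Constructed minimal JPEG: valid marker structure, dummy tables and scan data."""
    out = SOI
    if thumbnail:
        out += _segment(0xE1, b"Exif\x00\x00" + thumbnail)          # APP1 with a nested JPEG
    out += _segment(0xDB, b"\x00" + bytes(64))                       # DQT
    out += _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")   # SOF0: 16x16, 1 component
    out += _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")               # SOS header
    return out + scan_data + EOI


def build_sample():
    """Constructed 'disk image': filler, a JPEG with thumbnail, a plain JPEG, a truncated one."""
    scan = b"\x12\x34\xff\x00\x56\xff\xd1\x78\x9a"   # contains an escaped FF and an RST1 marker
    with_thumb = make_jpeg(scan, thumbnail=make_jpeg(b"\x01\x02"))
    plain = make_jpeg(scan)
    truncated = plain[:-5]                           # cut inside the scan data, EOI lost
    image = bytes(700) + with_thumb + b"\xab" * 300 + plain + bytes(100) + truncated + bytes(64)
    off_a = 700
    off_b = off_a + len(with_thumb) + 300
    off_c = off_b + len(plain) + 100
    expected = [(off_a, len(with_thumb), True), (off_b, len(plain), True), (off_c, None, False)]
    return image, expected


if __name__ == "__main__":
    image, _ = build_sample()
    for off, length, complete in carve_jpegs(image):
        print(f"offset {off}: length {length}, complete={complete}, naive={naive_length(image, off)}")
```

On the constructed image the first file is carved at its full length while the naive header-to-EOI rule stops at the embedded thumbnail, and the truncated file is reported as incomplete rather than presented as evidence.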