How Electronic Evidence Discovery Recovers Deleted Data

Electronic evidence discovery recovers data that has been accidentally or deliberately deleted on computer drives.

The word "evidence" suggests that the data to be recovered is part of an investigation into potential wrong-doing... but it could be snooping by a suspicious partner, recipients of your disposed computer, or, a law enforcement agency.

Here's what we'll cover...

  1. Forensic Recovery and Snooping
  2. Protection By Back Up
  3. Understanding How Hard Disks Store Data
  4. Deletion Doesn't Mean It's Gone!
  5. Software For Recovering Data
  6. Supporting Articles

1. Forensic Recovery and Snooping

Why would we or anyone else want to recover lost data from our hard drive? Well, there are two main reasons...

Accidental File Deletion

Accidental file deletion is the most common reason for needing to recover disk information.

If your hard disk is physically damaged, such as being burnt out, it's unlikely you'll be able to recover anything by yourself -- your best chance is a professional data recovery company.

Similarly, if the clusters containing the data were overwritten, you won't be able to do anything without specialized electronic evidence discovery software. To check whether the data is still available, use Phoenix Data Recovery. You download the software for free, run a scan, check your file is recoverable, then buy the license and recover!

Forensic Or Third Party Examination

Electronic evidence discovery experts can recover incriminatory data from hard disks during a crime investigation, even when the suspect deletes it and takes precautions to overwrite the clusters where the data was stored.

By using extremely powerful forensic hardware, such as Magnetic Force Microscopy, data recovery experts can study the positioning of the read/write head of the hard disk and inspect the strength of the signals that it produces on the magnetized platters. From this process a ghost version of the data can be created.

In most cases, data can be recovered even if the cluster containing it was overwritten a number of times.

Forensic software is also widely used in recovering digital evidence from hard drives. The computer forensic industry's software benchmark is a comprehensive package called EnCase.

There are other people who may have an interest in recovering digital evidence from hard drives. This could be an employer, who suspects an employee of using their business computer for personal activities prohibited by the organization... downloading pornography, for example.

Equally, suspicious partners can resort to using undelete software to recover emails and photos that the other partner had thought were gone for good!

Then there are those who want to get hold of that old computer you disposed of... to recover your financial, password and personal details to attempt to access your bank accounts or for identity theft.

If you want to erase your hard disk or specific files beyond recovery by undelete or forensic inspection, you need to use, cyberCide Data Destruction or Privacy Suite -- the former will destroy all data and the latter will destroy online evidence and selected files.

Now we'll look at what types of software are available for electronic evidence discovery...

2. Electronic Evidence Discovery...
Protection By Back Up

A hard disk is a piece of electronics and as with all technology, it’s not 100% safe against failure. So, the first line of defense is to regularly back up your data to an external drive such as a CD, DVD, memory stick, USB drive or one of the many Cloud storage facilities. Many don't and consider it an optional measure -- a big mistake!

3. Understanding How Disks Store Data

Hard disks use a relatively simple mechanism to store data. The disks use one or more circular platters that are covered with a magnetic material, such as cobalt or iron oxide, to record information.

When we save files, the operating system (e.g. Windows or Mac), will place them as small clusters of digital data in these magnetic fields. When we want to see the files, they are read back by a metallic head that magnetizes the data back off the coating on the platter. By spinning at very high speeds, the platters allow the read/write head to easily search for the data pattern that it requires.

Electronic evidence discovery from hard drives is possible even when the platters themselves get damaged, even though the extracted data may be corrupted or made incomplete by the damage.

4. Deletion Doesn't Mean It's Gone!

Whenever data is deleted through the operating system by pressing/clicking 'delete' it is not completely removed. Instead, the files deleted remain but the pathway to them is deleted. They remain there until the cluster is needed for another operation.

If the operating system requires that particular cluster to be used again, it overwrites the deleted data and replaces it with the new data. However, even overwriting the deleted data in this way doesn't guarantee that it's completely gone.

Using specialized hardware and software, the data can be 'undeleted' back to its original format.

5. Software For Electronic Evidence Discovery

There are the high end, professional, software packs such as EnCasefor recovering digital evidence from hard drives. These packages are aimed at the forensic industry and can cost over $2000.

However, there is very effective recovery software to suit the pocket of anyone wanting to recover data from their own computer... or anyone-else's.

If you're short of money or you have a simple one-off 'undelete' task, you can try out one of the number of free recovery software downloads, which are discussed in my article, Electronic Evidence Discovery: Free Recovery of Deleted Files and Photos

The software packages in my article, Software To Undelete That Lost Data are very powerful and allow you to recover data from all computer drives, external drives, USBs, CDs, DVDs and camera and phone cards. My recommendation is, Phoenix Data Recovery for Windows and Mac


6. Supporting Articles

  1. Recover Lost Photos and Data From SD Cards, Hard Drives and External Media
  2. Free Recovery of Deleted Files and Photos
  3. Software To Undelete That Lost Data
  4. Mac Software to Recover Your Lost Files and Photos
  5. Evidence Of What You've Deleted Can Still be Recovered

New! Comments

Have your say about what you just read! Leave me a comment in the box below.