
How Recovering Digital Evidence From Hard Drives Works



Recovering digital evidence from hard drives means undeleting data from a computer -- whether it was deleted accidentally or deliberately.

The word "evidence" suggests that the data to be recovered is part of an investigation into potential wrong-doing... say by a law enforcement agency or even a suspicious partner.

Besides looking at that aspect of data recovery, we're also going to talk about recovering digital evidence from hard drives by the computer owner who has lost or erased data accidentally.

We'll look at both scenarios together because, although the intent is different, the process of recovery is very similar.

Here's what we'll cover...

  1. Avoiding Accidental Deletion
  2. How Hard Disks Store Data
  3. Deletion Doesn't Mean It's Gone!
  4. Who Wants To Recover Data?
  5. Software For Recovering Data
  6. Articles On Recovering Digital Evidence

1. Recovering Digital Evidence From Hard Drives...
Avoiding Accidental Deletion

Since computer users are used to things working the way they should, many don't back up their data and consider it an optional measure.

By relying so much on the integrity of our hard disks, we give room to unexpected problems that, unfortunately, WILL occur at some point. The hard disk is still a piece of technology and, as with all technology, it's not 100% safe against failure.

Data can't be fully recovered all the time, especially when the hard disk suffers physical damage... so don't rely on data recovery software to get out of a jam.

Before going into how recovering digital evidence from hard drives works, remember... the first line of defense against data loss is to back up the data frequently. Use an external memory source, such as a CD, DVD, memory stick, USB drive or one of the many Web storage facilities.


2. Recovering Digital Evidence From Hard Drives...
How Hard Disks Store Data

Hard disks use a relatively simple mechanism to store data. The disks use one or more circular platters that are covered with a magnetic material, such as cobalt or iron oxide, to record information.

When we save files, the operating system (e.g. Windows or Linux) will place them as small clusters of digital data in these magnetic fields.

When we want to see the files, they are read back by a metallic head that magnetizes the data back off the coating on the platter. By spinning at very high speeds, the platters allow the read/write head to easily search for the data pattern that it requires.

Recovering digital evidence from hard drives is possible even when the platters themselves get damaged and the disk cannot be connected to a PC... although the extracted data may be corrupted or made incomplete by the damage.


3. Recovering Digital Evidence From Hard Drives...
Deletion Doesn't Mean It's Gone!

Whenever data is deleted through the operating system by pressing/clicking 'delete' -- and here's the catch -- it is not completely removed. Instead, the files deleted are simply renamed to a special form not visible from the operating system. They remain there until the cluster is needed for another operation.

If the operating system requires that particular cluster to be used again, it overwrites the deleted data and replaces it with the new data. However, even overwriting the deleted data in this way doesn't guarantee that it's completely gone.

Using specialized hardware and software, the data can be 'undeleted' back to its original format. Nowadays, recovering digital evidence from hard drives is all about what physical and virtual technology is at hand and knowing how to use it.
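
The deletion behaviour described in this section, as an added Python illustration (not part of the original article): a toy FAT-style volume where deleting only flags the directory entry and frees its clusters, so an undelete scan returns the file intact until those clusters are reused. The `ToyVolume` class, the 8-byte cluster size and the file names and contents are constructed for the example; the `0xE5` marker is the FAT convention for a deleted entry.

```python
# Toy model, constructed for illustration; not a real filesystem driver.
DELETED = 0xE5   # FAT overwrites the first byte of a deleted entry's name with 0xE5
CLUSTER = 8      # toy cluster size in bytes (real clusters are kilobytes)

class ToyVolume:
    def __init__(self, n_clusters=8):
        self.data = bytearray(n_clusters * CLUSTER)  # raw disk contents
        self.free = list(range(n_clusters))          # clusters available for reuse
        self.entries = []                            # directory: [name, clusters, size]

    def write(self, name, payload):
        need = -(-len(payload) // CLUSTER)           # clusters required, rounded up
        clusters = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(clusters):
            chunk = payload[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.entries.append([bytearray(name), clusters, len(payload)])

    def delete(self, name):
        for entry in self.entries:
            if bytes(entry[0]) == name:
                entry[0][0] = DELETED                # hide the entry; data untouched
                self.free = entry[1] + self.free     # clusters may now be reused
                return True
        return False

    def listing(self):
        return [bytes(e[0]) for e in self.entries if e[0][0] != DELETED]

    def undelete(self):
        """Return {name: (recovered_bytes, intact)} for every deleted entry."""
        live = {c for e in self.entries if e[0][0] != DELETED for c in e[1]}
        found = {}
        for name, clusters, size in self.entries:
            if name[0] == DELETED:
                raw = b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
                found[b"?" + bytes(name[1:])] = (raw[:size], not live & set(clusters))
        return found

def demo():
    vol = ToyVolume()
    vol.write(b"secret.txt", b"PIN=4921 keep safe")
    vol.write(b"notes.txt", b"groceries")
    vol.delete(b"secret.txt")
    before = vol.undelete()[b"?ecret.txt"]           # clusters not yet reused
    vol.write(b"new.txt", b"X" * 10)                 # reuses the freed clusters
    after = vol.undelete()[b"?ecret.txt"]
    return vol.listing(), before, after

if __name__ == "__main__":
    print(demo())
```

The second scan shows what undelete software sees after partial reuse: the tail of the old file survives in the clusters and slack space the new file did not fill, and the entry is reported as no longer intact.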


4. Recovering Digital Evidence From Hard Drives...
Who Wants To Recover Data?

Why would we or anyone else want to recover lost data from our hard drive?

Well, as I said earlier, there are two main reasons for recovering digital evidence from hard drives...

  1. Accidental file deletion
  2. Forensic or third party examination

Accidental File Deletion

Accidental file deletion is one of the most common reasons for needing to recover disk information.

Recovering lost data from your hard drive by yourself depends on whether the loss of data was caused by a hardware problem and whether or not the cluster containing it has been overwritten.

If your hard disk is physically damaged, such as being burnt out, it's unlikely you'll be able to recover anything by yourself -- your best chance is a professional data recovery company.

Similarly, if the clusters containing the data were overwritten, you won't be able to do anything without specialized recovery software. We'll get on to recovery software later.

Forensic Or Third Party Examination

Criminal investigations can often be solved easily by recovering digital evidence from hard drives. Digital evidence experts can recover incriminating data from hard disks even when the suspect deletes it and takes extensive precautions to overwrite the clusters where the data was stored.

By using extremely powerful forensic hardware, such as Magnetic Force Microscopy, data recovery experts can create a "shadow" of the data that was previously written to the disk.

By studying the positioning of the read/write head of the hard disk or by inspecting the strength of the signals that it produces on the magnetized platters, a ghost version of the data can be created.

In most cases, data can be recovered even if the cluster containing it was overwritten up to 6-7 times. However, even this technique can be beaten by Evidence Eliminator ... software that guards privacy and uses magnetic remanence to under-write files and remove evidence from detection by Magnetic Force Microscopy.

Forensic software is also widely used in recovering digital evidence from hard drives. The computer forensic industry's software benchmark is a comprehensive package called EnCase.

You can read more about EnCase in the article I've written about EnCase vs Evidence Eliminator.

There are other people who may have an interest in recovering digital evidence from hard drives. This could be an employer, who suspects an employee of using their business computer for personal activities prohibited by the organization... downloading pornography, for example.

Equally, suspicious partners can resort to using undelete software to recover emails and photos that the other partner thought had gone for good!

So, what types of software are available for recovering digital evidence from hard drives?...


5. Software For Recovering Digital Evidence From Hard Drives

There are the high-end, professional software packages such as EnCase for recovering digital evidence from hard drives. These packages are aimed at the forensic industry and can cost over $2000.

However, there is very effective recovery software to suit the pocket of anyone wanting to recover data from their own computer... or anyone else's.

If you're short of money or you have a simple one-off 'undelete' task, you can try out one of a number of free recovery software downloads.

To do these software packages full justice, I've written a separate article... Compare And Review Data Recovery Software Programs


6. Articles On Recovering Digital Evidence From Hard Drives

  • Compare And Review Data Recovery Software Programs
  • Recovering Digital Evidence From Hard Drives
  • EnCase vs Evidence Eliminator