Ever accidently delete a file on your computer only to try in vain to recover it. Usually, a simple search in the recycle bin will allow you to recover the file. However, if you permanently deleted the file (such as using the command Ctrl+Shift+Delete) then you won’t have much luck using the recycle bin. There are available software that the home user can install that will provide a chance to recover the file but what if you don’t feel comfortable using such software or worse, the software did not yield the results you were hoping for? This is where the professionals come in.
has been in the game for years and employs its own forensics lab for both cellular and computer forensics investigations. The main function of the lab is forensics data recovery as well as computer forensics analysis. The method forensic examiner uses on most cases is nothing new to the industry, however, the results are highly successful due to experience and the powerful software the lab uses.
The first step of the forensic method used involves is to create a forensic image of the hard drive. This allows the investigator to keep the original hard drive data from being altered in any way. This is paramount in most cases that come through .
The next step involves direct recovery of the files within the scope of the investigation. An example could be a simple text file, which would be recovered by looking for the file name or perhaps strings of ASCII which represent the words the user typed in the document. Some of these files can actually be found in temporary memory or even in the recycle bin. Usually during the investigation the forensic examiner will search using Metadata. Metadata is data describing the file itself. Metadata assists in resource discovery by providing information about the relevant criteria, helping in identifying resources, linking similar resources together, excluding unlike data resources, and giving location information. Information describing when the file was written, updated and last opened is also used to speed up the recovery process.
An important part of this process is to remember that deleted data is not actually removed from the hard drive when the user deletes it. This is why computer forensic firms with forensic investigators and computer forensic analyst can successfully recover deleted files. Deleting a file only marks the file to be written over once the location on the hard drive that houses the data becomes earmarked for new data to be written. This is also why it is important to defragment your hard drive regularly so that the hard drive space can be filtered of void compartments of data which increases loading times.
On a computer hard drive, there is only a finite amount of space available to allocate files. The OS instructs the hard drive to save over the space on a hard drive that has a deleted file on a first come-first serve basis. Up until the segment of data is overwritten with new data then it is usually not a complicated task for a computer forensic specialist to retrieve these files.
Because the allocating of storage space for files can be somewhat random, a portion of the file may be over written but the remaining portion of the file may still be recoverable using data mining software. Also, because computers of today have massive storage space, the chances of a file (or part of the file) not being recoverable are very slim.
Digital forensics, which covers both cell phone forensics and computer forensics electronic discovery, is a very intricate technique. In order to be admissible in court the processes must be completed by professionals using complex and defined protocols for evidence discovery and handling chain of evidence. has been providing forensic services since the beginning. We had one of the first cellular forensics labs in the country and have provided computer forensics and investigation services even before creating our cellular lab. We know forensics and if you need a professional when it comes to computer forensics and investigations, call us.
-Brenda McGinley, CEO, All in Investigations, All in Investigations