Computer forensics is not magic. In fact, it is very technical in nature and can be very exacting. People always wonder how computer forensics experts can “conjure” up “stuff” from computers that the owners thought was gone. How does forensics data recovery work?
When it comes to files, forensic computer investigations and computer forensic analysis work from a three-pronged approach.
- The first is to recover files as we users know them, for example a Word document or an Excel worksheet or workbook. These are files that openly exist on the computer. These are not files the user thinks have been deleted or removed, although some of those could exist in their original form in the recycle or trash folders.
- The second is the metadata. This is data about the file itself. Users don’t think about it too much. It reveals information such as when the file was written, updated and last opened. This sort of information can be very useful when dates and times are critical in an investigation.
- The last approach is all about the deleted files. These are the files that users think are gone “forever.” These are the files that people think of when they think computer forensics firms can work magic. The forensic investigator knows it isn’t magic, but a highly technical organization and storage space conundrum. It’s not 100% foolproof or logical. In fact, how the computer allocates space can be very random, and it’s the job of the computer forensic analyst to figure it out.
There is a finite amount of storage on a computer hard drive. When a file is created, the computer assigns so much space – or allocates space – to that file. When the file is deleted or trashed, the allocated space is still there – with the file. It stays there until the space is re-allocated to another “fresh” or “current” file. Using data mining software and highly technical protocols, a computer forensic specialist can retrieve all files allocated.
Because the computer is random at allocating storage space for files, a portion of the file may be overwritten, but part of it may still be retrievable. Since computers today have huge (although finite) reservoirs of storage, the chances of a file really being completely gone are slim.
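The behaviour described above can be modelled in a few lines. This is an added example, not code from the original article or from any forensic tool: `ToyDisk`, its first-fit allocator, the 16-byte cluster size and the sample file contents are all assumptions made for illustration.

```python
CLUSTER = 16  # bytes per cluster; tiny on purpose (constructed toy volume)
SECRET = b"Q3 ledger: wire 4,200 to vendor on Friday"  # constructed sample

class ToyDisk:
    """Hypothetical model: raw clusters, a free map and directory entries."""
    def __init__(self, n_clusters=8):
        self.raw = bytearray(CLUSTER * n_clusters)
        self.free = set(range(n_clusters))
        self.live = {}     # name -> (cluster list, file length)
        self.deleted = {}  # stale entries a delete leaves behind

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)          # clusters required (ceiling)
        clusters = sorted(self.free)[:need]      # first-fit allocation
        if len(clusters) < need:
            raise OSError("volume full")
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.free -= set(clusters)
        self.live[name] = (clusters, len(data))

    def delete(self, name):
        clusters, length = self.live.pop(name)
        self.free |= set(clusters)               # space marked reusable...
        self.deleted[name] = (clusters, length)  # ...but no bytes are wiped

    def recover(self, name):
        """Rebuild a deleted file; clusters since re-allocated become '?'."""
        clusters, length = self.deleted[name]
        reused = {c for cl, _ in self.live.values() for c in cl}
        out = bytearray()
        for c in clusters:
            if c in reused:
                out += b"?" * CLUSTER
            else:
                out += self.raw[c * CLUSTER:(c + 1) * CLUSTER]
        return bytes(out[:length])

def demo():
    disk = ToyDisk()
    disk.write("ledger.txt", SECRET)
    disk.delete("ledger.txt")
    before = disk.recover("ledger.txt")  # nothing re-allocated yet
    disk.write("note.txt", b"hello")     # new file takes the first freed cluster
    after = disk.recover("ledger.txt")   # first cluster lost, rest intact
    return before, after

if __name__ == "__main__":
    for label, data in zip(("before reuse", "after reuse"), demo()):
        print(label, data)
```

Before any space is re-allocated the deleted file comes back whole; after the new file claims one cluster, only that cluster's worth of the deleted file is lost.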
Digital forensics, including both computer forensics electronic discovery and cell phone forensics, is not magic. It is highly sophisticated and, in order to be admissible in court, must be completed by professionals using complex and defined protocols for evidence recovery and handling in the chain of evidence.
We have been at the forefront of digital forensics since the beginning. We had one of the first computer forensics and cellular forensics labs in the country. We know forensics. If you need a professional when it comes to computer forensics and investigations, call us.
-Brenda McGinley, CEO, All in Investigations