Forensic Data Recovery
|
What is the difference between Forensic Data Recovery (FDR), and normal Data Recovery?
There are many answers to this question, so the following summary is just one solution. Both tasks are required to recover files when they have been lost, corrupted, deleted, or just cannot be read by the operating system. The desired result is a selection of files that can then be read.
Both solutions can use the same technique of tolerant reading, searching for lost directory entries, or just a raw file search using signatures - often refered to as data carving. The difference comes with the associated documentation and monitoring of how a file was recovered. This can often mean logging the sectors that made up the file, and also retaining the metadata from any directory entry. For a secure recovery, it is advisable to create a MD5 (or SHA-256) hash value of the file data in order to trap any subsequent, accidental or deliberate changes to the file. CnW Recovery will always log an MD5 and a SHA-256 hash value for all files recovered
Forensic investigation of a file is not part of FDR. Thus one is not interested in how a file has been edited, but all dates relating to how and when a file has been written to the disk drive are very important.
CnW Software has a comprehensive range of logs which track all sector numbers, fragments, dates etc. There is also a report generating function to produce an XML report.
When do an FDR, it is essential that the data on the drive is not changed. Thus a Write Blocker should always be used, and identical copies of the disk should be used, after the original imaging.