Data Recovery & Forensic Recovery Explained

Friday, November 9th, 2007

The advances in communication that have been made in the last two decades created a new branch of detectives. These are electronic detectives, and they are required because electronic communication almost replaced the written hard copy form of communication, the majority of corporate data onlyexisting in electronic format. Because of this, hard disk data recovery experts have become a required aid for detectives or they became electronic detectives themselves.

The computer has become a focal point for investigations or for corporations to identify their employs activities.

Nowadays, a significant part of corporate investigations is the data recovery process. Through data recovery, a volume of data can be obtained and evidence can be found in documents that might be relevant to the investigation. The data recovery process ensures a mass of important information that can be used.

There are a number of terms used to describe the data on a hard disk based on its state. “Active Data”, is used to describe the data form that is accessible to the user of the computer. The term “Recovered Data” is used to describe the information that has been recovered after it has been deleted from the Active Data. This data is either in a very easy to recognize format, entire files, or an expert will be required to interpret it as it is in bits and pieces. The last type of term is “Unused” and it describes either parts of the hard disk that have never been used or parts that have been deleted from the Active Data and are available to be rewritten.

If covert corporate activities take place, then the data they leave behind will be deleted and probably the hard disk will be formatted and re partitioned to hide any traces. In this case, hard disk data recovery experts can help acquire proof by using advanced hdd data recovery tools and their expertise. This proof might then be used to conclude a case.

Data recovery specialists can help police investigations in many cases but the most expectable are cyber crime investigations that are related to credit card information theft or online money transfers. They also help in cases of child pornography.

With computers becoming a required standard in any office and workplace hdd data recovery experts will be tomorrows detectives in many investigations that include cyber crimes. They will be the ones that will uncover vital information for the conclusion of important cases.


By: Nahar Dijla
Recupero Dati milano Data Recovery services data recovery LONDON

Emergence of E-Discovery In Civil Litigation

Wednesday, November 7th, 2007

The law, as a means of administering dispute resolution and criminal accountability, must be able to adapt to revolutions of industry or technology. We are currently in the beginning years of a technological revolution that will only grow and continue to change the way humans live their lives. Computer and internet use have changed the way that people and business think and act. In today’s judicial system, a case (either civil or criminal) is often decided by the evidence produced and discovered prior to trial.

As computers have become the integral components of any successful business operation, the records on those computers have become more difficult to discover. Not only because of the difficulty of gaining access to an adversary’s computer records, but also because many seasoned attorneys do not even know what to look for when they do gain access. Adding to the confusion is a lack of guiding procedural and case law. New methods of discovery have hampered older, traditional attorneys who carry with them the knowledge and experience from the days of paper and pen.

The old rules are obsolete, and in today’s world if you can not keep up with the technology and developments in the law then you will be left as ineffectual as the paper and pen you hold in your hand.

In response to the increased demands for structure in E-discovery, the ABA has proposed new Amendments to Civil Discovery Standards relating to the use of E-discovery. In part, these proposed amendments are aimed at providing guidance for evidence retention, destruction and production.

Electronic evidence presents many issues not previously experienced with more traditional forms of evidence. Certain forms of electronic evidence may be misleading and prejudicial to one party or the other, because one piece of evidence may only represent an initial draft of a document, containing information leading to the inference of liability. From a simple printout of electronic evidence, it can be extremely difficult to ascertain whether that evidence is the first or final draft, and whether that evidence has any impact on the dispute. In many ways electronic evidence provides for easier access because there is no need to search through cumbersome boxes of paper, but conducting the actual discovery process may exponentially increase the costs to both the producing and discovering parties. It takes substantial time to track down trails of information throughout a company’s network. From a plaintiff’s point of view, electronic evidence is difficult to destroy, as it takes an extremely complicated and sophisticated process to completely erase an electronic signature and metadata associated with the files. As demonstrated, electronic evidence may at times be more difficult to find, but conversely, it is also harder to destroy. This juxtaposition of qualities can make a process that appears more concise in theory, to actually become more cumbersome and costly when actually put into practice.

In response to these growing concerns, as part of its proposed amendments, the ABA has focused on E-discovery issues ranging from pre-trial conferences and electronically stored information to a party’s failure to comply with discovery or to cooperate. Unnerving to many plaintiff’s attorneys is proposed Amendment 37(f), which provides that:

“Unless a court order requiring preservation of electronically stored information is violated, the court may not impose sanctions under these rules on a party when such information is lost because of the routine operations of its electronic information system if the party took reasonable steps to preserve discoverable information.”

This is perhaps the most troublesome (at least for plaintiff’s attorneys), because it effectively creates a safe-harbor for the destruction of electronic evidence. Sanctions would be barred when information is destroyed as a result of routine destruction practices. The rule mentions nothing about what a reasonable destruction practice is or whether a party must freeze those practices once it learns that there is a potential for litigation. Other important proposed amendments include:

Rule 33(d). Under the traditional Rule 33, a party responding to an interrogatory could produce business records as a substitute for explicitly responding to the interrogatory. Under Amended Rule 33(d), the responding party will be permitted to produce electronic dates and records when responding to interrogatories provided that the requesting party can easily identify and locate the sought after information.

Rule 34(b). The new proposed amendments do not require an attorney to choose a particular evidentiary format when responding to discovery requests, but its mere mention suggests a policy toward favoring electronic evidence. When a requested production format is not specified, the responding party should produce evidence in the manner in which that information is ordinarily maintained or, alternatively, in a form that is reasonably easy to access and use.

Rule 26(b)(5)(B). This amendment addresses the inadvertent production of privileged or protected information. This rule will allow a party who unintentionally discloses the privileged information to retrieve it from the accidental receiving party unless that party can prove that they have a right to that information.

Rule 45. This amendment to Rule 45 would essentially allow parties to subpoena electronically stored information pursuant to any of the other adopted amendments contained in the Rules.

These are not the only proposed changes, but this brief summary of the proposed amendments is a good demonstration of the increasing preference for electronic discovery. The legal world is changing and those attorneys who are unable to keep up with the changes will be left in the dust. This move by the ABA should serve as a sign to those attorneys frightened by technology and advancements in the law. Electronic discovery is here to stay, unlike those who refuse to welcome the changes to the judicial discovery process.


This article was written by Nicholas Deleault, a Franklin Pierce Law Student. Nicholas writes select legal articles for the Law Firm of Goldstien and Clegg, a Massachusetts cyberlaw firm.

Collecting Personal Data for E-Discovery

Monday, October 8th, 2007

A huge component of e-discovery relates to electronic files that are created and stored every day by employees – e-mails, word documents, spreadsheets, presentations and more. Oftentimes, it is inadvertent spoliation or omission of such files in discovery that results in undesired sanctions and even default judgments. Thus, developing sound methodologies for identifying, preserving, and collecting files from personal data repositories is a key component of being litigation ready.Know what data exists and where
The first consideration in improving an organization’s litigation readiness is to identify where and how personal data is being created and stored. What applications are used to create messages and/or documents throughout the organization? Are application programs centrally managed to limit the types or versions being used?

Once electronic information is created, where are files being stored? Are they on desktop and laptop computer hard drives, mapped network share drives, portable flash drives or other removable media? Are document management systems, such as SharePoint sites or other collaboration repositories utilized? Are portable computing devices being used, such as PDAs, Blackberries or smart phones? Do employees use computers at home for business?
For these systems, it’s important to ask the following questions:

  • Are personal files backed up for disaster recovery?
  • Where are backup files stored?
  • Are entire hard drives backed up or only those files stored in “My Documents”?
  • Are the back-up processes automated and scheduled or do they rely on an employee’s action?

If using enterprise-wide content management systems:

  • Are there guidelines on how to move or restore files in and out of the records management repository?
  • Does a records retention plan exist that requires the preservation of specific file types?
  • Are e-mail mailboxes governed in terms of timeframes, file size, or overall mailbox capacity?
  • Can e-mails be archived to personal data stores?
  • How does the organization manage files from departing employees?
  • Are e-mail mailboxes routinely archived and files from computer hard drives preserved before redeploying computer hardware or disposing of stored network files?

Determine an approach to file collection.
Once an employee’s personal data repositories has been identified as potentially relevant to a particular matter, there are a variety of methods used to preserve or copy source files for electronic discovery. Typical collection methodologies range from user discretion, where the employee chooses which files are appropriate, to full forensics imaging that use investigative software to preserve an entire hard drive. Different methodologies have differing cost and risk impacts and, therefore, vary in their applicability.

1. User Discretion
The simplest and most straightforward approach to file collection is to rely on the end-user to provide relevant files and e-mail messages. Typically, employees are the most knowledgeable as to where their personal data is at least logically stored and how it is organized. They also know if files are password-protected or encrypted.

However, relying on witnesses to identify relevant evidence increases the risk of incomplete preservation or spoliation of crucial metadata, whether inadvertent or willful. Employees may not be aware of every location a file has been copied, such as back up locations or temporary folders.

Such user discretion may be appropriate if the exposure of the matter is low, chain-of-custody not critical, or metadata deemed irrelevant. However, user discretion relies on the integrity and thoroughness of the employee to assure all relevant files are indeed preserved and collected. And metadata is rarely preserved, since even opening the file to check on its relevance can update the “last modified date” and expose a claim for spoliation. Relevant dates may be retained if files are moved as part of zip files or as entire folders, but care must be taken both in copying and in saving files to a target repository. In addition, context can be lost when files are no longer stored as they were originally created and stored during the normal course of business.

2. Forensic Imaging

We oftentimes hear the word “forensics” when it comes to collecting potentially relevant evidence for electronic discovery1. Creating a forensic image of a hard drive, for example, typically refers to creating a bit-by-bit replication of a hard drive – not only active files, but also deleted files, swap space, and unallocated slack space2. This approach may be crucial when facts lie beyond the active files, such as what files might have been in place before an employee had the opportunity to start deleting incriminating evidence.

Tools capable of making such images are referred to as investigation tools. These tools are used by trained experts for recovering critical evidence, such as file fragments that might otherwise be lost. Examples of tools used for forensic-imaging include Guidance Software’s Encase and AccessData’s Forensic Toolkit (FTK).

Because a forensic image preserves every bit of the hard drive, such tools in the hands of experts can assure ultimate legal defensibility in litigation. However, this approach can also be far more time-consuming and costly. To begin with, the storage capacity when creating forensic images requires the same drive capacity as the original. A 200GB source drive requires a 200GB target, even if only 25% is used for active files. Software for making forensic images is typically costly. The time required to create an image, later restore the image to a target drive, and then extract relevant files or analyze fragments can also be extensive.

An added risk of creating a forensic image is related to the fact that this approach preserves all the bits on a hard drive. Once imaged, everything on that drive may by result become discoverable, including long-since deleted files and file fragments, even if at the time such fragments would have been outside the scope of a discovery request.

3. Active File Collection
Conversely, files can be copied from one storage device to another in a forensically-sound manner that preserves both the content of the file and its associated operating system metadata, such as create date, last modified date and folder path. When the process assures both legal defensibility and data authenticity, the methodology is considered “forensically sound.”

There are a number of methodologies that can be utilized to preserve both content and metadata in a legally-defensive matter. Entire folders can be copied without changing underlying metadata. In other cases, the metadata of certain container files, such as a .pst file for Outlook or a zipped file, may not be important, since the vital metadata is embedded within the file and able to be extracted during processing. The recommended approach for active file collection is to use technology that is designed to preserve metadata when copying files from one source to another. Microsoft’s Robocopy is an example of a free utility that can be used for such a collection.

When using tools like Robocopy, files are copied from a source repository, such as a PC’s hard drive, to a target repository, such as a removable USB hard drive, while maintaining important metadata. Cost can be substantially less than with forensic imaging, and deployed by a company’s trained IT professionals as opposed to third-party computer forensic experts.

Following is a summary of e-discovery collection processes and the costs, time and risks associated with each:

Collection Process

User Discretion

Active File

Forensic Image


Low risk/exposure matter; non-key players

Most common approach

Malfeasance, HR matters


User selects specific files

Copy all active files (by drive or path)

Create a forensic image of entire drive

Typical Cost




Typical Risk

Inconsistent, not defensible, loss of metadata

Business interruption

Time and expertise required; discoverability

Typical Volume




Figure 1 — Personal Computer Hard Drive Collection Methodologies ©Fios, Inc.

By Brad Harris :

An introduction to Computer Forensics

Saturday, July 7th, 2007

Computer Forensics is the process of investigating electronic devices or computer media for the purpose of discovering and analyzing available, deleted, or “hidden” information that may serve as useful evidence in supporting both claims and defenses of a legal matter as well as it can helpful when data have been accidentally deleted or lost due to hardware failure.

This is a very old technique but now it has changed a lot because of technological advances & modern tools and software’s. which makes Computer Forensics much easier for Computer Forensic Experts  to find & restore more evidence or data, faster and with more accuracy .

Computer forensics is done Using advanced techniques and technologies, a computer forensic expert uses this techniques to discover evidence from a electronic storage device for a possible crime . The data can be from any kind of electronic device like Pen drives , discs, tapes, handhelds, PDAs, memory stick,  Emails, logs, hidden or deleted files  etc….

Most of us think that a deleting a file or history will remove it completely from the hard disk drive. But in realty it only removes the file from the location, but the actual file will still remain on your computer. It is easier to track what has been done on your computer but difficult to say by whom . Although it’s possible to alter or delete the data completely from your storage device . it depends on ones computer forensic experts skills how well he can find and restore the data without any loss or change.

Computer forensics can be used to uncover a fraud , Unauthorized use of a computer, violation company policies, inadequate record keeping etc… by tracking track emails, chat-history, files, tapes, sites people browse or any other form of electronic communications.

Data security is one of the biggest issues the corporate world is facing now, by publishing company’s internet / policies & consequences for violations, signing of compliance documents by employees businesses can initiate monitoring their own computer systems. Making employees aware that forensic software and personnel are available could prevent workers from wrongdoing.

Computer forensic is an growing niche in the law enforcement field. Unlike many jobs in information technology sector chances are that computer forensics services will not be outsourced to other country, because of the confidentiality of the data business will not allow it to travel just to save a little cash.

Solving Crime With Computer Forensics

Saturday, July 7th, 2007

Computer Forensics is the scientific study of computers or computer related data in relation to an investigation by a law enforcement agency for use in a court of law. While this technology may be as old as computers themselves, the advances in technology are constantly revising this science.

In the technological old days, computer forensics was mostly related to data dumps, printing out every keystroke that had been logged on a computer in a series of eight digits, all of them zeroes and ones. Literally cases of paper would be used for the printing of the materials. Systems analysts would then have to convert all of the data into hex and then translate the value into whatever the actual keystroke was. In this way, it was possible to go over all of the data and figure out at what point the computer and the corresponding program crashed. Like computers and technology, Computer forensics has evolved by leaps and bounds since those days of old.

While all computer language still ultimately boils down to ones and zeroes or binary and then hex, the means by which programs are created, run and utilized has changed drastically. This new science has done well to keep up with the task at hand. Now hard drives can be wiped clean. However, without an unconditional format (and in rare cases, even with the unconditional switch) the data can still be retrieved. It takes an expert in computer forensics however. It takes someone who is familiar with the technology of the computer to reconstruct all of the data that has been wiped off of the hard drive.

Computer forensics can be used to track emails, instant messaging and just about any other form of computer related communications. This can be necessary, especially in the world today. Experts have even advanced the technology to the point that they can track data real time, or while it is actually being sent and received. This is a mind-numbing task when you think about the billions of communications going on around the globe at any given time, but the science of computer forensics is constantly advancing every bit as quickly or sometimes even faster than the technology they are responsible for investigating.

It is an interesting aspect of technology that is often overlooked. Computer forensics have been used to solve many crimes and should be considered a viable tool in many ways and the study of this subject is constantly growing along with technology.