Data Recovery With Forensic Technology: What It Can and Can’t Do

November 15

Forensic recovery is the next evolution of data recovery. It goes beyond restoring from backups and other standard methods to bring files thought to be dead back from the digital graveyard. This advanced approach is aiding law enforcement in criminal investigations, while helping organizations add another layer of reliability to their backup plans. Fire up the CSI theme because we’re about to delve into how this trend is blazing new trails in the world of disaster recovery.

The Case of the Lost Files

Being quick on the mouse trigger at times, I’m personally elated to know that files aren’t necessarily gone after being deleted and emptied in the recycle bin. What you’re really doing in this case is deleting the location of those files, which merely hides them from the operating system. Emptying the bin frees up disk space and removes the pointer details from the file directory, but the files themselves still lurk. Unless that data has been physically removed from the hard drive, those files can be recovered with forensic recovery – even when the entire drive has been formatted and seemingly wiped clean.

Forensic recovery helps IT specialists recover data that has been accidentally deleted, intentionally erased, or damaged through corruption. There are quite a few tools to choose from, but most function by penetrating deep within the system and exhaustively examining the raw data on the drive. Where these tools tend to separate themselves is the depth of their recovery abilities. For example, some forensic applications are built to comb through traditional operating systems like Windows, Linux, and Mac OS X, while others can also recover from mobile devices, flash drives, and various other external storage media.

Data Scrubbing Equals Forensics Failure

Whether it’s a hacker masking their IP address or a real-world villain wiping their prints from the murder weapon, there are a few things that can be done to circumvent criminal investigations. The same is true in data recovery. In the case of forensic recovery, the one suspect it just can’t seem to track down is the elusive piece of thoroughly scrubbed data. Whereas deleting files only erases them on the surface, scrubbing permanently removes them from the hard drive. This method doesn’t just benefit criminals. It also comes in handy for organizations that want to be sure that passwords, social security numbers, and other sensitive information aren’t exposed to the wrong parties.
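The difference between deleting and scrubbing can be shown on a toy disk model. The following is an added example, not code from the original article or from any recovery tool: `ToyDisk`, `carve_jpegs` and the sample "photos" are constructed for illustration, and the carver is a simplified version of the signature scanning that raw-data recovery tools perform.

```python
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker
SECTOR = 512

class ToyDisk:
    """Constructed model: raw bytes plus a name -> (offset, length) directory."""
    def __init__(self, sectors=64):
        self.raw = bytearray(sectors * SECTOR)
        self.directory = {}
        self.next_free = 0

    def write_file(self, name, data):
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        # Advance to the next sector boundary, as a file system would.
        self.next_free = off + -(-len(data) // SECTOR) * SECTOR

    def delete(self, name):
        # Ordinary delete: only the pointer is removed, the bytes stay.
        del self.directory[name]

    def scrub(self, name):
        # Scrub: overwrite the file's bytes, then remove the pointer.
        off, length = self.directory.pop(name)
        self.raw[off:off + length] = bytes(length)

def carve_jpegs(raw):
    """Scan the raw bytes for SOI..EOI runs, ignoring the directory entirely."""
    found, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found

def demo():
    # Constructed sample data: minimal byte strings with JPEG markers.
    photo_a = JPEG_SOI + b"\xe0" + b"constructed-sample-payload" + JPEG_EOI
    photo_b = JPEG_SOI + b"\xe0" + b"constructed-second-payload" + JPEG_EOI
    disk = ToyDisk()
    disk.write_file("a.jpg", photo_a)
    disk.write_file("b.jpg", photo_b)
    disk.delete("a.jpg")                   # pointer gone, data still on disk
    after_delete = carve_jpegs(disk.raw)   # both files are carved
    disk.scrub("b.jpg")                    # bytes overwritten with zeros
    after_scrub = carve_jpegs(disk.raw)    # only the deleted file remains
    return disk.directory, after_delete, after_scrub
```

After `delete`, the carver still finds both files even though the directory lists only one; after `scrub`, the overwritten file is gone from the raw bytes and cannot be carved.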

There are generally two ways to scrub data clean. You can use so-called data destruction software like the open-source DBAN, which wipes your entire drive, or apps like FreeEraser, a Windows-based tool that permanently destroys individual files and folders. The second option involves using a device called a “degausser”. In degaussing, data is destroyed directly at the source – the magnetic field in the hard drive that stores information. The best of these machines are capable of permanently erasing data on multiple hard drives in as little as an hour. This type of device can cost tens of thousands of dollars, which is why degaussing is typically viewed as an enterprise solution.

A reliable forensic recovery tool can be a nice complement to your existing data recovery plan. But like the shrewd TV investigators who miraculously solve crimes week in and week out, it needs tangible evidence in order to perform efficiently. As long as you ensure that traces of your data remain available by simply deleting rather than scrubbing, you can potentially benefit from adopting a forensic mentality.
