The Relationship between Data Recovery and Computer Forensics

March 3rd, 2009

Data recovery is the process of recovering data from hardware or software components after a data disaster. After such a disaster the data can no longer be accessed normally, and special data recovery techniques are usually needed to reach it again.

Computer forensics, also called cyber forensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it. A computer can be the target of the crime, it can be the instrument of the crime, or it can serve as an evidence repository storing valuable information about the crime. Moreover, the hard disk is the core carrier of all important information. In some sense, a hard disk is a very precise micro-computer. Only with the normal running of the micro-computer, can we access to the OS,

Data recovery can be a vital aspect of Forensic Examinations since some drives may be corrupt and impossible to image.

Reasons a hard drive may be corrupt or impossible to image:

1. Logical Malfunctions:
• Accidental Disk Format
• File Deletion
• Partition loss or corruption
• Lost or Missing files and folders
• Re-formatted or re-partitioned drive

2. Physical Malfunctions:
• PCBA malfunction
• Motor/bearing failure
• Parking element failure
• Platter surface scratch
• Head Problem
• FW problem

How can data recovery skills and tools assist computer forensics work?

1. For logical disk crash problems: there are many well-known computer forensics software products on the market, such as EnCase, X-Ways, FinalForensic, F-Response and so on. They are very good at data retrieval, analysis, automatic reporting and data archiving. As the technology develops, they will become more professional.

2. For physically damaged hard disks:

PCBA malfunction: You need to find an identical donor hard drive with the same model number, at least the same first 3 digits of the serial number, and the same PCBA version number; ideally the motor number matches as well. Then swap the PCBA using professional tools such as ACE: PC-3000 or SalvationDATA: HD Doctor Suite.

Motor/bearing failure: You can move the platters and head stack into a hard drive that has a good motor/bearing, using professional tools. In my opinion the HD HPE PRO is the best choice. You also need to find an identical donor hard drive.

Parking element failure: Replace the failed head stack with one from a donor hard drive using HD HPE PRO.

Platter surface scratch: Bad sectors are a common problem during traditional imaging. They can hang the system, make the hard drive unresponsive, or even destroy the drive outright during the imaging process. To deal with this, use disk imaging tools such as ACE: UDMA DE; SalvationDATA: Data Compass; DeepSpar: Disk imaging, etc. These tools can help you retrieve the data from partially damaged bad sectors.

Head problem: When the head stack is totally damaged, swap it with the head stack from a donor hard drive using HD HPE PRO.

FW problem: ACE: PC-3000 and SalvationDATA: HD Doctor Suite can help you repair damaged firmware or disordered firmware modules.
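The bad-sector imaging problem described under "Platter surface scratch", shown as a software-only sketch: this is an added example, not code from any of the tools named above, and it does not reproduce what their hardware does. `FlakyDisk`, `image_with_bad_sector_map`, the 512-byte sector size and the sample data are all assumptions constructed for illustration; the sketch falls back from block reads to per-sector reads, zero-fills what cannot be read, and returns a bad-sector list and image hash for the chain-of-evidence record.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector (assumed)

class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a damaged drive: reads touching a bad sector fail."""
    def __init__(self, data, bad_sectors):
        super().__init__(data)
        self.bad = set(bad_sectors)

    def read(self, size=-1):
        start = self.tell()
        first, last = start // SECTOR, (start + size - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        return super().read(size)

def image_with_bad_sector_map(src, dst, total_size, block_sectors=8):
    """Copy src to dst. Returns (SHA-256 of the image, unreadable sector numbers)."""
    digest, bad, offset = hashlib.sha256(), [], 0
    while offset < total_size:
        want = min(block_sectors * SECTOR, total_size - offset)
        src.seek(offset)
        try:
            chunk = src.read(want)  # fast path: read the whole block
        except OSError:
            chunk = b""
            # Slow path: retry sector by sector so one bad sector costs only itself.
            for pos in range(offset, offset + want, SECTOR):
                n = min(SECTOR, offset + want - pos)
                src.seek(pos)
                try:
                    chunk += src.read(n)
                except OSError:
                    bad.append(pos // SECTOR)  # record for the examiner's notes
                    chunk += b"\x00" * n       # zero-fill keeps later offsets aligned
        dst.write(chunk)
        digest.update(chunk)
        offset += want
    return digest.hexdigest(), bad

def demo():
    # Constructed sample: 32 sectors, each filled with its own sector number.
    data = b"".join(bytes([i]) * SECTOR for i in range(32))
    out = io.BytesIO()
    sha, bad = image_with_bad_sector_map(FlakyDisk(data, {5, 6, 20}), out, len(data))
    return data, out.getvalue(), sha, bad

if __name__ == "__main__":
    _, image, sha, bad = demo()
    print(f"image bytes={len(image)} sha256={sha} unreadable sectors={bad}")
```

Sectors 0-4 and 7 share a block with the bad sectors 5 and 6 and are still recovered intact, which is the point of the per-sector fallback.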

