Forensic Recovery of Evidence Device
Forensic Data Recovery
With advances in science and technology and the spread of computers, it is increasingly difficult for forensic data recovery to obtain useful evidence from suspects, who have become more skilled and experienced. The evidence may not merely have been deleted, formatted or encrypted; the storage medium itself may have been destroyed deliberately. To obtain more evidence we have to overcome many difficulties and risks. The hard disk, for example, is the core carrier of all important information. In a sense, a hard disk is a very precise micro-computer of its own: only when that micro-computer runs normally can we reach the operating system (Windows, macOS, Linux) and then use the various recovery tools to extract and analyse data.
Step 1: extract, analyse and locate data on a complete, stable hard disk. Many tools are on the market, including well-known ones such as EnCase, X-Ways, FinalForensic and F-Response. They are very good at data retrieval, analysis, automatic reporting and data archiving, and they will become more professional as the science develops. But for a malfunctioning hard disk, such as one with serious bad tracks, bad firmware or a bad MBR, or one that the OS cannot recognise normally and that appears under a different name in the BIOS (such as Athens), almost all software that relies on the OS to extract and analyse data can only stare at the "disk" and sigh.
Step 2: fully and effectively recover data from an unstable or defective hard disk. As everyone knows, it is not advisable to recover and analyse data directly on an unstable or defective disk. Working on such a disk not only risks damaging the head but is also very likely to damage the platters, causing secondary damage, up to complete destruction, and leaving the data unrecoverable. The most sensible and common approach is to image the data onto a stable medium first and then recover and analyse the data from that image.
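The imaging step above is easy to state and easy to get wrong on a weak drive: every retry on a bad region is extra head wear, and the analysis copy must be provably the same bytes that were acquired. The following Python is an added example, not code from ForensicsWiki or from any of the tools named on this page. It images a constructed stand-in for a failing drive (the ConstructedDisk class and its fault map are hypothetical, built here so the example runs offline) in two passes: secure every sector that reads cleanly first, then revisit only the unreadable ones with a bounded number of retries, zero-fill what still fails so offsets in the image match the drive, keep a bad-sector map, and hash the result so later analysis can be verified against the acquisition hash.

```python
import hashlib

SECTOR = 512


class ConstructedDisk:
    """Constructed stand-in for a failing drive (hypothetical, for this example only).

    `faults` maps LBA -> number of failed reads before the sector finally
    reads (an intermittent sector), or None for a permanently unreadable one.
    """

    def __init__(self, sectors, faults):
        self.sectors = sectors
        self.faults = dict(faults)
        # Sector content is just its LBA repeated, so recovered data is recognisable.
        self.contents = [bytes([lba % 256]) * SECTOR for lba in range(sectors)]
        self.read_attempts = 0  # every read costs head wear on a weak drive

    def read(self, lba):
        self.read_attempts += 1
        remaining = self.faults.get(lba, 0)
        if remaining is None:
            raise IOError(f"unrecoverable read error at LBA {lba}")
        if remaining > 0:
            self.faults[lba] = remaining - 1
            raise IOError(f"transient read error at LBA {lba}")
        return self.contents[lba]


def image_disk(disk, max_retries=2):
    """Two-pass imaging: secure readable sectors first, then revisit the rest.

    Returns (image bytes, list of LBAs left unreadable, SHA-256 of the image).
    Unreadable sectors are zero-filled so offsets in the image match the drive.
    """
    sectors = [None] * disk.sectors
    # Pass 1: one attempt per sector, no retries, so a weak head is not
    # hammered on a bad region before the good regions have been copied.
    for lba in range(disk.sectors):
        try:
            sectors[lba] = disk.read(lba)
        except IOError:
            pass
    # Pass 2: bounded retries, and only on what pass 1 could not read.
    for lba in [i for i, s in enumerate(sectors) if s is None]:
        for _ in range(max_retries):
            try:
                sectors[lba] = disk.read(lba)
                break
            except IOError:
                continue
    bad_map = [lba for lba, s in enumerate(sectors) if s is None]
    image = b"".join(s if s is not None else b"\x00" * SECTOR for s in sectors)
    return image, bad_map, hashlib.sha256(image).hexdigest()


def verify_image(image, expected_sha256):
    """Re-hash the analysis copy and compare it with the acquisition hash."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


if __name__ == "__main__":
    # Constructed sample drive: 64 sectors, LBA 5 fails once then reads,
    # LBA 17 never reads.
    disk = ConstructedDisk(64, {5: 1, 17: None})
    image, bad_map, digest = image_disk(disk)
    print(f"image: {len(image)} bytes, unreadable LBAs: {bad_map}")
    print(f"sha256: {digest}")
    print(f"reads issued to the drive: {disk.read_attempts}")
    print("verification:", verify_image(image, digest))
```

On the constructed drive the intermittent sector is recovered in the second pass while the permanently bad one is zero-filled and listed in the bad-sector map, and the drive receives exactly one read per sector plus the bounded retries on the two failures. Real acquisitions use a write blocker and a purpose-built imager, but the same design choices apply: read the good regions first, cap retries on failing ones, record what could not be read, and hash the image before any analysis touches it.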
Step 3: access and analyse data from hard drives that the BIOS cannot recognise. The reasons a drive is not recognised by the BIOS generally fall into two types: 1. Physical damage. To solve this kind of problem, we have to replace the component, for example by a head swap or a PCBA replacement. 2. Firmware damage, also called corrupted firmware. This happens frequently: if a certain part of the firmware has been damaged, the drive may not be recognised by the BIOS, so we have to repair the hard disk firmware first.