Difference between revisions of "Forensic Recovery of Evidence Device"

From ForensicsWiki
(The changes made to this web page have nothing to do with the Digital Intelligence product)
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
== Forensic Data Recovery ==
+
{{Expand}}
 
+
With the advance in science and technology and popularity of computer, it is more and more difficult for the forensic data recovery to get useful evidence from the suspect who have been getting higher skill and abundant experience. These evidence may not just be deleted, formatted, encrypted. Even more the storage medium may be destroyed deliberately. In order to get more evidence we will have to conquer plenty of difficulties and dangers.
+
As a example, Hard disk is the core carrier of all important information. In some sense,hard disk is a very precise micro-computer. Only with the normal running of the micro-computer, can we access to the OS, such as windows, MAC, Liunx; finally can we probablely use each recovery software to extract and analyse data.
+
 
+
'''The first step: Extract, analys and find data based on complete and stable hard disk.'''
+
There are many software in the market, such as some famous one, Encase, X-Ways, FinalForensic, F-Response and so on. They are very good at data retrieval, analysis, auto-report and data archiving.With the development of science they will be more professional. But for the malfunctioning hard disk such as those have serious bad track, bad [[firmware]], bad MBR, or that is unable to normally recognize by OS and appear a different name in the BIOS, such as Athens etc. Almost all software that is based on OS to extract and analyze can only gaze at the “disk” and sign when facing these kind of harddisk problem.
+
 
+
'''Second step: fully and effectively recover data from instable and defective hard disk'''
+
As everyone knows, it is not advisable to recover and analyze data on instable or defective hard disks. We cannot get data from those disks since not only head will be easily damaged, but also very likely to damage platter, further more it may cause the second time damage, even completed destroyed and result the data irrecoverable. The most sensible and common approach is to image the data into a stable media, and then proceed to recover and analyze data.
+
 
+
'''Step 3: access and analyze data from hard drives which can not be recognized by BIOS.'''
+
The reasons why computer can not been recognized by BIOS are generally being divided into two types: 1. Physical damage. To solve this kind of problems, we have to change the component, such as '''head exchange''', PCBA.  2. Firmware damage. This frequently happened. For example, if certain model of the firmware has been damaged, then the hard drive may not be able to been recognized by BIOS. So we have to make the Hard Disk restoration firstly.
+
 
+
 
+
 
+
 
+
  
 
== External Links ==
 
== External Links ==
[http://www.salvationdata.com/data-recovery-equipment/hd-hpe-pro.htm Head Replacement(Exchange)]
 
  
 
[http://www.digitalintelligence.com/products/fred/ Official website]
 
[http://www.digitalintelligence.com/products/fred/ Official website]
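
Review bot: The "Forensic Data Recovery" section and the salvationdata.com "Head Replacement(Exchange)" link in this hunk cover general hard disk recovery and another vendor's page, not the device the article is titled after. This matches the edit summary's statement that the changes have nothing to do with the Digital Intelligence product. The latest revision shown below keeps only {{Expand}} and the Official website link, so the article still says nothing about the device itself. If the three-step recovery text (working from a complete and stable disk, imaging an unstable disk to stable media before analysis, restoring disks the BIOS cannot recognize) is worth keeping, it belongs in a separate data recovery article without the vendor link, and this page needs a description of its own subject.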

Latest revision as of 06:10, 24 July 2009

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

External Links

Official website