Computer Forensics, Data Recovery and E-Discovery DifferMay 2, 2020
What’s the difference between data recovery, computer forensics and e-discovery?
All three fields deal with data, and specifically digital data. It’s all about electrons in the form of zeroes and ones. And it’s all about taking information that may be hard to find and presenting it in a readable fashion. But even though there is overlap, the skill sets require different tools, different specializations, different work environments, and different ways of looking at things.
Data recovery generally involves things that are broken – whether hardware or software. When a computer crashes and won’t start back up, when an external hard disk, thumb drive, or memory card becomes unreadable, then data recovery may be required. Frequently, a digital device that needs its data recovered will have electronic damage, physical damage, or a combination of the two. If such is the case, hardware repair will be a big part of the data recovery process. This may involve repairing the drive’s electronics, or even replacing the stack of read / write heads inside the sealed portion of the disk drive.
If the hardware is intact, the file or partition structure is likely to be damaged. Some data recovery tools will attempt to repair partition or file structure, while others look into the damaged file structure and attempt to pull files out. Partitions and directories may be rebuilt manually with a hex editor as well, but given the size of modern disk drives and the amount of data on them, this tends to be impractical.
By and large, data recovery is a kind of “macro” process. The end result tends to be a large population of data saved without as much attention to the individual files. Data recovery jobs are often individual disk drives or other digital media that have damaged hardware or software. There are no particular industry-wide accepted standards in data recovery.
Electronic discovery usually deals with hardware and software that is intact. Challenges in e-discovery include “de-duping.” A search may be conducted through a very large volume of existing or backed-up emails and documents.
Due to the nature of computers and of email, there are likely to be very many identical duplicates (“dupes”) of various documents and emails. E-discovery tools are designed to winnow down what might otherwise be an unmanageable torrent of data to a manageable size by indexing and removal of duplicates, also known as de-duping.
E-discovery often deals with large quantities of data from undamaged hardware, and procedures fall under the Federal Rules of Civil Procedure (“FRCP”).
Computer forensics has aspects of both e-discovery and data recovery.
In computer forensics, the forensic examiner (CFE) searches for and through both existing and previously existing, or deleted data. Doing this kind of e-discovery, a forensics expert sometimes deals with damaged hardware, although this is relatively uncommon. Data recovery procedures may be brought into play to recover deleted files intact. But frequently the CFE must deal with purposeful attempts to hide or destroy data that require skills outside those found in the data recovery industry.
When dealing with email, the CFE is often searching unallocated space for ambient data – data that no longer exists as a file readable to the user. This can include searching for specific words or phrases (“keyword searches”) or email addresses in unallocated space. This can include hacking Outlook files to find deleted email. This can include looking into cache or log files, or even into Internet history files for remnants of data. And of course, it often includes a search through active files for the same data.
Practices are similar when looking for specific documents supportive of a case or charge. Keyword searches are performed both on active or visible documents, and on ambient data. Keyword searches must be designed carefully. In one such case, Schlinger Foundation v Blair Smith the author uncovered more than one million keyword “hits” on two disk drives.
Finally, the computer forensics expert is also often called upon to testify as an expert witness in deposition or in court. As a result, the CFE’s methods and procedures may be put under a microscope and the expert may be called upon to explain and defend his or her results and actions. A CFE who is also an expert witness may have to defend things said in court or in writings published elsewhere.
Most often, data recovery deals with one disk drive, or the data from one system. The data recovery house will have its own standards and procedures and works on reputation, not certification. Electronic discovery frequently deals with data from large numbers of systems, or from servers with that may contain many user accounts. E-discovery methods are based on proven software and hardware combinations and are best planned for far in advance (although lack of pre-planning is very common). Computer forensics may deal with one or many systems or devices, may be fairly fluid in the scope of demands and requests made, often deals with missing data, and must be defensible – and defended – in court.