Computer forensics, data recovery and electronic discovery differ

What is the difference between data recovery, computer forensics and electronic discovery?

All three fields deal with data, specifically digital data: bits, zeros and ones, stored as electrical charge or magnetic state on some medium. All three are about taking information that can be hard to find and presenting it in a readable way. But even though they overlap, each field requires different tools, different specializations, different work environments and a different way of looking at things.

Data recovery usually involves things that are broken, be it hardware or software. When a computer crashes and won’t restart, or when an external hard drive, USB stick or memory card becomes unreadable, data recovery may be required. Frequently, a device whose data needs recovering will have electronic damage, physical damage, or a combination of both. If that’s the case, hardware repair will be a big part of the data recovery process. This may involve repairing the drive’s electronics or even replacing the stack of read/write heads inside the sealed portion of the drive.

If the hardware is intact, it is likely that the file system or partition structure is damaged. Some data recovery tools try to repair the partition table or file system structures, while others read the damaged structures as they are and try to extract the files directly. Partitions and directories can also be rebuilt manually with a hex editor, but given the size of modern drives and the amount of data they contain, this tends to be impractical.
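As an added example (not code from the article), here is what "rebuilding a partition with a hex editor" amounts to when automated: scan a raw image for NTFS boot sectors, compare them with the MBR partition table, and write back the entry for any volume the table no longer lists. The image is a constructed 8-sector byte string, not a real disk, and its layout is made up for this example; the field offsets used (partition table at 446, 0x55AA signature at 510, OEM ID "NTFS    " at 3, total sectors at 0x28) are the documented ones. Only NTFS is recognised.

```python
"""Added example, not from the article: find an NTFS volume whose MBR
partition entry has been wiped by scanning a raw image for boot sectors,
then write the entry back.

The image is a constructed 8-sector byte string, not a real disk, and
its layout (which sector holds what) is made up for this example. The
field offsets used are documented ones: MBR partition table at 446, boot
signature 0x55AA at 510, NTFS OEM ID "NTFS    " at 3, total sectors
(8 bytes, little-endian) at 0x28. Only NTFS is recognised.
"""
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "
BOOT_SIG = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sectors

def ntfs_boot_sector(total_sectors: int) -> bytes:
    """Build a minimal NTFS-looking boot sector (constructed test data)."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xEB\x52\x90"                  # jump instruction, as on a real volume
    sector[3:11] = NTFS_OEM
    struct.pack_into("<H", sector, 0x0B, SECTOR)   # bytes per sector
    struct.pack_into("<Q", sector, 0x28, total_sectors)
    sector[510:512] = BOOT_SIG
    return bytes(sector)

def mbr_entry(part_type: int, lba_start: int, sectors: int, bootable: bool = False) -> bytes:
    """One 16-byte MBR partition entry; CHS fields are left zero."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0",
                       part_type, b"\0\0\0", lba_start, sectors)

def parse_mbr(mbr: bytes):
    """The four (type, lba_start, sectors) tuples from an MBR sector."""
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA signature: not an MBR")
    entries = []
    for i in range(4):
        raw = mbr[446 + 16 * i: 462 + 16 * i]
        _status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, raw)
        entries.append((ptype, lba, count))
    return entries

def scan_for_ntfs(image: bytes):
    """(lba, total_sectors) for every sector that looks like an NTFS boot sector."""
    found = []
    for lba in range(len(image) // SECTOR):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if s[0] in (0xEB, 0xE9) and s[3:11] == NTFS_OEM and s[510:512] == BOOT_SIG:
            found.append((lba, struct.unpack_from("<Q", s, 0x28)[0]))
    return found

def lost_partitions(image: bytes):
    """NTFS boot sectors that no non-empty MBR entry points at."""
    covered = {lba for ptype, lba, _ in parse_mbr(image[:SECTOR]) if ptype != 0}
    return [(lba, n) for lba, n in scan_for_ntfs(image) if lba not in covered]

def rebuild_mbr(image: bytes) -> bytes:
    """Copy of the image with each lost NTFS volume written into a free MBR slot.

    The partition length is taken straight from the boot sector's total
    sectors field; real NTFS volumes keep a backup boot sector at the end,
    a detail this example ignores.
    """
    mbr = bytearray(image[:SECTOR])
    free = [i for i, (ptype, _, _) in enumerate(parse_mbr(bytes(mbr))) if ptype == 0]
    for (lba, n), slot in zip(lost_partitions(image), free):
        mbr[446 + 16 * slot: 462 + 16 * slot] = mbr_entry(0x07, lba, n)  # 0x07 = NTFS
    return bytes(mbr) + image[SECTOR:]

def build_sample_image() -> bytes:
    """Constructed image: MBR lists one NTFS volume at LBA 2; a second at LBA 5 was wiped."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = mbr_entry(0x07, 2, 2, bootable=True)
    mbr[510:512] = BOOT_SIG
    image = bytes(mbr) + bytes(SECTOR)                 # LBA 0-1
    image += ntfs_boot_sector(2) + bytes(SECTOR)       # LBA 2-3: listed volume
    image += bytes(SECTOR)                             # LBA 4: gap
    image += ntfs_boot_sector(3) + bytes(2 * SECTOR)   # LBA 5-7: lost volume
    return image

if __name__ == "__main__":
    img = build_sample_image()
    print("MBR entries:", parse_mbr(img[:SECTOR]))
    print("boot sectors found:", scan_for_ntfs(img))
    print("lost:", lost_partitions(img))
    print("after rebuild:", parse_mbr(rebuild_mbr(img)[:SECTOR]))
```

On a real drive the scan would run sector by sector over gigabytes and would also need to recognise FAT, exFAT and other boot sector layouts, which is exactly why doing it by hand in a hex editor does not scale.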

In general, data recovery is a kind of “macro” process. The end result tends to be a lot of data saved without paying as much attention to individual files. Data recovery jobs are typically individual drives or other digital media that have damaged hardware or software. There are no particular industry-wide accepted standards in data recovery.

Electronic discovery generally deals with hardware and software that is intact. The challenge is volume: a search may have to cover a very large collection of existing or backed-up emails and documents, which makes deduplication one of the central tasks.

Due to the nature of computers and email, there are likely to be many identical copies (“dupes”) of the same documents and emails. Electronic discovery tools are designed to reduce what might otherwise be an unmanageable torrent of data to a manageable size through indexing and deduplication (also called “deduping”).
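As an added example (not code from the article or from any e-discovery product), the following deduplicates and indexes a small constructed set of emails. The point it makes is that hashing whole files would miss most dupes, because transport headers such as Received: differ for every copy; hashing normalised From/To/Subject/body catches them. Which fields to hash, and the whitespace and case normalisation, are this example's own choices.

```python
"""Added example, not from the article: deduplicating and indexing a
constructed set of e-mails the way an e-discovery tool cuts volume.

Messages are plain dicts (a few headers plus body). The normalisation
rules (lower-case addresses, collapse whitespace, hash From/To/Subject/
body rather than the raw file) are this example's own choices; real
e-discovery tools differ in which fields they hash.
"""
import hashlib
import re
from collections import defaultdict

# Constructed corpus: one message collected from two custodians' mailboxes
# (different Received: header, different line endings and case), plus two
# distinct messages. The counts quoted below refer to this sample only.
SAMPLE_MESSAGES = [
    {"received": "from mx1.example.test; Mon", "from": "Alice@Example.test",
     "to": "bob@example.test", "subject": "Q3 budget",
     "body": "Bob,\nplease review the attached budget.\n"},
    {"received": "from mx2.example.test; Tue", "from": "alice@example.test",
     "to": "Bob@example.test", "subject": "Q3 budget",
     "body": "Bob,\r\nplease  review the attached budget.\r\n"},
    {"received": "from mx1.example.test; Tue", "from": "bob@example.test",
     "to": "alice@example.test", "subject": "Re: Q3 budget",
     "body": "Looks fine. Budget approved.\n"},
    {"received": "from mx1.example.test; Wed", "from": "carol@example.test",
     "to": "alice@example.test", "subject": "Lunch",
     "body": "Lunch on Thursday?\n"},
]

_WS = re.compile(r"\s+")
_TOKEN = re.compile(r"[A-Za-z0-9@._-]+")

def normalise(text: str) -> str:
    """Collapse whitespace runs to one space and strip the ends."""
    return _WS.sub(" ", text).strip()

def message_hash(msg: dict) -> str:
    """SHA-256 over the fields that identify a message, not its raw bytes.

    Transport headers such as Received: differ for every copy, so hashing
    whole files would miss most duplicates; hashing normalised content
    catches them. The field set is this example's assumption.
    """
    parts = [normalise(msg["from"]).lower(), normalise(msg["to"]).lower(),
             normalise(msg["subject"]), normalise(msg["body"])]
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()

def deduplicate(messages):
    """Return (unique messages in first-seen order, duplicate count)."""
    seen, dupes = {}, 0
    for msg in messages:
        h = message_hash(msg)
        if h in seen:
            dupes += 1
        else:
            seen[h] = msg
    return list(seen.values()), dupes

def build_index(messages):
    """Inverted index: lower-cased token -> set of positions in `messages`."""
    index = defaultdict(set)
    for pos, msg in enumerate(messages):
        text = " ".join([msg["from"], msg["to"], msg["subject"], msg["body"]])
        for tok in _TOKEN.findall(text):
            tok = tok.strip("._-").lower()   # "budget." -> "budget"
            if len(tok) >= 2:
                index[tok].add(pos)
    return index

def search(index, term: str):
    """Sorted positions of messages containing the exact (case-folded) token."""
    return sorted(index.get(term.lower(), ()))

if __name__ == "__main__":
    unique, dupes = deduplicate(SAMPLE_MESSAGES)
    print(f"{len(SAMPLE_MESSAGES)} collected, {len(unique)} unique, {dupes} dupes")
    idx = build_index(unique)
    print("messages mentioning 'budget':", search(idx, "budget"))
```

On the constructed sample the two copies of the "Q3 budget" message collapse into one, leaving three unique messages to index and review. Indexing after deduplication, rather than before, is what keeps review volume in proportion to the number of distinct documents rather than the number of mailboxes collected.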

Electronic discovery often deals with large amounts of data from undamaged hardware, and in United States litigation the procedures are governed by the Federal Rules of Civil Procedure (“FRCP”).

Computer forensics has aspects of both e-discovery and data recovery.

In computer forensics, the computer forensic examiner (CFE) searches through existing data and through previously existing, deleted data. When doing this kind of discovery, a forensic examiner will sometimes deal with damaged hardware, although this is relatively uncommon. Data recovery procedures can be brought into play to recover deleted files intact. But frequently the CFE must deal with intentional attempts to hide or destroy data, which require skills other than those found in the data recovery industry.

When it comes to email, the CFE often looks to unallocated space for ambient data: data that no longer exists as a user-readable file. This may include searching unallocated space for specific words or phrases (“keyword searches”) or for email addresses. It may include digging into Outlook data files to find deleted emails. It can include searching cache or log files, or even internet history files, for data remnants. And of course it often includes a search through active files for the same data.

The practices are similar when looking for specific documents to support a case or allegation. Keyword searches are run over both active (visible) documents and ambient data. Keyword searches must be carefully designed: an overly broad term produces far more hits than anyone can review. In one such case, Schlinger Foundation v Blair Smith, the author found over a million keyword “hits” on two drives.
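As an added example (not code from the article), here is the kind of sweep the last two paragraphs describe: carving email addresses and keyword hits out of a chunk of raw unallocated space, reporting byte offsets so each hit can be looked at in context, and counting hits for a generic term beside a tighter phrase to show why keyword lists need designing. RAW_IMAGE is a constructed byte string, not a real disk image, and the offsets and counts refer only to it. Searching in both plain ASCII and UTF-16LE (the form many Windows artefacts take) is this example's own addition.

```python
"""Added example, not from the article: a keyword and e-mail-address
sweep over a chunk of raw unallocated space, reporting byte offsets so
each hit can be triaged, and a side-by-side hit count for a generic term
versus a tighter phrase on the same data.

RAW_IMAGE is a constructed byte string, not a real disk image; the
offsets and counts refer only to it. Two encodings are tried, plain
ASCII/UTF-8 and UTF-16LE (the form many Windows artefacts use), which
is an assumption of this example. Case folding is ASCII-only.
"""
import re

# Constructed unallocated-space sample: remnants of a deleted message
# (ASCII), a UTF-16LE fragment as a Windows program might leave it, and
# filler that happens to contain the generic word "smith" several times.
RAW_IMAGE = (
    b"\x00" * 16
    + b"From: j.smith@example.test\r\nTo: board@example.test\r\n"
    + b"Subject: transfer approved\r\n\r\nWire the funds Friday.\r\n"
    + b"\x00" * 8
    + "Agreement with Smith Holdings signed".encode("utf-16-le")
    + b"\x00" * 8
    + b"locksmith blacksmith Smithsonian tinsmith SMITH smith "
    + b"\xff\xfe\x00\x01 foundation@example.test \x00\x00"
)

EMAIL_ASCII = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def find_all(haystack: bytes, needle: bytes):
    """Every byte offset at which needle occurs (overlapping hits allowed)."""
    offsets, start = [], haystack.find(needle)
    while start != -1:
        offsets.append(start)
        start = haystack.find(needle, start + 1)
    return offsets

def keyword_hits(image: bytes, term: str, context: int = 12):
    """Case-insensitive hits for term as UTF-8 and as UTF-16LE.

    Returns sorted (offset, encoding, context_bytes) tuples. Lower-casing
    bytes touches ASCII letters only, so the UTF-16LE null bytes survive.
    """
    low = image.lower()
    hits = []
    for enc in ("utf-8", "utf-16-le"):
        needle = term.lower().encode(enc)
        for off in find_all(low, needle):
            ctx = image[max(0, off - context): off + len(needle) + context]
            hits.append((off, enc, ctx))
    return sorted(hits)

def email_addresses(image: bytes):
    """Carve ASCII e-mail addresses out of raw bytes, with their offsets."""
    return [(m.start(), m.group().decode("ascii")) for m in EMAIL_ASCII.finditer(image)]

def compare_keywords(image: bytes, terms):
    """Hit count per term: shows why a keyword list needs designing."""
    return {t: len(keyword_hits(image, t)) for t in terms}

if __name__ == "__main__":
    for off, addr in email_addresses(RAW_IMAGE):
        print(f"email @ {off:#06x}: {addr}")
    for term, n in compare_keywords(RAW_IMAGE, ["smith", "smith holdings", "transfer approved"]).items():
        print(f"{n:3d} hits for {term!r}")
    for off, enc, ctx in keyword_hits(RAW_IMAGE, "smith holdings"):
        print(f"{off:#06x} {enc}: {ctx!r}")
```

Even on this tiny sample the bare surname "smith" hits eight times, mostly inside unrelated words, while "smith holdings" hits once, and only because the UTF-16LE pass was included; a search that tried ASCII alone would have missed the Windows-encoded remnant entirely. A keyword list built from surnames and common words scales the same way on a real drive, which is how a million hits happen.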

Finally, the computer forensic expert is also often called upon to testify as an expert witness in a deposition or in court. As a result, the methods and procedures of the CFE can be put under the microscope, and the expert can be called upon to explain and defend his or her results and actions. A CFE who is also an expert witness may have to defend things said in court or in writings published elsewhere.

Most of the time, data recovery deals with a single drive or a single system’s data. The data recovery house will have its own standards and procedures and works on reputation, not certification. Electronic discovery often deals with data from a large number of systems or servers that may contain many user accounts. Electronic discovery methods are based on proven combinations of software and hardware and are best planned well in advance (although lack of advance planning is very common). Computer forensics can deal with one or multiple systems or devices, can be quite fluid in the scope of claims and requests made, often deals with missing data, and must be defensible, and defended, in court.

