All three fields deal with data, specifically digital data and in each case the objective is to extract information that may be hard to find and present it in a readable fashion. But even though there is overlap, the skill sets require different tools, different specialism’s, different work environments and different ways of interpreting the data.
Data Recovery
Data recovery normally involves damaged or broken hardware or software. For example when a computer crashes and cannot be restarted or when an external hard disk, USB pen drive or memory card becomes unreadable, data recovery may be required. When a digital device needs to have its data recovered it will tend to have electronic damage, physical damage or a combination of the two. If this is the case, hardware repair will be the main part of the data recovery process. It may involve repairing the drive’s electronics or replacing the stack of read write heads inside the sealed portion of the disk drive.
If however the hardware is intact, the file or partition structure is likely to be damaged. There are data recovery tools that will attempt to repair the partition or file structure, while other tools look into the damaged file structure and attempt to extract the files contained within.
With data recovery the end result tends to be a large population of data saved without as much attention to the individual files. Data recovery jobs are often individual disk drives or other digital media that have damaged hardware or software. It is important to remember that for data recovery there is currently no particular industry-wide accepted standards. More Information
E-disclosure
Electronic disclosure (often referred to as e-disclosure or e-discovery) would usually involve large quantities of data from hardware and software that is intact. A search may be conducted through a very large volume of live or backed-up emails and documents, these emails and documents stored in electronic format along with their metadata must then under CPR part 31, in civil cases, or Police Criminal Evidence Act (1984) in criminal cases be disclosed.
Challenges in e-disclosure include “de-duping.” Due to the nature of computers and of emails, there are likely to be very many identical duplicates (“dupes”) of various documents and emails. E-disclosure tools are designed to winnow down what might otherwise be an unmanageable torrent of data to a manageable size by the indexing and removal of duplicates, also known as de-duping.More Information
Computer Forensics
Computer forensics has aspects of both e-disclosure and data recovery.
In computer forensics, the forensic examiner is required to work from an image of the original material i.e. a forensic copy of a hard drive, using the forensic copy they will carry out searches for and through both live and deleted data. With this kind of e-disclosure a forensics expert may sometimes deal with damaged hardware, although this is relatively uncommon. Data recovery procedures may be brought into play to recover deleted files intact. But frequently the computer forensic examiner must deal with purposeful attempts by a user to hide or destroy data that require skills outside those found in the data recovery industry.
For example when dealing with emails, the computer forensic examiner is often searching unallocated space for deleted data – data that no longer exists as a file readable to the user. This can include searching for specific words or phrases (“keyword searches”) or email addresses in unallocated space. This can include hacking Outlook files to find deleted emails. This can include looking into cache or log files, or even into Internet history files for remnants of data. And of course, it often includes a search through live files for the same data. Practices are similar when looking for specific documents or user activity supportive of a case or charge. Keyword searches are performed both on live or visible documents and on deleted data.
Finally, the computer forensic examiner is also often called upon to testify as an expert witness in court. As a result, the computer forensic examiner must adhere to the Association of Chief Police Officers (ACPO) Good Practice Guide for Computer Based Electronic Evidence. The examiners methods and procedures may be put under a microscope and the expert may be called upon to explain and defend his or her results and actions. A computer forensic examiner who is also an expert witness may also have to defend things said in court or in writings published elsewhere. More Information
Summary
Most often, data recovery deals with one disk drive or the data from one system. The data recovery company will have its own standards and procedures and will tend to work on reputation, not certification. Electronic disclosure frequently deals with data from large numbers of systems or from servers that may contain many user accounts. E-disclosure methods are based on proven software and hardware combinations and are best planned for far in advance (although lack of pre-planning is very common). Computer forensics may deal with one or many systems or devices, may be fairly fluid in the scope of demands and requests made, often dealing with missing data, and must be able to be replicated so that it may be questioned in court.
Athena Forensics
Computer Forensic Experts
