Differences between computer forensics, data recovery and electronic discovery

What is the difference between data recovery, computer forensics and electronic discovery?

All three fields deal with data, and specifically with digital data: information stored electronically as zeroes and ones. Each is about getting at information that may be difficult to find and presenting it in a readable way. But although the fields overlap, their skill sets call for different tools, different expertise, different working environments, and different ways of looking at the data.

Data recovery usually involves things that are damaged, whether hardware or software. When a computer crashes and cannot be started back up, or when an external hard disk, thumb drive, or memory card becomes unreadable, data recovery may be needed. Often, a digital device that needs its data recovered has suffered electronic damage, physical damage, or a combination of both. In that case, hardware repair will be an important part of the data recovery process. This may involve repairing the electronics of the drive or even replacing the read/write head stack inside the sealed portion of the disk drive.

If the hardware is intact, the file or partition structure may be what is damaged. Some data recovery tools try to repair the partition or file structure, while others look into the damaged file structure and try to pull the files out. Partitions and directories can also be rebuilt manually with a hex editor, but given the size of modern disk drives and the amount of data on them, this is often impractical.

Overall, data recovery is a “macro” process. The end result is often a large amount of saved data, without much attention paid to each individual file. A data recovery job is usually a single disk drive or other piece of digital media with damaged hardware or software. There is no specific industry-wide standard for data recovery.

Electronic discovery usually deals with hardware and software that are intact. The challenges of electronic discovery include “deduplication.” A search may run through a very large volume of existing or backed-up emails and documents.

Due to the nature of computers and email, there are likely to be many identical copies (“duplicates”) of the same documents and emails. Electronic discovery tools are designed to reduce what might otherwise be an unmanageable flood of data to a manageable size by indexing and removing duplicates (also known as deduplication).
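A minimal sketch of hash-based deduplication as described above, added here as an illustration and not taken from any particular e-discovery product. The choice of key fields, the single-part text messages, and the sample mailbox paths are assumptions.

```python
import hashlib
from collections import defaultdict
from email import message_from_string

# Headers that travel with the message. Per-hop headers such as Received
# differ between copies of the same e-mail, so they stay out of the key
# (which fields define a "duplicate" is an assumption of this example).
KEY_FIELDS = ("From", "To", "Cc", "Subject", "Date")

# Constructed sample data: the first two files are copies of one e-mail held
# in two mailboxes; the third has the same text but a different recipient.
_COMMON = ("Subject: Q3 forecast\n"
           "Date: Mon, 01 Jan 2024 10:00:00 +0000\n")
SAMPLES = {
    "alice/inbox/1.eml": ("Received: from mx1.example.test\n"
                          "From: bob@example.test\nTo: alice@example.test\n"
                          + _COMMON + "\nNumbers attached.\n"),
    "bob/sent/7.eml": ("X-Folder: Sent\n"
                       "From: bob@example.test\nTo: alice@example.test\n"
                       + _COMMON + "\nNumbers attached.  \n\n"),
    "carol/inbox/3.eml": ("Received: from mx1.example.test\n"
                          "From: bob@example.test\nTo: carol@example.test\n"
                          + _COMMON + "\nNumbers attached.\n"),
}

def dedup_key(raw: str) -> str:
    """SHA-256 over normalized key headers plus whitespace-normalized body."""
    msg = message_from_string(raw)
    parts = [" ".join((msg.get(f) or "").split()).lower() for f in KEY_FIELDS]
    parts.append(" ".join(msg.get_payload().split()))  # single-part text only
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()

def deduplicate(items: dict) -> tuple:
    """Return (paths kept for review, {kept path: [suppressed copies]})."""
    groups = defaultdict(list)
    for path, raw in sorted(items.items()):
        groups[dedup_key(raw)].append(path)
    unique = [paths[0] for paths in groups.values()]
    # Keep an index of suppressed copies so each one stays accounted for.
    suppressed = {p[0]: p[1:] for p in groups.values() if len(p) > 1}
    return unique, suppressed

if __name__ == "__main__":
    print(deduplicate(SAMPLES))
```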

Electronic discovery usually handles large amounts of data from undamaged hardware, and its procedures are subject to the Federal Rules of Civil Procedure (“FRCP”).

Computer forensics has aspects of electronic discovery and data recovery.

In computer forensics, the computer forensic examiner (CFE) searches for and through existing data as well as previously existing, or deleted, data. When conducting this kind of electronic discovery, forensic experts sometimes deal with damaged hardware, although this is not common. Data recovery procedures can be used to recover deleted files intact. But the CFE usually has to deal with purposeful attempts to hide or destroy data, which calls for skills outside those of the data recovery industry.

When processing emails, the CFE usually searches unallocated space for ambient data, that is, data that no longer exists in the form of user-readable files. This may include searching unallocated space for specific words or phrases (“keyword search”) or for email addresses. It may include opening up Outlook files to find deleted emails. It may include examining cache or log files, and even checking whether data remains in Internet history files. And of course, it usually involves searching for the same data in the active files as well.

The practice is similar when looking for specific documents that support a case or allegation. Keyword searches are performed on active or visible documents and on ambient data. Keyword searches must be designed carefully. In one such case, Slinger Foundation v Blair Smith, the author found more than one million keyword “hits” on two disk drives.
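To illustrate why keyword design matters, the added example below (not from the original article) searches a raw byte buffer for a term in both ASCII and UTF-16LE and compares substring matching with whole-word matching. The buffer is constructed sample data standing in for unallocated space, and the function names are hypothetical.

```python
import re

ALNUM = rb"[A-Za-z0-9]"

# Constructed sample buffer: filler bytes, two ASCII text fragments and one
# UTF-16LE fragment, as might be left behind by deleted files.
BUF = (b"\x00" * 16 + b"Please release the build." + b"\xff" * 8
       + b"The lease expires in May" + b"\x00" * 5
       + "Lease renewal".encode("utf-16-le") + b"\x00" * 8)

def compile_term(term: str, encoding: str, whole_word: bool) -> re.Pattern:
    """Build a case-insensitive byte pattern for one term in one encoding."""
    body = re.escape(term.encode(encoding))
    if whole_word:
        # One "character" is 1 byte in ASCII, letter + NUL in UTF-16LE.
        unit = ALNUM + (rb"\x00" if encoding == "utf-16-le" else b"")
        body = rb"(?<!" + unit + rb")" + body + rb"(?!" + unit + rb")"
    return re.compile(body, re.IGNORECASE)

def keyword_search(buf: bytes, terms, whole_word: bool = True) -> list:
    """Return sorted (byte offset, term, encoding) hits found in buf."""
    hits = []
    for term in terms:
        for encoding in ("ascii", "utf-16-le"):
            pattern = compile_term(term, encoding, whole_word)
            hits += [(m.start(), term, encoding) for m in pattern.finditer(buf)]
    return sorted(hits)

if __name__ == "__main__":
    loose = keyword_search(BUF, ["lease"], whole_word=False)
    strict = keyword_search(BUF, ["lease"], whole_word=True)
    # "lease" as a substring also fires on "Please" and "release".
    print(len(loose), "substring hits:", loose)
    print(len(strict), "whole-word hits:", strict)
```

Reporting byte offsets rather than just counts lets each hit be traced back to its location on the media when the results are documented.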

Finally, computer forensics experts are often required to testify in court. As a result, the CFE's methods and procedures may be placed under a microscope, and the expert may be asked to explain and defend their results and actions. A CFE who is also an expert witness may have to defend statements made in court or in text published elsewhere.

Generally, data recovery deals with the data on a single disk drive or a single system. Data recovery firms have their own standards and procedures and rely on their reputation rather than on certification. Electronic discovery often processes data from a large number of systems, or from servers that may contain many user accounts. Electronic discovery methods are based on mature combinations of software and hardware, and are best planned ahead of time (although a lack of advance planning is common). Computer forensics may involve one or more systems or devices, may be quite fluid in the scope of the requests made, often deals with missing data, and must be defensible (and defendable) in court.



Source by Steve Burgess