What's the difference between data recovery, computer forensics and e-discovery?

All three fields deal with data, and specifically digital data. It's all about electrons in the form of zeroes and ones. And it's all about taking information that may be hard to find and presenting it in a readable fashion. But even though there is overlap, the skill sets require different tools, different specializations, different work environments, and different ways of looking at things.

Data recovery generally involves things that are broken - whether hardware or software. When a computer crashes and won't start back up, when an external hard disk, thumb drive, or memory card becomes unreadable, then data recovery may be required. Frequently, a digital device that needs its data recovered will have electronic damage, physical damage, or a combination of the two. If such is the case, hardware repair will be a big part of the data recovery process. This may involve repairing the drive's electronics, or even replacing the stack of read/write heads inside the sealed portion of the disk drive.

If the hardware is intact, the file or partition structure is likely to be damaged. Some data recovery tools will attempt to repair partition or file structure, while others look into the damaged file structure and attempt to pull files out. Partitions and directories may be rebuilt manually with a hex editor as well, but given the size of modern disk drives and the amount of data on them, this tends to be impractical.

By and large, data recovery is a kind of "macro" process. The end result tends to be a large population of data saved without as much attention to the individual files. Data recovery jobs are often individual disk drives or other digital media that have damaged hardware or software. There are no particular industry-wide accepted standards in data recovery.

Electronic discovery usually deals with hardware and software that is intact. Challenges in e-discovery include "de-duping." A search may be conducted through a very large volume of existing or backed-up emails and documents.

Due to the nature of computers and of email, there are likely to be very many identical duplicates ("dupes") of various documents and emails. E-discovery tools are designed to winnow down what might otherwise be an unmanageable torrent of data to a manageable size by indexing and removal of duplicates, also known as de-duping.

E-discovery often deals with large quantities of data from undamaged hardware, and procedures fall under the Federal Rules of Civil Procedure ("FRCP").

Computer forensics has aspects of both e-discovery and data recovery.

In computer forensics, the forensic examiner (CFE) searches for and through both existing and previously existing, or deleted, data. Doing this kind of e-discovery, a forensics expert sometimes deals with damaged hardware, although this is relatively uncommon. Data recovery procedures may be brought into play to recover deleted files intact. But frequently the CFE must deal with purposeful attempts to hide or destroy data that require skills outside those found in the data recovery industry.

When dealing with email, the CFE is often searching unallocated space for ambient data - data that no longer exists as a file readable to the user. This can include searching for specific words or phrases ("keyword searches") or email addresses in unallocated space. This can include hacking Outlook files to find deleted email. This can include looking into cache or log files, or even into Internet history files for remnants of data. And of course, it often includes a search through active files for the same data.

Practices are similar when looking for specific documents supportive of a case or charge. Keyword searches are performed both on active or visible documents, and on ambient data. Keyword searches must be designed carefully. In one such case, The Schlinger Foundation v Blair Smith, et al, the author, computer forensics expert Steve Burgess, uncovered more than one million keyword "hits" on two disk drives.

Finally, the computer forensics expert is also often called upon to testify as an expert witness in deposition or in court. As a result, the CFE's methods and procedures may be put under a microscope and the expert may be called upon to explain and defend his or her results and actions. A CFE who is also an expert witness may have to defend things said in court or in writings published elsewhere.

Most often, data recovery deals with one disk drive, or the data from one system. The data recovery house will have its own standards and procedures and works on reputation, not certification. Electronic discovery frequently deals with data from large numbers of systems, or from servers that may contain many user accounts. E-discovery methods are based on proven software and hardware combinations and are best planned for far in advance (although lack of pre-planning is very common). Computer forensics may deal with one or many systems or devices, may be fairly fluid in the scope of demands and requests made, often deals with missing data, and must be defensible - and defended - in court.
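
The keyword and email-address searches of unallocated space described above can be sketched as follows; this is an added example, not the author's tooling. It scans raw bytes for a keyword in both ASCII and UTF-16LE and can discard hits that are only part of a longer word, one way a carelessly designed keyword inflates the hit count. The sample bytes, the keyword "merger" and the function names are constructed for illustration, and keywords are assumed to be ASCII.

```python
import re

# Constructed sample standing in for a run of unallocated space: remnants of a
# deleted email (ASCII), a document fragment (UTF-16LE) and an unrelated file name.
SAMPLE = (
    b"\x00" * 16
    + b"From: j.doe@example.com\r\nSubject: merger terms\r\n"
    + b"\xff" * 8
    + "Draft merger agreement".encode("utf-16-le")
    + b"\x00\x00submerger.dll\x00\x00"
)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _is_word_unit(unit, width):
    """True if one code unit (1 byte ASCII, 2 bytes UTF-16LE) is a letter or digit."""
    if len(unit) != width:
        return False  # hit touches the start or end of the buffer
    if width == 2 and unit[1] != 0:
        return False  # not a basic Latin character in UTF-16LE
    return unit[:1].isalnum()


def keyword_hits(data, keyword, whole_word=True):
    """Return sorted (offset, encoding) pairs where an ASCII keyword occurs."""
    hits = []
    for enc, width in (("ascii", 1), ("utf-16-le", 2)):
        pattern = re.compile(re.escape(keyword.encode(enc)), re.IGNORECASE)
        for m in pattern.finditer(data):
            before = data[max(m.start() - width, 0):m.start()]
            after = data[m.end():m.end() + width]
            if whole_word and (_is_word_unit(before, width)
                               or _is_word_unit(after, width)):
                continue  # substring of a longer word, e.g. "submerger"
            hits.append((m.start(), enc))
    return sorted(hits)


def email_addresses(data):
    """Return (offset, address) for every ASCII email address in raw bytes."""
    return [(m.start(), m.group().decode("ascii")) for m in EMAIL_RE.finditer(data)]


if __name__ == "__main__":
    print(keyword_hits(SAMPLE, "merger"))
    print(keyword_hits(SAMPLE, "merger", whole_word=False))
    print(email_addresses(SAMPLE))
```

Recording the byte offset and encoding of each hit lets the examiner point back to the exact location on the image when the result has to be explained or defended.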