Digital forensics tools have a certain amount of data recovery features built in. However, they cannot contain every data recovery capability, and digital forensics is not the same as data recovery.
So how do you choose Digital Forensics over Data Recovery?
This article will cover all the differences and intended uses for each method.
- 1. Admissibility in a Court of Law
- 2. Changes to the Data / Files
- 3. Angle of Focus
- 4. Methodology used
- 5. Hardware & Software Tools used
- 6. Specialized Learning & Courses
- 7. Seeking Professional Help
What is the difference between Digital Forensics and Data Recovery?
Here are the seven (7) key differences between them.
1. Admissibility in a Court of Law
This is probably the most important difference between the two.
When you use digital forensics methodology and tools to extract data from electronic devices, the data can become useful digital evidence for criminal investigation cases and even corporate crime investigations, e.g. checks into employee misconduct, data leaks, etc.
If you want to introduce digital evidence in court, use digital forensics methodology and tools.
Data recovery is used frequently by those who really need to get lost files back, e.g. old photo memories. In-depth file reconstruction can be performed, and it takes time to restore the files.
If you want to recover important files that have been deleted, overwritten or lost, use the data recovery method.
2. Changes to the Data / Files
Files change, in terms of their content and metadata, when they are copied, opened, printed or edited.
Digital forensics preserves the integrity of the data extracted from the device. This means all the files in the device are intact, and there is no contamination made to these files. Therefore, no changes, including metadata changes, are introduced.
Files remain the same as the last time they were used.
Data recovery will make changes to the files, since they have to be copied and data carved to uncover previously deleted content or versions.
The act of data carving will also overwrite certain portions of the disk space, thus making changes to the disk-allocated or unallocated space.
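The difference between a content change and a metadata change can be checked directly. The following is an added example, not code from the original article: it assumes SHA-256 as the content fingerprint and uses a constructed sample file, and the function names are hypothetical.

```python
import hashlib
import os
import shutil
import tempfile

def fingerprint(path):
    """Return (sha256 of content, size, mtime in seconds) without modifying the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only open; never "r+" or "w"
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    st = os.stat(path)
    return h.hexdigest(), st.st_size, int(st.st_mtime)

def compare(before, after):
    """Classify what differs between two fingerprints."""
    return {
        "content_changed": before[0] != after[0],
        "metadata_changed": before[1:] != after[1:],
    }

def demo():
    """Constructed scenario: a file last modified in 2020 is copied, then edited."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.txt")
        with open(original, "wb") as f:
            f.write(b"constructed sample content\n")
        os.utime(original, (1577836800, 1577836800))  # 2020-01-01 UTC
        baseline = fingerprint(original)

        copy = os.path.join(d, "copy.txt")
        shutil.copy(original, copy)  # plain copy: same bytes, new timestamp
        copied = compare(baseline, fingerprint(copy))

        with open(copy, "ab") as f:  # an edit changes the content as well
            f.write(b"edited\n")
        edited = compare(baseline, fingerprint(copy))

        # Reading did not alter content or mtime of the original.
        untouched = compare(baseline, fingerprint(original))
    return copied, edited, untouched

if __name__ == "__main__":
    for label, result in zip(("copied", "edited", "original"), demo()):
        print(label, result)
```

Only the modification time is compared here; the access time can still be updated by a read on a live file system, which is one reason examiners work from an image acquired behind a write-blocker.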
3. Angle of Focus
In digital forensics, one tends to be more interested in system & app artefacts such as the computer’s login date/time, the list of websites one visits, the last edit date of the document, and the timeline of all events on the device, etc. These findings can incriminate or exculpate someone.
In data recovery, one will be more interested in recovering deleted, overwritten, hidden and lost files. Often, the technique of data carving will be used to “carve” out the lost file from the disk partition. However, this process usually takes a long time and can take a few days, depending on the storage capacity and size of the hard drive.
4. Methodology used
This refers to the difference in steps and processes involved in achieving the output.
The methodology used in digital forensics involves the four (4) steps shown in the table below.
| Step | Digital Forensic Stage | Comments |
|---|---|---|
| 1 | Collection | The proper seizure procedure of devices to prevent physical damage and file contamination |
| 2 | Preservation | The forensic process of acquiring (imaging) a forensic image of the device |
| 3 | Analysis | The examination stage to uncover any inculpatory or exculpatory digital evidence using digital forensic tools |
| 4 | Presentation | Explaining the forensic findings, typically presented in a court of law when used by law enforcement agencies |
For data recovery, there are four (4) phases, namely:
- Phase 1: Repairing the hard drive
- Phase 2: Imaging the hard drive
- Phase 3: Logical recovery of the files, partitions, Master Boot Record and filesystem structures
- Phase 4: Repair damaged files
5. Hardware & Software Tools used
There are differences in both the hardware and software used.
Digital forensics uses physical write-blockers to ensure the imaging of the data is always in read-only mode. This prevents any accidental writing to the device.
The software used is also different. For example, mobile forensics uses software like Cellebrite UFED and Oxygen Forensic tools, while cloud forensics uses software like Magnet AXIOM.
Data recovery uses hard drive diagnosis equipment to check disk health and attempt disk repair. Examples of software tools used are: Recuva for Android devices, Dr Fone for iOS devices and PhotoRec for mass storage devices like memory cards and USB flash drives.
6. Specialized Learning & Courses
In digital forensics, you need to learn how to use forensics tools, either commercial ones through employment or open-source ones like Autopsy or SIFT Workstation.
Besides learning about file systems (e.g. NTFS, FAT, Android) and operating systems (e.g. macOS, Windows), you can expect to get hands-on experience dismantling computer parts, especially taking out hard drives from laptops.
For data recovery, you need to learn the internal mechanisms of hard disk operations and the newer solid-state drives (SSDs). You can expect some hands-on experience dismantling computer parts as well.
7. Seeking Professional Help
Although digital forensics is mainly a law enforcement capability for criminal offences, there are more and more private sector companies performing digital forensics for the public. Digital evidence can now be used in civil cases, matrimonial cases, etc.
You can easily look for a digital forensics company online. In addition, the big four (4) accounting firms also have their own in-house digital forensics team.
Data recovery companies, on the other hand, are plenty to choose from. Choose someone who can differentiate between digital forensics and data recovery and is honest about their pricing and waiting time.
If your hard drive is spoilt and undetectable, expect to pay a higher price due to disk repair procedures.
Can digital forensics recover deleted, overwritten and lost files?
Digital forensics tools include some data recovery features.
Depending on how much of the data has been overwritten, it is sometimes possible to reconstruct part of the file. For example, a JPEG image file can be partially reconstructed if certain portions of its data are intact and not overwritten.
On the other hand, this cannot apply to file types like PDF, where the whole data needs to be intact before reconstruction can happen.
Therefore, if a file is deleted but not yet overwritten by other files, there is a high chance of recovery.
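The data carving mentioned under "Angle of Focus" and the partial JPEG reconstruction described above can be sketched as a signature scan. This is an added, simplified example rather than the method of any tool named in the article: it looks only for the JPEG start and end markers in a raw image opened read-only, the function names are hypothetical, and the sample "disk" is constructed.

```python
import mmap

SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus first segment byte
EOI = b"\xff\xd9"      # JPEG end-of-image marker

def carve_jpegs(image, max_size=20 * 1024 * 1024):
    """Scan a raw image (bytes or read-only mmap) for JPEG candidates.

    Returns a list of (offset, data, complete). complete is False when no
    end marker is found before the next header or max_size, meaning the
    tail was overwritten and only part of the picture can be rebuilt.
    """
    results, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            return results
        limit = min(len(image), start + max_size)
        nxt = image.find(SOI, start + len(SOI), limit)
        end = image.find(EOI, start + len(SOI), limit)
        if end != -1 and (nxt == -1 or end < nxt):
            stop, complete = end + len(EOI), True
        else:
            stop, complete = (nxt if nxt != -1 else limit), False
        results.append((start, image[start:stop], complete))
        pos = stop

def carve_file(path):
    """Carve from an image file mapped read-only, so the source is never written."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            return carve_jpegs(m)

def build_sample():
    """Constructed 'disk': one intact JPEG-like blob and one with its tail zeroed."""
    intact = SOI + b"\xe0" + b"A" * 100 + EOI
    truncated = SOI + b"\xe1" + b"B" * 60  # end marker lost to overwriting
    return b"\x00" * 512 + intact + b"\x00" * 512 + truncated + b"\x00" * 512

if __name__ == "__main__":
    for offset, data, complete in carve_jpegs(build_sample()):
        state = "complete" if complete else "partial"
        print(f"offset {offset}: {len(data)} bytes, {state}")
```

Real JPEGs can embed thumbnails that carry their own markers, so a production carver also validates the segment structure instead of trusting the first end marker it sees.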
Can encryption be detected using digital forensics or data recovery methods?
Encryption can be detected using digital forensics tools, such as OpenText EnCase. These encrypted files/folders will be flagged as encrypted compound files. The correct password will still be needed to unzip, mount or decrypt them.
Data recovery methods cannot detect the presence of encrypted files or folders.
Can you permanently delete data so that digital forensics and data recovery methods cannot recover it?
Yes, this is possible. Take, for instance, a typical hard disk drive or a USB flash drive. You can use the command line or MiniTool Partition Wizard to zero out your disk once.