Get in Touch Close Menu

Digital Forensics and Data Recovery

Recovering data and retrieving evidence from damaged and protected devices is a specialist skill. Often in the case of an incident or critical system compromise, this needs to be achieved on a tight deadline and in compliance with specific parameters to ensure business continuity and guarantee resilience.

The Sapphire forensic team has two
decades of experience working with the full range of public and private bodies.

Helping organisations recover and
analyse data on everything from
malicious attacks to insider threats
since 1996, the team combines swift
response times with a proven
methodology.

In-depth: Retrieve data from the full range of damaged systems, including those where it has been forcibly deleted, including tape, hard drives, DVD, RAID arrays, mobile devices and more.

Compliant: The Sapphire forensic team was one of the first to be ISO 27001 certified, and our response procedures help organisations comply with required standards such as Mandatory Requirement 37 of the Security Policy Framework

Learn: As well as running a series of open educational courses, Sapphire also delivers tailored Forensic Awareness courses bespoke to each organisation.

FREQUENTLY ASKED QUESTIONS (FAQS)

1. What is Digital Forensics?

Digital Forensics, also referred to as Computer Forensics, is the process of identifying, collecting, preserving, and analysing Electronically Stored Information (ESI). This can exist in various forms like email messages, network log files, and digital images. A digital forensic specialist can access this data from computer hard drives, servers, thumb drives, mobile phones, DVD, and any other digital storage media.

Digital Forensics can be used for a number of reasons, for example in investigations looking to determine compliance or litigation, or for investigating timelines in incidents.

2. Which digital media devices can contain digital evidence?

  • Laptops and iPads
  • Computers
  • Smartphones and some cell phones
  • iPods and MP3 music players
  • Hard drives
  • USB drives
  • Digital cameras
  • CD-ROMs and DVDs
  • Back-up tapes
  • On-Line storage
  • Cloud-Based Environments

3. When is it necessary to use digital forensics?

Digital Forensics can be useful when there is:

  • Unauthorised release of corporate information
  • Destructive malware attacks, such as ransomware
  • Theft of trade secrets or intellectual property
  • Violations of policy
  • Internet abuse
  • Workplace misconduct
  • Sexual harassment, deception, or negligence
  • White-collar crime or criminal fraud
  • Industrial espionage
  • Damage assessment and analysis

4. What information can a Digital Forensic examination provide?

  • Deleted, hidden, or encrypted computer files after reformatting or repartitioning a hard drive
  • Passwords for encrypted or password protected files
  • Visited websites
  • Uploaded or downloaded files
  • The time files were deleted or accessed
  • The times and passwords for user login
  • Attempts to hide, destroy, or fabricate evidence
  • Removed texts from final document versions

5. What is the difference between Digital Forensics and data recovery?

Digital Forensics focuses on providing evidence regarding how a computer was used, the files that were accessed, the time of access, and the user’s identity. Through Digital Forensic investigations, it is possible to identify, assemble, analyse and elaborate on vast amounts of digital data useful in court.

Data recovery is a step in the evidence gathering process in a computer forensics investigation whose goal is to recover the files or folders lost in damaged computers, disk drives, media, or operating systems. This process can help with the recovery of “lost” data from storage media.

6. How does the Digital Forensic process work?

A Digital Forensics expert will take the following steps during a typical investigation:

The first thing to determine is the objective and purpose of the investigation.

Next, the investigator will image the data to protect and preserve evidence from alteration, corruption, damage, or malicious software. If the data is tainted, it may be rendered inadmissible in a court of law.

Then, it is important to confront the legal issues connected to the evidence like protecting privilege, navigating the discovery process, or relevant case law.

Finally, after all the relevant files are identified, data analysis is performed. This also takes into account information that could have been deleted or which exists in the slack space, which requires advanced digital forensic tools and techniques.

7. What do I receive after a computer forensics investigation?

Once digital investigations conclude, the forensic science expert should give you a detailed report explaining;

  • The steps taken to acquire and secure the digital evidence
  • The qualifications of the forensic investigator
  • The scope of the investigation
  • The results of the examination
  • The conclusions of the digital forensics expert