Get in Touch Close Menu

Digital Forensics and Data Recovery


1. What is Digital Forensics?

Digital Forensics, also referred to as Computer Forensics, is the process of identifying, collecting, preserving, and analysing Electronically Stored Information (ESI). This can exist in various forms like email messages, network log files, and digital images. A digital forensic specialist can access this data from computer hard drives, servers, thumb drives, mobile phones, DVD, and any other digital storage media.

Digital Forensics can be used for a number of reasons, for example in investigations looking to determine compliance or litigation, or for investigating timelines in incidents.

2. Which digital media devices can contain digital evidence?

  • Laptops and iPads
  • Computers
  • Smartphones and some cell phones
  • iPods and MP3 music players
  • Hard drives
  • USB drives
  • Digital cameras
  • CD-ROMs and DVDs
  • Back-up tapes
  • On-Line storage
  • Cloud-Based Environments

3. When is it necessary to use digital forensics?

Digital Forensics can be useful when there is:

  • Unauthorised release of corporate information
  • Destructive malware attacks, such as ransomware
  • Theft of trade secrets or intellectual property
  • Violations of policy
  • Internet abuse
  • Workplace misconduct
  • Sexual harassment, deception, or negligence
  • White-collar crime or criminal fraud
  • Industrial espionage
  • Damage assessment and analysis

4. What information can a Digital Forensic examination provide?

  • Deleted, hidden, or encrypted computer files after reformatting or repartitioning a hard drive
  • Passwords for encrypted or password protected files
  • Visited websites
  • Uploaded or downloaded files
  • The time files were deleted or accessed
  • The times and passwords for user login
  • Attempts to hide, destroy, or fabricate evidence
  • Removed texts from final document versions

5. What is the difference between Digital Forensics and data recovery?

Digital Forensics focuses on providing evidence regarding how a computer was used, the files that were accessed, the time of access, and the user’s identity. Through Digital Forensic investigations, it is possible to identify, assemble, analyse and elaborate on vast amounts of digital data useful in court.

Data recovery is a step in the evidence gathering process in a computer forensics investigation whose goal is to recover the files or folders lost in damaged computers, disk drives, media, or operating systems. This process can help with the recovery of “lost” data from storage media.

6. How does the Digital Forensic process work?

A Digital Forensics expert will take the following steps during a typical investigation:

The first thing to determine is the objective and purpose of the investigation.

Next, the investigator will image the data to protect and preserve evidence from alteration, corruption, damage, or malicious software. If the data is tainted, it may be rendered inadmissible in a court of law.

Then, it is important to confront the legal issues connected to the evidence like protecting privilege, navigating the discovery process, or relevant case law.

Finally, after all the relevant files are identified, data analysis is performed. This also takes into account information that could have been deleted or which exists in the slack space, which requires advanced digital forensic tools and techniques.

7. What do I receive after a computer forensics investigation?

Once digital investigations conclude, the forensic science expert should give you a detailed report explaining;

  • The steps taken to acquire and secure the digital evidence
  • The qualifications of the forensic investigator
  • The scope of the investigation
  • The results of the examination
  • The conclusions of the digital forensics expert