Data Recovery vs. Computer Forensics | Ontrack blog

Differences between the data recovery specialist and the computer forensics professions

There are big differences between the data recovery specialist and the computer forensics professions, but there are many things in common. Both look for data that cannot be retrieved because of an accident or by a person's own initiative.

The data recovery specialist receives a storage medium from the client (in the case of larger RAID units, they may need to work via the internet or directly on-site) with the request to recover lost data. The first step is to do an analysis to find out the likelihood of recovering data.  Along with a detailed diagnostic report, the specialist provides a complete list of recoverable files with their status.

If the customer gives the green light, the actual data recovery can be started. Depending on what triggered the data loss and what storage media is involved, the way how the information will be recovered differs. If it's possible to eliminate hardware damage by switching the affected component, bringing the storage medium back to life is relatively straightforward. Professional data recovery experts not only have a large stock of popular controllers and read/write heads, they also have excellent contacts with the manufacturers.

SSDs can be problematic – HDDs, too

However, with SSDs, it's not always easy to succeed with hardware replacement from the same series, since the manufacturers have used different hardware for this storage medium in the same series. If an HDD needs to be opened to access the storage disks, this must be done in the cleanroom. No small amount of dust should settle on the plates, otherwise this tiny piece of material would get between the rapidly spinning disc and the read/write head, which would definitely scratch a tiny bit over it and destroy data. For comparison: If the read/write head were an Airbus, it would race at full speed at a height of one meter above the ground. A speck of dust would have the dimensions of a boulder.

Handling lots of programs and tools

A data recovery expert needs to be able to handle a lot of programs and, in part, self developed tools. That's because even on the software side, a lot can be wrong, which has to be straightened: Whether it's corrupted metadata or false low-level information needed for basic disk operation. It becomes a problem with an SSD with encrypting controller. If the necessary key is missing here, the data recovery specialist is usually not in a position to save data.

 

Read also: How to Handle a Corrupted Hard Drive

 

Normally, the data recovery specialist is in the more comfortable position, in contrast to computer forensics.  Computer forensics clients are highly cooperative and provides access to all data. When it comes to a crime, that's usually not the case.  Sometimes hacker methods must be used to open access to the storage medium. And in addition to the methods of the data recovery specialist, who is ultimately not interested in the content of the data saved, the forensic scientist must conduct a structured investigation, documenting evidence that enables the court to determine what has happened on an IT system - and who is responsible for it. For example, an IT forensics report might include information on the identity or identification of the offender, the period and extent of the crime, and information on the motivation and execution of the crime.

University and college computer forensics courses

In many European countries and oversees, there are already a lot of universities and colleges which either offer many courses of computer forensics or even a whole semester long education as part of the IT department of the educational institution. Even though it is a highly technical role, beginners in this field are at least expected to have a bachelor's degree in Computer Science or Engineering, with a solid focus on Cyber Security, Digital Forensics, or a related field. However, some of the experts who are now working in this field come out of law enforcement and have already had contact with cyber crime.

Read also: A Quick Guide to Understanding Media Corruption

In court cases, a forensic expert must be able to act as a reviewer, which includes being able to clearly describe their work. However, the law is usually not involved by help-seeking companies. As a rule, the security requirements of the IT department are checked and consequently improved.

Changing career to chief forensic experts

Today's chief forensic experts have come into this field mostly as a career change from their original profession. Many have hunted hackers while still being a student - a task they were not able to get away from.  As a cyber-forensic, you have to think around multiple corners, you have to be able to discover patterns in huge amounts of code and be creative.  As one security expert succinctly says, "We need artists."

 

Load more comments