Data Recovery vs Computer Forensics | Ontrack Blog

Wednesday, 14 March 2018 by Michael Nuncic


What sets the data recovery expert apart from the computer forensics expert?

There are big differences between the profession of the data recovery specialist and the profession of computer forensics, but they also have many things in common. Both are looking for data that cannot be retrieved anymore, whether because of an accident or through a person's own initiative.

What does a data rescuer do?

The data rescuer receives a storage medium from the client (in the case of larger RAID units, they may need to work via the internet or directly on site) with the request to recover lost data. The first step is an analysis to assess the chances of a successful data recovery. After this step, it can be said whether the data can be recovered at all and at what price. A detailed diagnostic report provides a complete list of recoverable files with their status.

Recovery is never the same twice

If the customer gives the green light, the actual data recovery can start. How the information is recovered depends on what triggered the data loss and what storage media is involved. If hardware damage can be eliminated by swapping the affected component, bringing the storage medium back to life is relatively straightforward. Professional data recovery experts not only have a large stock of popular controllers and read/write heads, they also have excellent contacts with the manufacturers, which is shown by the fact that any manufacturer's warranty that still exists is not voided.

SSDs can be problematic – HDDs, too

How is SSD different?

With SSDs, however, it is not always easy to succeed with replacement hardware from the same series, since the manufacturers have used different hardware for this storage medium within the same series. If an HDD needs to be opened to access the storage disks, this must be done in the clean room. Not even a small amount of dust should settle on the platters; otherwise, this tiny piece of material would get between the rapidly spinning disc and the read/write head, which would definitely scratch across it and destroy data there. For comparison: if the read/write head were an Airbus, it would race at full speed at a height of one meter above the ground. A speck of dust would have the dimensions of a large boulder.

Data recovery expert requirements

A data recovery expert needs to be able to handle a lot of programs and, in part, self-developed tools. That's because even on the software side, a lot can be wrong that has to be straightened out, be it corrupted metadata, false low-level information needed for basic disk operation, or a problem with an SSD with an encrypting controller. If the necessary key is missing here, the DR professional isn't usually in a position to recover data.

Computer forensics differs

Normally, the data rescuer is in a comfortable position compared with the computer forensics expert: his client is highly cooperative and provides all access data. When it comes to a crime, that's usually not the case. Here, hacker methods must sometimes be used to gain access to the storage medium. In addition to applying the methods of the data rescuer, who is ultimately not interested in the content of the saved data, the forensic scientist must conduct a structured investigation, documenting evidence that enables the court to determine what has happened on an IT system as well as who is responsible for it. For example, an IT forensics report might include information on the identity or identification of the offender, the period and extent of the crime, and information on the motivation and execution of the crime.

How to become a cyber forensics expert?

In many European countries and overseas there are already a lot of universities and colleges which offer either courses on computer forensics or even a semester-long education in this field, as part of the IT department of the educational institution. Even though it is a highly technical role, beginners in this field are at least expected to have a bachelor's degree in Computer Science or Engineering with a solid focus on Cyber Security, Digital Forensics or a related field. However, some of the experts who are now working in this field come from law enforcement (police officers etc.) and had already been in contact with cybercrime.

When the law gets involved

In court cases, a forensic expert must be able to act as a reviewer, which includes being able to clearly describe his work. However, companies seeking help usually do not involve the law. As a rule, the security requirements of the IT department are checked first and consequently improved.

Falling into forensics

Today's chief forensic experts have mostly come into this field as career changers from their original profession. Many hunted hackers while still students, a task they were not able to get away from. As a cyber forensics expert, you have to think around multiple corners, you have to be able to discover patterns in huge amounts of code, and you have to be creative. One security expert therefore puts it succinctly: "We need artists."


