Forensic data recovery & collection: an added complication

Legal Data Collection

Each data recovery job is different, and the differences are more extreme when the recovery has a forensic element. In these cases, the main difference is that the media first passes through the investigative team, which identifies the risk areas and the required data; only then can the data recovery team start its work.

During these processes one of the most important things is to ensure that collected metadata remains exactly the same as it was on the servers or machine that it came from.

The process of collecting the data might vary by company or country, but usually the legal department is responsible for the collection. However, legal generally wouldn’t have access to the IT environment, so IT would need to help by telling legal where data is stored and then performing the collection.

In many forensic cases there are files that may have been deleted. To retrieve those, the engineer has to image the server, potentially set up a copy of the Exchange environment, and restore the image there so that the actual production server is not affected. Collections typically include information from several years ago, which means that only backups would contain that information.

There are many software packages that can work with Microsoft Exchange backups (EDBs) to shorten the process, one of which is Ontrack PowerControls. As always, ensure that the tools that you use keep the metadata intact and if you are not confident performing a collection then call in the experts.
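One way to check that a collection kept content and timestamps intact is to record a manifest at the source and compare it with the collected copy. The script below is an added example, not part of the original article or any vendor tool; the file names and the `demo` data are constructed, and it checks only SHA-256, size and modification time.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def manifest(root):
    """Map relative path -> (sha256, size, mtime_ns) for every file under root."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            out[p.relative_to(root).as_posix()] = (h.hexdigest(), st.st_size, st.st_mtime_ns)
    return out

def compare(source, collected):
    """Return sorted (path, problem) pairs where the collected copy differs."""
    findings = []
    for path, (digest, size, mtime) in source.items():
        if path not in collected:
            findings.append((path, "missing"))
            continue
        c_digest, c_size, c_mtime = collected[path]
        if c_digest != digest or c_size != size:
            findings.append((path, "content changed"))
        elif c_mtime != mtime:
            findings.append((path, "mtime changed"))
    for path in collected.keys() - source.keys():
        findings.append((path, "unexpected file"))
    return sorted(findings)

def demo():
    """Constructed sample: one copy made with metadata kept, one without."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src"); src.mkdir()
        f = src / "mail.txt"; f.write_text("constructed sample message\n")
        stamp = 1_500_000_000_000_000_000  # fixed 2017 timestamp, in ns
        os.utime(f, ns=(stamp, stamp))
        good = Path(tmp, "good"); good.mkdir()
        bad = Path(tmp, "bad"); bad.mkdir()
        shutil.copy2(f, good / "mail.txt")    # copy2 preserves timestamps
        shutil.copyfile(f, bad / "mail.txt")  # copyfile copies content only
        base = manifest(src)
        return compare(base, manifest(good)), compare(base, manifest(bad))

if __name__ == "__main__":
    print(demo())
```

The second copy has identical content but a new modification time, which is the kind of silent drift a hash-only check would miss.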
