September 28th, 2004 11:26 PM
How is data recovered exactly?
I am not all too familiar with how computer forensic experts recover data. All I know is this:
1. The box has to be secured so no damage is done to the data
2. All the files including hidden, deleted and encrypted files are copied
My question for you guys are these:
1. Securing the data seems easy enough, but what about data that has been purposefully damaged so evidence can be hidden? Also, can prosecutors add an obstruction of justice charge if the accused was in fact trying to detroy the data? Lastly, say for instance somebody was known to use the Internet for crimes say e-mail and the like, and the accused did get rid of the data, how can prosecutors connect the two?
When trying to hide or destroy information, how does the forensic investigator recover the data from physically damaged disks? Is there always a way to recover it, or does it come to a point where it cannot be recovered? I know this much... overwriting the disk with hex values and the like may not save you because of swap space... but I could be wrong here.
2. When copying files from physically damaged disks, how is this done? Is the information copied from the damaged disk to another disk, and how are you assured all the files will be intact and defense lawyers cannot contest planting of evidence?
How do investigators decrypt encrypted files?
Thanks for the help.