
Welcome

At Fields Associates, we specialise in the recovery of the digital “fingerprints” left by the routine use of computers. Even erased files can be recovered and examined, ensuring that you have all the evidence available to support your investigation.

Established in 1999, we have earned an impressive reputation in the detection, analysis and presentation of computer evidence in the broadest range of criminal activities. These include fraud, extortion, data theft, child pornography and Internet abuse.

Our clients include legal firms, international banks, blue chip companies, law enforcement and military organisations.

ISO Certified

What is Forensic Data Recovery?

Forensics is the application of science for collecting evidence in civil or criminal cases. The field of forensic data recovery relates to identification and retrieval of digital evidence that can be used by law enforcement agencies to prosecute offenders. It is essential to investigate any crime in which computers have been used to commit an offence or when computers have themselves been the target of an unlawful act.

Collecting digital evidence is a specialised science requiring unique training, skills and tools in the fields of electronics and computers. This is because of the unique nature of such evidence. A large amount of data can fit into a small device like a pen drive, making it easy to hide, store or transport from one place to another undetected.

Electronic evidence may be easy to delete or overwrite but it is one of the hardest things to destroy completely and it is almost impossible to totally wipe out one’s footprints in cyberspace. Once created, a digital document resides in various versions and forms, at places which the creator may have no idea about. It is the job of the forensic data recovery specialists to discover these places and retrieve the information in a way that will be upheld in court.

Importance of Digital Forensics 

Information technology is fast gaining ground across all sections of society. Computers and Internet connections are now commonplace. Companies are increasingly getting wired and moving systems online to increase efficiency and reduce cost. Such widespread usage and popularity of computers and connectivity has ushered in an era of cyber crime.

Criminals today use computers in one way or another to commit crimes, for example by storing information on hard drives, sending incriminating emails, gaining unlawful access to company databases or committing plain financial fraud. Cyber crime is a whole new generation of crime that is easy to commit. It is also borderless and recognises no jurisdiction or political boundaries, making it harder to crack without special forensic skills and training.

Critical evidence for even ordinary crimes like drug deals or murder can be found locked inside computer hard disks or email servers. Computer forensic capabilities and the ability to recover data from storage media like hard drives, CDs, pen drives and so on have become a critical requirement of any police force today. Forensic data capability has become very important in maintaining national security and protecting ordinary citizens from theft and fraud.

Gathering digital evidence and recovering incriminating data from computers become essential in cracking cases related to areas like: 

  1. Computer-aided terrorism
  2. Dubious financial transactions or money trail
  3. Industrial espionage and theft of intellectual property
  4. Online fraud and misappropriation of funds
  5. Distribution of child pornography
  6. Internet abuse and cyber-stalking
  7. Regulatory violations
  8. Threatening calls or emails
  9. Sexual harassment in the workplace by indecent electronic messages and pictures
  10. Computer-aided identity theft

Electronic evidence, like any other evidence, has to conform to the law of evidence if it is to stand up to scrutiny in court. All rules related to physical evidence and its collection apply to digital evidence too. Forensic procedures and policies that the police follow for gathering electronic evidence are mostly laid down by the International Association of Computer Investigative Specialists, a worldwide non-profit organisation.

Data Recovery

Data recovery is a crucial part of digital forensics. Whenever a crime is committed using a computer, the culprit makes efforts to wipe out the trail and destroy evidence by deleting or corrupting computer files, formatting the hard disk or physically damaging the storage media. This makes it very difficult for the police to gather evidence as the data becomes inaccessible. Law enforcement agencies also need professional data recovery if the media format is too old or outdated, or if the media are too numerous to facilitate collection.

Data recovery mostly deals with hard drives, tape drives, RAID, email servers, relational databases, CDs, DVDs, compact flash disks and even cell phones and Blackberries. The evidence-gathering procedure is non-destructive. A duplicate is made of the drive by carefully scanning the drive surface. All forensic work is done on the clone, leaving the original disk undisturbed to be used as evidence. To maintain evidentiary integrity, a device called a “write blocker” is used, which prevents any data on the hard disk drive from being overwritten or deleted.

Once the data is recovered, it is handed over to the investigative officers in the form of a new hard disk, CD-ROM, DVD-ROM or a hard copy. While extracting data, logs are kept of the actions performed and every piece of data found, to ensure the method conforms to the law of evidence and can be admissible in court.
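The clone-and-log procedure described above, sketched as an added example that is not part of the original article. It assumes the clone is checked against the original with a SHA-256 hash (the article does not name a verification method), and the file names and sample data are constructed for illustration.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB blocks

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def log_action(log, action, **details):
    # Every step is timestamped so the examination can be reconstructed later.
    log.append({"time": datetime.now(timezone.utc).isoformat(), "action": action, **details})

def make_working_copy(source, clone, log):
    # The source is opened read-only; this does not replace a hardware write blocker.
    h = hashlib.sha256()
    with open(source, "rb") as src, open(clone, "xb") as dst:  # "xb": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    digest = h.hexdigest()
    log_action(log, "acquire", source=source, clone=clone, sha256=digest)
    match = sha256_of(clone) == digest
    log_action(log, "verify_clone", clone=clone, match=match)
    if not match:
        raise IOError("clone does not match source")
    return digest

def still_intact(path, expected, log):
    # Re-hash before and after analysis to show the working copy was not altered.
    ok = sha256_of(path) == expected
    log_action(log, "recheck", path=path, match=ok)
    return ok

def demo():
    with tempfile.TemporaryDirectory() as d:
        source, clone = os.path.join(d, "evidence.img"), os.path.join(d, "working.img")
        with open(source, "wb") as f:
            f.write(b"constructed sample sectors " * 4096)  # constructed stand-in for a drive
        log = []
        digest = make_working_copy(source, clone, log)
        before = still_intact(clone, digest, log)
        with open(clone, "r+b") as f:  # simulate an unintended write to the clone
            f.write(b"X")
        after = still_intact(clone, digest, log)
        return before, after, [e["action"] for e in log]
```

Calling `demo()` shows the recheck passing on the untouched clone and failing once a single byte has changed, with each step recorded in the log.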


Created on: 2007-05-01 14:36:29