The use of computer forensics is the process of recovering deleted or hidden digital data on computer systems. It involves both the digital and physical reconstruction of damaged data.
There is a standard process used in data forensics. This is acquisition, examination, analysis, and reporting. A variety of techniques are used during this process. The recovery of deleted files is possible using tools to recover or “carve out” data that has been removed from the system by a user. When most files are deleted by an operating system, the data is not actually permanently removed from the hard drive by merely hidden by the file system. The files are normally able to be retrieved as long as newer data has not been written on top of it. Depending upon how extensively the storage medium was used after deletion of the files, retrieval of the files is possible in either full or partially fragmented states.
File Carving
The file system that makes up the organizational structure of an operating system holds metadata that defines the characteristics of the actual files contained upon a system. This includes information of folders or directories and the physical location of the file upon the hard disk. In the absence of this metadata, it is extremely difficult to recover the individual files. The process of recovering files without metadata is called file carving.
File carving reconstructs metadata, like the headers and footers that describe the contents of a file. Since the process is a complicated task, forensics software enables many permutations of possibilities to be investigated. File carving algorithms built into data forensics software use statistical processes to find errors within the system and recover files from within it.
Reconstructing Physical Media
In some cases, the files needed for recovery are on some form of storage medium that has been destroyed or damaged. An important part of data forensics is the ability to reconstruct these hard drives or solid state drives and recover the data within them. Physical repair of a hard drive might be required. Often when subjected to physical trauma, a hard drive read/write head will be broken by striking the platter (the circular disk data is stored upon). In solid state cases where the circuit board has been damaged, sometimes the flash memory must be uninstalled and soldered into a new board in order to read the data.
Working on sensitive hard drives has the risk of permanently damaging the data if dust lodges between the read/write head and the platter. Doing this properly requires disassembly & reconstruction within a professional clean room.
Data forensics is an invaluable service that assists in the recovery of inaccessible data, and remains a specialized service due to the complex hardware and software procedures in addition to the reconstruction of data with advanced algorithms. Although you might at first think all data is lost and cannot be recovered, there might still be hope: the techniques employed in data carving have recovered many files from extreme situations.