TABLE OF CONTENTS Before data can be analyzed, it needs to be acquired. This means that the data needs to be duplicated so that the person performing the analysis can work from it without modifying the data. This means using any number of tools to duplicate the data so that an exact sector-by-sector mirror image of the disk is generated. This enables the forensic analyst to view any data that is hidden, fragmented, or deleted. Whether data is being duplicated as part of a computer forensic investigation or to acquire a backup of the data for other purposes, it is important that the original data is not modified or corrupted during the duplication process.
Deleted data can be an issue in any situation dealing with computers. A file may be deleted on purpose or by accident, as a normal process of an application, or as the result of a virus, intrusion, or malicious software. In some cases, an entire partition may be lost, causing everything on a volume to appear unrecoverable. However, this is not necessarily the case. When data is deleted, various tools may be used to recover the data from a hard disk or other storage media. In some cases, the files may be corrupted or damaged in some way, and additional software may be needed to repair the file. As discussed in the following sections, regardless of the cause, there are many ways to recover data.
At the company where you work, there...
