What is the difference between data recovery, computer forensics, and e-discovery?
Data recovery, computer forensics, and e-discovery. These three areas are related to data and especially digital data. It’s all about electrons in the form of zero and one. And it’s all about taking information that may be hard to find and presenting it in an easy-to-read way. But despite the overlap. Skills require different tools. Different specializations, different work environments, and different perspectives.
Data recovery generally involves things being damaged – either hardware or software. When the computer crashes and cannot restart, when an external hard disk, thumb drive, or memory card cannot be read. Data recovery may be required. Often, digital devices whose data needs to be recovered will suffer electronic damage, physical damage, or a combination of both. If so, hardware repairs will be a big part of the data recovery process. This may involve repairing the drive’s electronics. or even replace the stack of read/write heads inside a closed part of the disk drive.
If the hardware is intact, the file structure or partition will most likely be damaged. Some data recovery tools will try to improve partitions or file structures. While others look into the damaged file structure and try to pull the file out. Partitions and directories can be manually rebuilt with a hex editor as well. But given the size of modern disk drives and the amount of data in them, this tends to be impractical.
In general, data recovery is a kind of “macro” process. The end result tends to be a large population of data stored without much attention to individual files. Data recovery work is often an individual disk drive or other digital media that has damaged hardware or software. No particular standard is accepted across the industry in data recovery.
Electronic inventions are usually concerned with intact hardware and software. Challenges in e-discovery include “de-duping.” Searches can be done through a large number of emails and documents that exist or are backed up.
Due to the nature of computers and emails, there are most likely many identical duplicates (“fraudsters”) of various documents and emails. The E-discovery tool is designed to filter out what may be an unmanageable data stream to manageable sizes by indexing and removing duplicates, also known as de-duping.
E-discovery often deals with large amounts of data from undamaged hardware. The procedure is under the Federal Rules of Civil Procedure (“FRCP”).
Computer forensics has aspects of e-discovery and data recovery.
In computer forensics, forensic examiners (CFEs) search for and through existing and existing data, or that are deleted. Doing this kind of e-discovery, a forensic expert sometimes handles faulty hardware, although this is relatively rare. Data recovery procedures can be performed to recover deleted files in their entirety. But often CFE has to deal with deliberate efforts. To hide or destroy data that requires skills beyond those found in the data recovery industry.
When dealing with email, CFEs often look for unfilled space for ambient data — data that no longer exists as a user-readable file. This can include searching for a specific word or phrase (“keyword search”) or an email address in an unfilled space. This can include hacking Outlook files to find deleted emails. Look into caches or log files, or even Internet history files for remnants of data. And of course, it often includes searches through active files for the same data.
Aspects of e-discovery
The practice is similar when looking for specific documents that support a case or indictment. Keyword searches do both on active or visible documents, and on ambient data. Keyword searches should be carefully designed. In one such case, the Schlinger v Blair Smith Foundation author found more than a million keywords “hits” on two disk drives.
Lastly, computer forensic experts are also often called upon to testify as expert witnesses in depositions or in court. As a result, CFE methods and procedures can be viewed under a microscope and experts may be asked to explain and maintain their results and actions. CFEs who are also expert witnesses may have to defend things said in court or in writings published elsewhere.
Most often, data recovery relates to a single disk drive or data from a single system. A data recovery house will have its own standards and procedures and work on a reputational basis, not certification. Electronic discovery often relates to data from a large number of systems, or from servers that may contain multiple user accounts. The E-discovery method is based on a proven and best-planned combination of software and hardware well in advance (although a lack of pre-planning is very common). Computer forensics can handle one or many systems or devices, may be fairly smooth within the scope of demands and requests made, often dealing with lost data, and should be able to be defended – and defended – in court.