Thursday, June 16, 2011

The Difference Between Computer Forensics, Data Recovery and E-Discovery



June 1st of this year my partner Alan Delgado and I were asked to speak at the Whatcom County Bar Association CLE on Computer Forensics. We certainly appreciated the opportunity to share with them the basics. When asked to speak to a group I usually ask several questions, one of which is: “Do you know the difference between Computer Forensics, Data Recovery and E-Discovery?” I wasn’t too surprised at the results. Only one person in the room raised their hand. So, for the record:

All three fields work with digital data, which is all in the form of zeroes and ones. Each involves taking information that may be hard to find and presenting it in a clear and concise manner. They share some common characteristics, but the skill sets require different tools, different specializations, different work environments, and different ways of viewing the results.

Data Recovery normally involves broken hardware or software. When a computer crashes, or an external hard disk, thumb drive, or memory card becomes unreadable, then data recovery might be required. Normally a digital device that requires data recovery will have electronic damage, physical damage, or a combination of the two.

E-Discovery or electronic discovery typically deals with hardware and software that is undamaged. Due to the nature of computers and of email, there are likely to be very many identical duplicates ("dupes") of various documents and emails. The largest challenge for e-discovery is "de-duping." Searches often are conducted through a very large volume of existing or backed-up emails and documents.
E-discovery tools are designed to reduce the data to a manageable size by indexing and removal of duplicates.  E-discovery is mainly software driven.

Computer Forensics has components of both e-discovery and data recovery. The forensic examiner (CSFA) searches through active data (existing), archival data (data that has been backed up and stored), and latent data (previously existing, or deleted data). When performing this type of discovery, a forensics expert may need to work with damaged hardware, although this is uncommon. More frequently, the forensic examiner encounters purposeful attempts to hide or destroy data.

The computer forensics expert is also often called upon to testify as an expert witness in deposition or in court. The computer forensics expert’s methods and procedures may be scrutinized.  The expert often is called upon to explain and defend his or her results and actions.

3 comments:

  1. Great post. Computer forensics helps in acquiring digital evidence from PC and issues a report during an investigation.

  2. FTI makes a pretty solid eDiscovery software, in case you need a resource.

  3. I really like this article, please keep it up.
    data recovery lahore
