The Computer Forensics FAQ
What is computer forensics?
A classical definition is: "Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law." The "scientific" part matters in practice: the examination must be repeatable, documented, and performed on a copy of the media so that the original is never altered.
So what is data recovery?
Again, a classical definition is that data recovery is the process of retrieving data from damaged disk drives, media, computers, peripherals or operating systems, or recovering lost or deleted data from media. Data recovery shares techniques with forensics but does not require the chain of custody and documentation that make the result admissible as evidence.
Can deleted files be restored?
If the file's data has not been overwritten, yes: deleting a file normally removes only its directory entry and marks its blocks as free, and the contents stay on the disk until something reuses the space. If partly overwritten, maybe: whatever survives can often be carved out by searching for the file type's header and footer signatures, but the result will be incomplete. If the file was fragmented before it was deleted, recovery is harder still, because the pieces are no longer contiguous and the filesystem metadata that linked them is gone. The sooner the medium is imaged after the deletion, the better the odds.
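To show what "not overwritten" versus "partly overwritten" means in practice, here is a minimal signature carver. This is an added example, not code from the original FAQ: the "disk image" is a constructed bytes buffer standing in for unallocated space, holding one deleted JPEG whose clusters are intact and one whose last sector has been reused by a newer file. Neither has a directory entry, so the carver finds them purely by the JPEG start/end markers; a real run would read a dd or E01 image instead of calling build_image().

```python
"""Signature carving of deleted JPEGs from a raw image.

Added example, not code from the original FAQ. The 'disk image' built by
build_image() is constructed test data that stands in for unallocated space.
"""
import hashlib

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker (first three bytes)
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker
SECTOR = 512


def sha256_hex(data):
    """Hex SHA-256 of a byte string, used to check a carved file against the original."""
    return hashlib.sha256(data).hexdigest()


def build_image():
    """Return (image, sha256 of the intact file). Constructed test data.

    Deleting a file removes its directory entry, not its data, so neither
    file below has any metadata: the carver must find them by content."""
    intact = JPEG_SOI + b"\xe0" + b"A" * 900 + JPEG_EOI
    partial = JPEG_SOI + b"\xe0" + b"B" * 900 + JPEG_EOI
    image = bytearray(SECTOR * 16)
    image[SECTOR * 2:SECTOR * 2 + len(intact)] = intact
    image[SECTOR * 6:SECTOR * 6 + len(partial)] = partial
    # A newer file has reused sector 7, which held the second file's tail
    # (including its EOI marker): that file is now only partly recoverable.
    image[SECTOR * 7:SECTOR * 8] = b"NEWFILE!" * (SECTOR // 8)
    return bytes(image), sha256_hex(intact)


def carve_jpegs(image, max_size=64 * 1024):
    """Scan every byte for SOI markers, ignoring filesystem structures.

    Returns a list of (offset, data, complete). complete is False when no
    EOI marker follows within max_size: the file was overwritten after the
    header, or is fragmented and its remainder lies elsewhere."""
    results = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end < 0:
            # No footer: hand back the bounded region so an analyst can inspect it.
            results.append((start, image[start:start + max_size], False))
            pos = start + len(JPEG_SOI)
        else:
            results.append((start, image[start:end + len(JPEG_EOI)], True))
            pos = end + len(JPEG_EOI)
    return results


if __name__ == "__main__":
    image, original_hash = build_image()
    for offset, data, complete in carve_jpegs(image):
        status = "intact" if complete else "truncated"
        print(f"offset {offset}: {len(data)} bytes, {status}, "
              f"matches original: {sha256_hex(data) == original_hash}")
```

The intact file carves out byte-for-byte (its SHA-256 matches the original), while the partly overwritten one is reported as truncated. Header/footer carving like this is deliberately naive: a real JPEG often embeds a thumbnail with its own SOI/EOI pair, so production carvers parse the format's structure rather than stopping at the first footer, and fragmented files need filesystem-aware or content-aware reassembly that this example does not attempt.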
What is hashing and how can I use it in forensics?
Cryptographic hashes are a family of mathematical functions that reduce an input of any length to a small, fixed-size output (the digest). A good hash is collision-resistant: it is computationally infeasible to find two different inputs with the same digest, so a digest serves as a fingerprint of a file's contents. In forensics they are used in two ways. First, for integrity: hash the media at acquisition and again after analysis; matching digests show the evidence was not altered. Second, for triage: fingerprint known good files (operating system and application files) and known bad files (malware, contraband), then compare those fingerprints against the unknown files on the evidence. Any files that match the known good set can be eliminated from further analysis. Any files that match the known bad set, well, should be noted and investigated! Matching is on content alone, so renaming a file or changing its timestamps does not hide it. One caveat: MD5 and SHA-1 collisions can be constructed deliberately, so record SHA-256 as well when a digest is to be relied on as proof that two files are identical rather than only as a lookup key. See the section on hash algorithms and hashing programs for more information.
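The triage workflow described above, as an added example that is not part of the original FAQ: every regular file under a directory is hashed in a single streaming pass and sorted into known-good (drop), known-bad (flag) or unknown (review) buckets. The hash sets and the sample files are tiny constructed ones written to a temporary directory by run_demo(); a real case would load reference hash sets from a file and point triage() at a mounted image.

```python
"""Hash-set triage of a directory tree.

Added example, not code from the original FAQ. The known-good and known-bad
sets and the sample files are constructed here; swap in real hash sets and a
mounted evidence image to use it for real.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large files do not exhaust memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for one file, computed in a single pass.

    Computing two digests at once costs one disk read and lets the report
    carry SHA-256 alongside legacy MD5-keyed hash sets."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def triage(root, known_good, known_bad, algorithm="sha256"):
    """Walk root, hash every regular file and sort it into three buckets.

    known_good and known_bad are sets of hex digests for `algorithm`. A file
    present in both sets is reported as bad: a known-bad match always wins.
    Symlinks are skipped so the walk cannot be steered outside the image."""
    buckets = {"good": [], "bad": [], "unknown": []}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = hash_file(path, (algorithm,))[algorithm]
            rel = os.path.relpath(path, root)
            if digest in known_bad:
                buckets["bad"].append(rel)
            elif digest in known_good:
                buckets["good"].append(rel)
            else:
                buckets["unknown"].append(rel)
    return buckets


def run_demo():
    """Write constructed sample files to a temp dir and triage them."""
    good_content = b"#!/bin/sh\necho hello\n"                      # a 'known OS file'
    bad_content = b"MZ\x90\x00 constructed 'malware' sample body"  # a 'known bad' file
    known_good = {hashlib.sha256(good_content).hexdigest()}
    known_bad = {hashlib.sha256(bad_content).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        samples = {
            "bin/hello.sh": good_content,
            "bin/renamed.txt": good_content,   # same bytes, different name: still known good
            "svchost.exe": bad_content,        # innocent-looking name, known-bad content
            "notes.txt": good_content + b"x",  # one byte changed: no longer in any set
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        return triage(root, known_good, known_bad)


if __name__ == "__main__":
    for bucket, names in run_demo().items():
        print(f"{bucket}: {names}")
```

Two points the demo makes concrete: the renamed copy is still recognised as known good because only content is hashed, and a one-byte change turns a known file into an unknown one, which is why hash sets cut the workload down but never replace examination of what is left.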
What can computer forensics (ok, data recovery) actually recover?
Often, forensic examination is invoked to recover: hidden files; damaged or corrupted files; deleted files; password protected files; encrypted files; email and web mail correspondence; evidence of web browsing; internet chat data;