What is the difference between data recovery, computer forensics, and electronic discovery?

All three fields deal with data, specifically digital data: electrons in the form of zeros and ones. And all three are about taking information that can be difficult to find and presenting it legibly. But even though there is overlap, the skill sets require different tools, different specializations, different work environments, and different ways of looking at things.

Data recovery generally involves things that are corrupted, be it hardware or software. When a computer crashes and won’t start back up, or when an external hard drive, flash drive, or memory card becomes unreadable, data recovery may be required. Often, a digital device that needs its data recovered will have electronic damage, physical damage, or a combination of both. If that’s the case, hardware repair will be an important part of the data recovery process. This may involve repairing the electronics in the drive or even replacing the stack of read/write heads inside the sealed portion of the disk drive.

If the hardware is intact, the file or partition structure is likely to be damaged. Some data recovery tools will try to repair the partition or file structure, while others look at the damaged file structure and try to extract the files. Partitions and directories can also be rebuilt manually with a hex editor, but given the size of modern disk drives and the amount of data they contain, this tends to be impractical.

In general, data recovery is a kind of “macro” process. The end result tends to be a large population of saved data without as much attention to individual files. Data recovery jobs are typically individual disk drives or other digital media that have corrupted hardware or software. There are no particular industry-wide accepted standards for data recovery.

Electronic discovery generally deals with hardware and software that are intact. Challenges in electronic discovery include eliminating duplicates. A search can be performed through a large volume of existing or backed-up emails and documents.

Due to the nature of computers and email, there are likely to be many identical duplicates (“dupes”) of various documents and emails. Electronic discovery tools are designed to reduce what might otherwise be an unmanageable torrent of data to a manageable size through indexing and removal of duplicates, also known as deduplication.
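The deduplication step described above, as an added example that is not part of the original article: copies of one email held by different custodians are reduced to a single fingerprint while the record of who held each copy is kept. The sample messages, the choice of headers to hash, and the function names are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict
from email import message_from_string

# Constructed sample data: (custodian, raw message). The first two are the
# same email delivered through different servers; the third is a different one.
SAMPLES = [
    ("alice", "From: bob@example.com\nTo: alice@example.com\n"
              "Subject: Q3 budget\nReceived: by mx1\n\n"
              "See attached numbers.\n"),
    ("carol", "From: bob@example.com\nTo: alice@example.com\n"
              "Subject: Q3 budget\nReceived: by mx2\n\n"
              "See attached  numbers.\r\n"),
    ("alice", "From: bob@example.com\nTo: alice@example.com\n"
              "Subject: Q3 budget\n\n"
              "See the revised numbers.\n"),
]

def fingerprint(raw):
    """SHA-256 over a canonical form of the message.

    Transport headers such as Received differ between copies, so only
    From, To, Subject and the whitespace-normalised body are hashed
    (an assumed policy; real tools let the reviewer choose the fields).
    """
    msg = message_from_string(raw)
    fields = [(msg.get(h) or "").strip().lower()
              for h in ("From", "To", "Subject")]
    body = " ".join(msg.get_payload().split())
    canonical = "\x1f".join(fields + [body])
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def deduplicate(samples):
    """Map each fingerprint to the custodians who hold a copy."""
    groups = defaultdict(list)
    for custodian, raw in samples:
        groups[fingerprint(raw)].append(custodian)
    return dict(groups)

if __name__ == "__main__":
    for digest, custodians in deduplicate(SAMPLES).items():
        print(digest[:16], custodians)
```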

Electronic discovery often deals with large amounts of data from undamaged hardware, and its procedures are governed by the Federal Rules of Civil Procedure (“FRCP”).

Computer forensics has both electronic discovery and data recovery aspects.

In computer forensics, the forensic examiner (CFE) searches for and through existing and previously existing or deleted data. When doing this type of electronic discovery, a forensic expert sometimes deals with damaged hardware, although this is relatively rare. Data recovery procedures can be put into play to get deleted files back intact. But frequently, the CFE must deal with intentional attempts to hide or destroy data, which require skills other than those found in the data recovery industry.

When it comes to email, the CFE often searches unallocated space for ambient data, that is, data that no longer exists as user-readable files. This can include searching for specific words or phrases (“keyword searches”) or email addresses in unallocated space. This can include hacking Outlook files to find deleted emails. This can include searching cache or log files, or even internet history files, for remnants of data. And of course it often includes a search through active archives for the same data.

The practices are similar when looking for specific documents to support a case or charge. Keyword searches are performed on both active or visible documents and ambient data. Keyword searches must be designed with care. In one such case, Schlinger Foundation v. Blair Smith, the author discovered more than a million keyword “hits” on two disk drives.
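A keyword search over raw bytes, as an added example that is not part of the original article: it looks for an ASCII keyword in both single-byte and UTF-16LE form and shows how a whole-word rule changes the hit count. The buffer below is constructed to stand in for unallocated space, and the function names are assumptions.

```python
import re

# Constructed stand-in for a span of unallocated space: an email header
# fragment, a UTF-16LE string as Windows applications store text, and an
# unrelated word that merely contains the keyword.
IMAGE = (
    b"\x00" * 32
    + b"Subject: Q3 Budget review\r\n"
    + b"\xff" * 16
    + "budget".encode("utf-16-le")
    + b"\xff" * 16
    + b"budgetary constraints"
)

def build_pattern(keyword, whole_word=True):
    """Compile a case-insensitive byte pattern for an ASCII keyword."""
    narrow = re.escape(keyword.encode("ascii"))
    wide = re.escape(keyword.encode("utf-16-le"))
    if whole_word:
        # Reject hits that are glued to another letter or digit.
        narrow = rb"(?<![A-Za-z0-9])" + narrow + rb"(?![A-Za-z0-9])"
        wide = rb"(?<![A-Za-z0-9]\x00)" + wide + rb"(?![A-Za-z0-9]\x00)"
    return re.compile(
        rb"(?P<narrow>" + narrow + rb")|(?P<wide>" + wide + rb")",
        re.IGNORECASE,
    )

def search(image, keyword, whole_word=True):
    """Return (byte offset, encoding) for every hit in the image."""
    hits = []
    for m in build_pattern(keyword, whole_word).finditer(image):
        encoding = "utf-16-le" if m.group("wide") else "ascii"
        hits.append((m.start(), encoding))
    return hits

if __name__ == "__main__":
    print("whole word:", search(IMAGE, "budget"))
    print("substring: ", search(IMAGE, "budget", whole_word=False))
```

Recording the byte offset of each hit lets the examiner return to the same location in the image later and explain where a fragment was found.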

Finally, the computer forensic expert is also often called upon to testify as an expert witness at deposition or in court. As a result, the CFE’s methods and procedures can be put under a microscope, and the expert called upon to explain and defend their results and actions. A CFE who is also an expert witness may have to defend what is said in court or in writings published elsewhere.

Very often, data recovery deals with a single disk drive or the data on a single system. The data recovery house will have its own standards and procedures and works on reputation, not certification. Electronic discovery frequently deals with data from a large number of systems or servers that may contain many user accounts. Electronic discovery methods are based on proven hardware and software combinations and are best planned well in advance (although a lack of advance planning is very common). Computer forensics can deal with one or more systems or devices; it can be quite fluid in the scope of lawsuits and requests made; it often deals with missing data; and it must be defensible – and defended – in court.

