[Q] What is computer forensics?
[A] Computer forensics is the process of examining data to reveal illicit activity or recover lost information. A computer forensics investigation includes the response to and evaluation of a potential computer crime in addition to gathering evidence and maintaining a chain of custody.
[Q] What is data recovery?
[A] Data recovery is the process of retrieving the data from damaged disk drives, media, computers, peripherals, operating systems or recovering lost or deleted data from media.
[Q] Can deleted files be restored?
[A] Yes, if they have not been completely overwritten. If they have been partly overwritten, the answer is maybe. Special utilities can help in this regard.
[Q] What can computer forensics/data recovery actually recover?
[A] Often, forensics are invoked to recover the following: hidden files, damaged or corrupted files, deleted files, password protected files, encrypted files, e-mail correspondence, evidence of web browsing and internet chat data.
[Q] Can I recover my data if I reformat my hard drive?
[A] In most cases we are able to fully recover data from drives which have been reformatted as well those which have had an Operating System re-installed.
[Q] How is digital evidence processed?
[A] Most digital evidence is processed utilizing the following approach:
Assessment: Computer forensic examiners assess digital evidence thoroughly with respect to the scope of the case to determine the course of action to take.
Acquisition: Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. Examination is best conducted on a copy of the original evidence. The original evidence should be acquired in a manner that protects and preserves the integrity of the evidence.
Examination: The purpose of the examination process is to extract and analyze digital evidence. Extraction refers to the recovery of data from its media. Analysis refers to the interpretation of the recovered data and putting it in a logical and useful format.
Documenting and reporting: Actions and observations should be documented throughout the forensic processing of evidence, in part to establish a chain of custody and to ensure that processes for obtaining digital evidence are defensible. This will conclude with the preparation of a written report of the findings.