When data is deleted it is not actually immediately removed from the hard drive. It is just marked as “free space” on the drive, which means the data is available to be overwritten.
(PRWEB) March 26, 2014
As CNN's Erin Burnett reported on March 19, 2014, forensic experts with the FBI are examining the homemade flight simulator that belonged to the captain of the missing Malaysia Airlines flight MH370. A key question is what the captain deleted and whether it is key to the investigation. Oftentimes, forensic investigations hinge on what is on a subject’s hard drive and, more importantly, what has been deleted from the hard drive.
Gary Huestis, Director of Digital Forensics at E-Investigations, gave a brief explanation of what happens when a file is deleted: “When data is deleted it is not actually immediately removed from the hard drive. It is just marked as ‘free space’ on the drive, which means the data is available to be overwritten.” Mr. Huestis went on to explain that “how much of the deleted data is overwritten depends on the size of the hard drive and the usage; deleted data could sit on a hard drive indefinitely or it could be overwritten immediately.”
Since forensic investigations often begin after something “suspicious” happens, the first place investigators at E-Investigations look is the deleted data on a hard drive, mobile device, iPad or tablet. Most people think that once a piece of information is deleted it is gone forever. However, with digital (computer) forensics, deleted data on most forms of digital storage, whether on a computer hard drive, a USB flash drive or a mobile device, can be restored and examined in most cases. The accurate recovery of deleted data in any case often rests on how the evidence was initially collected and preserved.
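The behaviour described above, deletion that only marks space as free and recovery that depends on disk size and later usage, can be seen in a small model. This Python code is an added example, not E-Investigations' tooling: `ToyDisk`, its 16-byte blocks, the sample file contents and the next-fit allocation policy are assumptions made for illustration, and real file systems allocate differently.

```python
BLOCK = 16  # assumed block size for the toy model


class ToyDisk:
    """Constructed model: fixed-size blocks plus a free/allocated flag per block."""

    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.free = [True] * nblocks
        self.files = {}   # file name -> list of block indices
        self.cursor = 0   # next-fit allocator: keep moving forward, wrap at the end

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        if sum(self.free) < len(chunks):
            raise OSError("disk full")
        used = []
        for chunk in chunks:
            while not self.free[self.cursor]:
                self.cursor = (self.cursor + 1) % len(self.blocks)
            self.blocks[self.cursor] = chunk.ljust(BLOCK, b"\0")
            self.free[self.cursor] = False
            used.append(self.cursor)
            self.cursor = (self.cursor + 1) % len(self.blocks)
        self.files[name] = used

    def delete(self, name):
        # Only the metadata changes: blocks are flagged free, contents stay put.
        for i in self.files.pop(name):
            self.free[i] = True

    def carve(self, marker):
        # What an examiner does in miniature: search unallocated blocks for content.
        return [i for i, is_free in enumerate(self.free)
                if is_free and marker in self.blocks[i]]


def surviving_blocks(nblocks, later_writes):
    """Delete a 2-block file, keep using the disk, report blocks still recoverable."""
    disk = ToyDisk(nblocks)
    disk.write("notes.txt", b"SECRET part one." + b"SECRET part two.")  # constructed data
    disk.delete("notes.txt")
    for n in range(later_writes):
        disk.write(f"new{n}", b"x" * BLOCK)   # ordinary activity after the deletion
    return disk.carve(b"SECRET")


if __name__ == "__main__":
    for size, writes in [(4, 0), (4, 3), (4, 4), (64, 4)]:
        print(f"{size:>2} blocks, {writes} later writes ->", surviving_blocks(size, writes))
```

On the 4-block disk the deleted content is partly gone after three later writes and fully gone after four, while the same activity on the 64-block disk leaves both blocks recoverable, which is why powering on or continuing to use a device before imaging can destroy evidence.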
E-Investigations provides the following 5 Best Practices for Digital Evidence Collection to help preserve the integrity of digital evidence, whether it is for a child custody case or a large-scale intellectual property theft case. These steps, when followed, can help to establish that best practices were used when collecting digital evidence.
- Do not touch the computer unless you are experienced in digital forensics. Thousands of files are altered simply by turning it on.
- Document the location and condition of everything before touching anything. A digital camera can help.
- Record the manufacturer, type and serial number (if possible) and place each item in a separate appropriate collection bag. Loose hard drives should be stored in a static-proof bag and wrapped in static-proof bubble wrap. If possible, mobile devices should be collected in an RF shielding bag (like Paraben’s StrongHold bag). Number each item collected.
- Record the date, time, personnel and purpose for every transfer on a Chain of Custody Form.
- Store evidence in a secured, climate-controlled location, away from other items or personnel that might alter or destroy digital evidence.
Each piece of evidence should be treated as if a case depends on it. E-Investigations' highly qualified computer forensic experts are available to help collect evidence or provide guidance on evidence collection 24 hours per day, 365 days a year.
E-Investigations has the tools and experience to perform logical, physical, file system and password extraction of data from digital devices. By incorporating the latest hardware and software technologies, E-Investigations has one of the most thorough capabilities for computer and mobile device investigations in the industry – with the ability to image thousands of computers, tablets, mobile phones, smartphones and portable GPS devices, and all major mobile OS: iOS, Android, BlackBerry, Nokia, Symbian, Windows Mobile and Palm.
E-Investigations' Computer Forensic Investigators follow the trail and decipher the information, whether the evidence is digital (electronically stored information found on computers, tablets, mobile phones or other devices) or the investigation requires traditional private investigative services. E-Investigations' tools and techniques include surveillance, undercover work and detailed record searches. The final product helps our clients gain a deeper understanding of what has happened or what is occurring. The gained clarity and discovery of truth allow our clients to quickly respond and recover.
Gary Huestis is the Director of Digital Forensics at E-Investigations. Mr. Huestis is an EnCase certified examiner and a licensed private investigator.
Call us toll-free at 877-305-4935