
Conference Paper · October 2017
DOI: 10.1109/IC3TSN.2017.8284474


Data recovery in Forensics

Shashank Tomer, Aviral Apurva, Pranshu Ranakoti, Saurav Yadav, Nihar Ranjan Roy
School of Engineering, GD Goenka University, Gurgaon, India
shanktomer96@gmail.com, aviralapurv@gmail.com, r.pranshu@gmail.com, raosaurav17@gmail.com, niharranjanroy@gmail.com

Abstract – In today's world, Cyber Security and Forensics are in great demand, and data recovery plays an important role in both. In certain scenarios the data storage devices could be destroyed or damaged by the convict, and this is where data recovery comes into play to recover data from these artifacts. This field of data recovery is known to many criminals, who always try to bypass the current recovery techniques, whereas organizations always try to discover newer and more reliable recovery techniques to tackle this situation. This paper discusses mainly data recovery in cyber forensics and the procedures of cyber forensics. We also discuss how data can be recovered in harsh conditions such as a burnt HDD, the challenges faced by experts, and the conditions under which data recovery is not possible.

Keywords – Data recovery, forensics, preserving, Operating System, etc.

I. INTRODUCTION

In today's data-driven world, everyone knows the importance of data. As an example, if someone loses his/her phone's contact list, it creates a lot of panic. As mobile phones and technology have penetrated the personal life of everyone, in case of crimes the forensic experts search for evidence on these devices too. Some expert criminals try to destroy the evidence and in some cases may throw the evidence in water, burn it or break it apart. In such scenarios it becomes very challenging for experts to recover the data and hence the evidence. With respect to Android phone forensics, the authors of [1] have discussed the tools and techniques for recovery.

In this paper, we discuss how cyber forensics comes into the picture at a crime scene and in tracing evidence; we also look at different ways to recover data from all types of damage, physical or logical, and discuss different recovery techniques.

A. What is data?

Data in technical terms can be defined as a collection of raw facts and figures which do not have a proper meaning. It can be a collection of words or numbers in a text document; it may be graphical, like an image file, an audio file, or even a software program. When the data is processed it becomes information, which has a proper meaning. For example, in a weather forecast the raw data is humidity and temperature in numbers, and when this data is used to produce a report on the weather conditions it becomes information [2]. Data can be stored in digital form in Hard Disks (magnetic type), SSDs (mechanical type) and CDs or DVDs (optical) [11].

B. Data recovery

Data recovery is the process in which corrupted, lost or damaged data is recovered or retrieved from storage devices. This method is used when the data is inaccessible by normal means, i.e. either the data inside is corrupted or completely formatted, or the storage device is damaged. The method is used on devices like SD Cards, Hard Disks (Internal and External), SSD Devices, CDs and DVDs, and any other storage device [10].

There are many firms which offer data recovery at a price of around $1 per Gigabyte, which means recovering data from a 1TB hard drive would cost $1000. If the Hard Drive is encrypted, there is an extra $100 fee if the data can be recovered.

II. COMPUTER FORENSICS

A. Computer Forensics

Computer forensics is the science of collecting, recovering and reporting on digital data in such a way that it can be legally accepted as proof. It is often practiced to stop digital fraud and to gather evidence for an investigation. It can also be practiced to recover accidentally lost data [5].

B. Disk Forensics

Disk forensics is the branch of Computer forensics in which forensic information is retrieved from storage media devices like SD Cards, Hard Disks, CDs, etc. The steps involved in Disk Forensics are:
1. Identification of the digital evidence, i.e. evidence that has forensic value.
2. Seizure of the evidence, to prevent tampering.
3. Authentication of the evidence, determining the best approach to preserve and investigate.
4. Preservation of the evidence by cloning or imaging.
5. Analysis of the clone or the image, so that there is proof of the original evidence being intact and untampered.
6. Reporting of the findings.
7. Documenting: Chain of Custody, etc.

Every step in disk forensics is described in more detail below [3].

1. Identification

Identification of storage devices at the scene of crime is the very first step in Disk Forensics. Devices like Hard Disks with IDE/SATA/SCSI interfaces, CDs and DVDs, Floppy Disks, Mobile phones, PDAs, Flashcards, USB or FireWire

978-1-5386-0627-8/17/$31.00 ©2017 IEEE
devices, etc. are some of the sources of digital evidence [3].

2. Seizure

The next step is seizing the storage media for digital evidence collection. This step is performed at the scene of crime. In this step, a hash value of the storage media to be seized is computed using an appropriate cyber forensics tool. A hash value is a unique signature generated by a mathematical hashing algorithm from the content of the storage media. After computing the hash value, the storage media is securely sealed and taken for further processing [3].

The fundamental rule of Cyber Forensics says "Never work on original evidence". To honour this rule, an exact copy of the original evidence is created for analysis and digital evidence collection. Acquisition is the process of creating this exact copy: the original storage media is write protected and a bitstream copy is made to ensure that the complete data is copied onto the destination media. Acquisition of the source media is usually done in a Cyber Forensics laboratory [3].

3. Authentication

Authentication of the evidence is carried out in the Cyber Forensics laboratory. The hash values of the source and destination media are compared to make sure that both values are the same, which ensures that the content of the destination media is an exact copy of the source media [3].

4. Preservation

Electronic evidence is easy to tamper with without leaving any sign of tampering or alteration. To avoid this, once authentication and identification are done the original evidence is placed in a secured place away from any magnetic or radiation sources. Then multiple clones or images of the evidence are created and stored on appropriate mass storage hardware; optical media is recommended due to its reliability, speed, longer lifespan and reusability [3].

5. Verification and analysis

Verification of the evidence before starting analysis is an important step in the Cyber Forensics process. It is done in the Cyber Forensics laboratory before commencing analysis. The hash value of the evidence is computed and compared with the hash value taken at the time of acquisition. If both values are the same, there is no change in the content of the evidence; if they differ, the content has changed. The result of the verification should be properly documented.

Analysis is the process of collecting digital evidence from the content of the storage media, depending upon the nature of the case being examined. It involves searching for keywords, picture analysis, timeline analysis, registry analysis, mailbox analysis, database analysis, cookies, temporary and Internet history file analysis, recovery and analysis of deleted items, data carving and analysis, format recovery and analysis, partition recovery and analysis, etc. [3].

6. Reporting

The case analysis report should be prepared based on the nature of the examination requested by the court or investigation agency. It should contain the nature of the case, details of the examination requested, details of the material objects and their hash values, the result of evidence verification, details of the analysis conducted and the digital evidence collected, the observations of the examiner and the conclusion. The report should be presented in such a way that any non-technical person is able to understand its content. This can be done by avoiding complex digital terms or jargon and using simpler language [3].

7. Documentation

Documentation is very important in every step of the Cyber Forensics process. Everything should be appropriately documented to make the case admissible in a court of law. Documentation should start from the planning of the case investigation and continue through the search of the scene of crime, seizure of material objects, chain of custody, authentication and acquisition of evidence, verification and analysis of evidence, collection of digital evidence and reporting, preservation of material objects, and up to the closing of the case [3].

III. BIGGEST RISK

One risk is always present during the process of Data Recovery, and that is the risk of permanently losing the data. However, one must understand that this is not about a damaged device: there is no risk there, as there is no chance that the data will be successfully recovered. When the data stored on the drive has become corrupted but is fully recoverable, the risk lies in determining the measures for the data recovery. So if there is a risk of data loss, it is only the result of a faulty recovery measure [5].

a. Data Recovery Measures

In the computer industry, knowledge of data recovery is a vital component. Almost every major Data Recovery company has tried to invent and use various methods of recovering every single bit of data, either to reclaim the sensitive files or to make the storage device functional again so that the data can be accessed normally.

One of these methods involves a "Cleanroom", which is used in almost every firm to protect the device from small particles during the process of manufacturing. These Cleanrooms avoid any corruption caused by particles in the air and are used during the manufacturing of Storage Media and Semiconductors, in biotech, or even in larger projects like Military equipment and aerospace engineering [6].
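The seizure, acquisition, authentication and verification steps described above, as an added example that is not from the paper: a constructed drive (`FakeDrive`, `acquire`, `seize` and the other names are assumptions for this illustration) is copied sector by sector, an unreadable sector is retried and then zero-filled and recorded rather than aborting the whole pass, and SHA-256 hashes taken at seizure and at acquisition are compared so that a zero-filled sector or any later edit to the working copy is detected.

```python
import hashlib
from dataclasses import dataclass, field

SECTOR = 512  # constructed drive geometry: bytes per sector


class UnreadableSector(IOError):
    """Raised by the constructed drive when a sector read fails."""


@dataclass
class FakeDrive:
    """Constructed stand-in for seized media. `flaky` maps a sector number to
    how many reads it still fails (a soft bad sector); `hard_bad` sectors
    never read (a physical bad sector). It offers no write path at all,
    which is the write-blocked posture acquisition requires."""
    data: bytes
    flaky: dict = field(default_factory=dict)
    hard_bad: set = field(default_factory=set)

    @property
    def sectors(self) -> int:
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read(self, n: int) -> bytes:
        if n in self.hard_bad:
            raise UnreadableSector(n)
        if self.flaky.get(n, 0) > 0:
            self.flaky[n] -= 1
            raise UnreadableSector(n)
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def seize(drive: FakeDrive) -> str:
    """Step 2: hash recorded at the scene before the media is sealed.
    Assumes the scene tool could read the media in full."""
    return sha256_hex(drive.data)


@dataclass
class Acquisition:
    image: bytes
    bad_sectors: list      # sectors that were zero-filled in the image
    image_hash: str        # hash of the image at acquisition time


def acquire(drive: FakeDrive, retries: int = 3) -> Acquisition:
    """Bitstream copy, sector by sector. A failing sector is retried, then
    zero-filled and recorded, so one error never restarts the whole pass."""
    image, bad = bytearray(), []
    for n in range(drive.sectors):
        for attempt in range(retries + 1):
            try:
                image += drive.read(n)
                break
            except UnreadableSector:
                if attempt == retries:
                    image += bytes(SECTOR)
                    bad.append(n)
    return Acquisition(bytes(image), bad, sha256_hex(bytes(image)))


def authenticate(seizure_hash: str, acq: Acquisition) -> bool:
    """Step 3: image hash against seizure hash. A zero-filled sector makes
    this fail by design; the bad-sector map then explains the mismatch."""
    return seizure_hash == acq.image_hash


def verify_before_analysis(working_copy: bytes, acq: Acquisition) -> bool:
    """Step 5: re-hash the copy that analysis will run on and compare it with
    the hash recorded at acquisition; any edit since then is detected."""
    return sha256_hex(working_copy) == acq.image_hash
```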
2017 International Conference on Computing and Communication Technologies for Smart Nation (IC3TSN)
b. Physical Damage

If the device is damaged physically, this type of condition is dealt with by replacing the damaged parts of the device. Components like the PCB are replaced according to the model to reclaim circuit functionality. However, this type of repair should be done with extreme care and with proper tools [6] [16].

c. Logical Damage

When the device is damaged logically, the physical parts are functional but the data inside the device is inaccessible by normal means. Logical damage includes corruption of data due to accidental format, virus attack (like Ransomware), memory overflow, or even a power failure leading to the system becoming unstable, crashing and losing more data. Mostly this condition is dealt with by using data recovery software, although there is no surety that the data will be recovered successfully [6].

IV. DATA RECOVERY TECHNIQUES

a. Disk Imaging

Corrupt data can be recovered with the help of particular software programs, except in cases where the disc is physically damaged. The disk imaging technique makes a bit-by-bit copy of a disk. Common steps in a data imaging process are:
- Independent access to the hard drive in terms of the OS, as defined by its IO configuration.
- Bad sectors are read instead of being skipped.
- While reading the disk, the restarting commands are overridden.
So this technique is useful because it will restore anything that is possible to read on the disk, while avoiding the commands that, on detection of an error, would restart the whole process. However, disk imaging of a physically defective drive might produce a large number of errors and instability [12].

b. Hard Drive Recovery

1. Bad sectors

The two types of bad sectors are "physical" and "logical" bad sectors, or "hard" and "soft" bad sectors.

When there are physical bad sectors in a disk, there is a small amount of data that is defective and would not respond to any read or write operation. So none of the recovery software can perform regular resets, hard resets, read algorithms or even skip sectors. Even if it is connected to a Computer, it would not be detected because of the bad sectors.

Soft bad sectors, on the other hand, are caused by software problems, like a power failure by which the disc was stopped during an R/W operation so that that particular sector became defective. Other causes can be virus attacks which cause some system errors resulting in bad sectors. Depending on the damaged condition, these bad sectors can be fixed by regular data recovery software or hardware accordingly. In Windows there is an inbuilt disk checker tool called chkdsk that can detect bad sectors and repair the soft ones. Bad sectors are common in hard disks and are usually repaired easily without data loss, but it is always recommended to take a backup of important files [8].

2. Dead PCB

When there is a dead PCB in a drive, the solutions to deal with this condition are:
- Replacing it with a brand new PCB.
- Using a donor chip and reader in order to swap the content.
- If the drive is dead, trying to make it spin might work in some cases.
If there is physical damage, the repair will include finding the donor board and swapping the content in a cleanroom environment [4].

c. Burned Hard Drive Recovery

Almost every business firm stores most of its databases, resource files, logs, statistical data and other sensitive information on Hard Drives. When there is a disaster like a fire, businesses have faced failures and gone bankrupt due to data loss. While these disasters cannot be handled by human hands, there is technology which can prevent or at least minimize their effects.

The forensics experts are very well experienced with these disasters, and recovering from burnt or fire-damaged devices is possible for them. However, when a Hard Drive is burnt there will always be some data loss which, no matter what, cannot be recovered, as the hardware might be totally destroyed in the disaster. Moreover, when there is physical damage there is a chance that it causes logical damage to the device, such as to the logical structure. The basic process of recovery includes opening up the enclosure and then cleaning the platters cautiously to prevent further platter damage because of soot or other particles. In the worst case, the hard drive components are damaged to such an extent that they have to be rebuilt completely. After the cleaning process, the platters are placed into another hard drive, which might require some tinkering with the firmware and BIOS settings because of compatibility issues, to make the drive readable.

When a drive has been burned, the best choice is to avoid any self-repair and allow experts to handle the matter, because the recovery process can be really time-consuming and requires a lot of attention. The experts have the experience to identify intact or recoverable components from the hard drive. Moreover, there are special tools for making the process less painful and time efficient, like an R/W head changer, a motor replacer, a platter exchange tool, etc. [6].

d. Solid State Drive Data Recovery

Usually, when a Solid State Drive fails, most of the issues are electronic components getting damaged, and there is nothing that we can do to prevent these components going

bad, because with time every electronic component ages and fails to function at some point. There are no signs or symptoms that an SSD shows before failing; it just stops working. However, as most Solid State Drives use flash chips or flash memory, some of their data is easier to recover, while most of the recovery process is complex and time-consuming because SSDs are a newer storage solution.

When we delete a file from a traditional hard drive, the file itself is still there but its index entry is removed. In Solid State Drives, if a file is deleted, a function called TRIM would remove the content immediately, leaving very little scope for data recovery. If the TRIM function is disabled in the OS, it is possible to recover the data much more easily [9].

e. Memory dumps

Carving is a technique to extract data from similar blocks of raw data using file signatures. Snapshots of volatile memory can be carved. Carving is generally done cluster, sector or byte based for deleted or corrupted data. Memory dump carving is regularly practiced in digital forensics; it allows investigators to access temporary, short-lived evidence like recently accessed Web pages, images, chats, etc. If the volume is encrypted via TrueCrypt, BitLocker, PGP Disk, etc., the volume can be mounted instantly by extracting the binary keys to the encrypted containers [12].

File carving is always done on a disk image rather than on the original disk. Fragmented files can be recovered using the SmartCarving technique (which works upon the syntax and semantics of JPEG).

Figure 1. Computer Memory Pyramid – Jeff Tyson [14]

V. COMPUTER MEMORY

In general, there are two categories of memory:

1. Volatile memory, in which all the data in a storage device is wiped clean after the power supply is stopped. So, to remain functional, these devices need a constant power supply. One example of Volatile memory is RAM: it stores the processes' data, and when the PC is turned off the data is cleaned and reloaded again on start-up.

2. Non-Volatile memory, in which all the data in a storage device remains intact when the power supply is stopped. One example of Non-Volatile memory is ROM, as the data stored in it will remain there when the PC is turned OFF and will still be there after startup. Other examples include Flash Storage, SD Cards, etc. [20].

To save the data stored in RAM, forensics experts use tools like:
1. DumpIT - creates a RAM dump in the location of the executable file of the software.
2. AccessData FTK - FTK or Forensics Toolkit is an All-In-One toolkit developed by AccessData to perform various forensics tasks like Imaging, MD5 calculation, disk carving scanning, etc. [13].

VI. CHALLENGES FACED BY FORENSIC EXPERTS

a. Use of anti-forensic tools

1. Anti-Forensics is the real difficulty faced by Forensic experts. Anti-Forensics is a general term for counter-forensics, usually done to hamper forensics. Programmers with the help of anti-forensic tools make it impossible for investigators to retrieve data during an investigation.
- Changing the information in a file's headers with the help of certain programs fools the computer and the expert as well.
- Programmers take advantage of Slack Space (the unused space of files). They divide files into small parts and hide them in the slack space of other files, making it very difficult for an investigator to retrieve and reassemble the hidden data.
Once the data is overwritten completely, which can be done easily using several software tools, it becomes almost impossible for an expert to recover the data.

b. Cases When Data Is Unrecoverable

There could be cases where, even without the use of anti-forensic tools, data could be in an unrecoverable position. This may arise due to [15]:
- Overwriting of the data.
- Randomizing the magnetic domains by degaussing.
- The drive being physically destroyed.

Anthony Verducci states three methods for complete file destruction:
1. Whole drive - the whole drive is deleted permanently, but it is still functional.
2. File by file - files are destroyed one by one; only the software performing the function remains intact.
3. Power tool - destroying the device by making holes in the platters, using shredders, etc., making the device completely unusable.

In a computer, the storage device has a part that is free space and a part where files have occupied space. When a file is deleted, the content of the file is kept but the file is removed from the index, marking that particular memory block as unused or free space. So, as the computer is used, there is an equal chance that it will either use the occupied data by modifying the metadata or overwrite the old deleted files in the unused space. Some culprits with a low level of expertise might just use the delete command to remove the evidence (files), which can easily be recovered during forensics. However, the expert ones use destruction techniques, replacing the whole drive's data with 0s using specialized software, making it unrecoverable. Another way to destroy files is Sanitization, in which previously deleted files are deleted permanently to get some free space, which gives it the name Sanitization, i.e. getting rid of unused files. However, sanitization techniques can also be used by attackers or culprits to destroy evidence.

VII. CONCLUSION

In this paper, we have discussed the scenarios where data recovery might be needed, along with the ways to recover data. We also discussed the ever-increasing challenges in data recovery, and the scenarios where data recovery might be impossible because of the use of anti-forensic tools as well as through other means. We have also discussed certain tools that can be useful in data recovery.

REFERENCES

[1] N. R. Roy, A. K. Khanna and L. Aneja, "Android phone forensic: Tools and techniques," in 2016 International Conference on Computing, Communication and Automation (ICCCA), Noida, 2016.
[2] M. Rouse, "What is Data," July. [Online]. Available: http://searchdatamanagement.techtarget.com/definition/data.
[3] Recover-Computer Data, "Data recovery softwares and Tools to recover Computer data," July. [Online]. Available: http://www.recover-computerdata.com/.
[4] Forensic Control, "An Introduction to computer forensics," July 2017. [Online]. Available: https://forensiccontrol.com/resources/beginners-guide-computer-forensics/.
[5] Cyber Forensics, "Cyber forensics," July. [Online]. Available: http://www.cyberforensics.in.
[6] D. Aster, "Risks of Media Damage," July. [Online]. Available: http://www.data-aster.com/riskOfMediaDamage-Q15.html.
[7] GetData, "Data Recovery Techniques," July. [Online]. Available: http://www.recovermyfiles.com/data-recovery-techniques.php.
[8] A. Shirobokov, "Disk Imaging: A Vital Step in Data Recovery," July. [Online]. Available: http://www.deepspar.com/wp.html.
[9] C. Hoffman, "Bad Sectors Explained," July. [Online]. Available: https://www.howtogeek.com/173463/bad-sectors-explained-why-hard-drives-get-bad-sectors-and-what-you-can-do-about-it/.
[10] D. Drives, "Hard Drive Circuit Board Replacement," July 2017. [Online]. Available: http://www.donordrives.com/pcb-replacement-guide.
[11] HDRC, "Hard Disk Data Recovery," July. [Online]. Available: http://www.hdrconline.com/hard-disk-data-recovery-services.php.
[12] MiniTool, "Best ways for SSD Data recovery," July. [Online]. Available: https://www.powerdatarecovery.com/hard-drive-recovery/ssd-data-recovery.html.
[13] Belkasoft, "Carving and Live RAM analysis," July. [Online]. Available: https://belkasoft.com/bec/en/Carving.asp.
[14] TheyDiffer, "Volatile vs Non-Volatile memory," July. [Online]. Available: https://theydiffer.com/difference-between-volatile-and-non-volatile-memory/.
[15] Anmol Bansal, Aastha Agrawa, Mahipal Singh Sankhla, Dr. Rajeev Kumar, "Computer Forensic Investigation on Hard Drive Data Recovery," IOSR Journal of Computer Engineering, pp. 39-40, 2017.
[16] B. P. Deshpande, "The Advanced Way Of Data Recovery," International Journal Of Computer Science And Applications, 2013.
