Are you sure that you use the best recovery tool?

I’ve been working as a digital forensics expert for 18 years. Over that time my coworkers and I have handled lots of cases. What have I seen? In almost any forensic investigation we use data recovery software. Some analysts use only forensic suites, such as X-Ways, EnCase or Belkasoft, while others use dedicated data recovery utilities, such as R-Studio or GetData Recover My Files.

Let me remind you: we are digital forensics experts. Any missed file could contain data relevant to the case. So, how do you choose the best data recovery tool? When recovering data from hard drives we usually get similar results from different tools. But when we start recovering data from non-standard devices, for example physical dumps of mobile devices, the results are quite different. To choose the best tool I used the following approach: I extracted a physical dump from a Samsung GT-I9300 and performed data recovery with three different tools. What did I get? Three sets of different files! Every set contained files relevant to the case, but none contained all the relevant files. Then I added a Windows Phone dump and a Nokia dump (a phone with its own file system).

So, that’s all I would like to say about choosing the best recovery tool. But I have one more question: imagine you have a data source with only one JPG file. How many files should the best tool recover?
Just think about it…
I think the best tool must recover at least three files:
1. The JPG file itself.
2. The file’s thumbnail from its header.
3. The image from quantization tables.
Do you know any utilities capable of recovering these three files? I don’t.
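
Item 2 in the list above, as an added example that is not part of the original post: a Python sketch that walks a JPEG's header segments, finds the Exif APP1 block and returns the thumbnail referenced by IFD1. The function names and the sample input built by `build_sample` are constructed for illustration.

```python
import struct

def _thumb_from_tiff(tiff):
    """Follow IFD0 -> IFD1 and read the thumbnail offset and length tags."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # TIFF byte-order mark
    if order is None:
        return None
    try:
        (ifd0,) = struct.unpack(order + "I", tiff[4:8])
        (n0,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
        link = ifd0 + 2 + 12 * n0          # "next IFD" pointer after IFD0 entries
        (ifd1,) = struct.unpack(order + "I", tiff[link:link + 4])
        if ifd1 == 0:
            return None                    # no IFD1, so no embedded thumbnail
        (n1,) = struct.unpack(order + "H", tiff[ifd1:ifd1 + 2])
        tags = {}
        for i in range(n1):
            entry = tiff[ifd1 + 2 + 12 * i:ifd1 + 14 + 12 * i]
            tag, _typ, _cnt, val = struct.unpack(order + "HHII", entry)
            tags[tag] = val
    except struct.error:                   # truncated or corrupt header
        return None
    # 0x0201 = JPEGInterchangeFormat, 0x0202 = JPEGInterchangeFormatLength (both LONG)
    off, size = tags.get(0x0201), tags.get(0x0202)
    if off is None or size is None or off + size > len(tiff):
        return None
    return tiff[off:off + size]

def exif_thumbnail(jpeg):
    """Walk JPEG header segments and return the Exif thumbnail bytes, or None."""
    if jpeg[:2] != b"\xff\xd8":            # must start with SOI
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            return _thumb_from_tiff(body[6:])
        pos += 2 + seg_len                 # skip to the next segment marker
    return None

def build_sample():
    """Constructed input: a JPEG header whose Exif APP1 carries a stand-in thumbnail."""
    thumb = b"\xff\xd8" + b"THUMBNAIL-DATA" + b"\xff\xd9"    # placeholder bytes
    tiff = b"II*\x00" + struct.pack("<IHI", 8, 0, 14)        # header, empty IFD0, IFD1 at 14
    tiff += struct.pack("<HHHII", 2, 0x0201, 4, 1, 44)       # 2 entries; thumbnail offset
    tiff += struct.pack("<HHIII", 0x0202, 4, 1, len(thumb), 0) + thumb
    app1 = b"Exif\x00\x00" + tiff
    jpeg = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"
    return jpeg, thumb
```

The returned bytes can be written out as a separate recovered file and hashed alongside the parent JPG.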
