How does a computer forensics company recover data?
Most of the time, forensics cases don’t involve physically damaged drives, but rather drives with deleted files or the like.
Your forensics company will make a clone of the drive, and then work on that clone for the remainder of the process; this ensures that there is no chance of losing any information from your original drive. Using a large number of programs, the company will analyze key files created by the operating system to reconstruct what a person used the computer to do. They can also undelete files in many situations if the hard drive used Windows formatting, retrieving key pieces of evidence such as emails or Microsoft Office documents. This is because files deleted in Windows aren’t actually destroyed; the operating system merely marks these files as deleted and allows them to be overwritten. Other operating systems, in contrast, may overwrite the files immediately when the user selects them for deletion. Once a file has been overwritten, it is usually irretrievable, but since most users don’t realize what needs to be done to permanently destroy a file, it is fairly common for files deleted in Windows to be retrieved unscathed.
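
The "marked as deleted" behaviour described above, as an added example that is not part of the original article. It assumes the Windows-formatted drive uses FAT (the article does not name a file system), where deletion replaces the first byte of the directory entry with 0xE5 and leaves the data in place; the toy volume, file names and contents are constructed, and each file is assumed to fit in one cluster.

```python
import struct

DELETED = 0xE5       # FAT overwrites the first name byte with this on delete
ENTRY_SIZE = 32      # size of one FAT short-name directory entry
CLUSTER_SIZE = 512   # assumption for this toy volume: one sector per cluster

def make_entry(name, ext, cluster, size):
    """Build one 32-byte FAT directory entry (constructed sample data)."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    raw += bytes([0x20]) + bytes(8)                    # attribute byte, bytes 12-19
    raw += struct.pack("<H", cluster >> 16)            # first cluster, high word
    raw += bytes(4)                                    # write time and date
    raw += struct.pack("<HI", cluster & 0xFFFF, size)  # low word, file size
    return raw

def scan_directory(directory, data_area):
    """Return (name, size, content) for every entry marked as deleted."""
    found = []
    for off in range(0, len(directory), ENTRY_SIZE):
        e = directory[off:off + ENTRY_SIZE]
        if len(e) < ENTRY_SIZE or e[0] == 0x00:        # 0x00 ends the directory
            break
        if e[0] != DELETED or e[11] == 0x0F:           # skip live / long-name entries
            continue
        name = "?" + e[1:8].decode("ascii").rstrip()   # first character is lost
        ext = e[8:11].decode("ascii").rstrip()
        hi, = struct.unpack_from("<H", e, 20)
        lo, size = struct.unpack_from("<HI", e, 26)
        start = (((hi << 16) | lo) - 2) * CLUSTER_SIZE  # data clusters start at 2
        found.append((f"{name}.{ext}", size, data_area[start:start + size]))
    return found

def build_sample():
    """Constructed toy volume: two files, the second one then 'deleted'."""
    live, gone = b"quarterly notes", b"meeting at 9am"
    data = live.ljust(CLUSTER_SIZE, b"\0") + gone.ljust(CLUSTER_SIZE, b"\0")
    directory = bytearray(make_entry("NOTES", "TXT", 2, len(live))
                          + make_entry("MEMO", "TXT", 3, len(gone))
                          + bytes(ENTRY_SIZE))
    directory[ENTRY_SIZE] = DELETED   # deletion changes only this one byte
    return bytes(directory), data

if __name__ == "__main__":
    for name, size, content in scan_directory(*build_sample()):
        print(name, size, content)
```

If the cluster has since been reused, the same scan still finds the entry but returns whatever data replaced the original content.
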
If a file is deleted and overwritten, the operating system will make a note to that effect, and a computer forensics team can find this information for your case. For this reason, even successful deletes can yield positive legal results. It is extremely hard to beat a computer forensics company at its own game.