Data Recovery and Evidence Collection SYMCA
Course: Cybersecurity and Digital Forensics, SYMCA
Introduction to Data Recovery
• Definition: the process of retrieving data that has become inaccessible, lost, or corrupted.
• Essential in investigations and for recovering business or personal data.
• Examples:
  - Accidentally deleted files (deleting a file normally removes only its directory entry; the data blocks stay on disk until they are overwritten).
  - Recovery from corrupted hard drives or SSDs after system crashes (on SSDs, TRIM may already have erased freed blocks, so recovery must start quickly).
Data Backup and Recovery
• Backup: a strategy to prevent data loss by keeping regular copies of data.
• Types: Full (everything), Incremental (changes since the last backup of any type), and Differential (changes since the last full backup).
• Recovery Process:
  - Local Backup: restoring from external drives.
  - Cloud Backup: restoring from services such as Google Drive or AWS.
• Example: recovery after a ransomware attack from cloud backups. This works only if the backup copies are offline, versioned, or immutable; ransomware that can reach a synced or mounted backup encrypts the backup as well.
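The difference between the three backup types is easiest to see on a concrete file history. The following is an added example, not code from the course: it uses a constructed three-day history of a tiny file tree (hypothetical files a.txt to d.txt), builds the incremental and differential chains, and shows what each restore needs. Deletions between days are not tracked, which is a real limitation of this naive scheme.

```python
"""Full, incremental and differential backups over a constructed file history."""
import hashlib

# Constructed snapshots of a small file tree (path -> content), one per day.
# Example data only; not taken from any real system.
SNAPSHOTS = [
    {"a.txt": "a0", "b.txt": "b0", "c.txt": "c0"},                 # day 0: full backup taken
    {"a.txt": "a1", "b.txt": "b1", "c.txt": "c0"},                 # day 1: a and b changed
    {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1", "d.txt": "d0"},  # day 2: c changed, d added
]

def fingerprint(tree):
    """Content hash per path, so 'changed' means 'bytes differ', not 'timestamp differs'."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in tree.items()}

def changed_since(current, baseline):
    """Paths whose content is new or differs from the baseline snapshot (deletions ignored)."""
    base = fingerprint(baseline)
    return {p: c for p, c in current.items()
            if base.get(p) != hashlib.sha256(c.encode()).hexdigest()}

def incremental_chain(snapshots):
    """Day 0 is a full backup; each later backup holds changes since the previous backup."""
    return [dict(snapshots[0])] + [changed_since(snapshots[i], snapshots[i - 1])
                                   for i in range(1, len(snapshots))]

def differential_chain(snapshots):
    """Day 0 is a full backup; each later backup holds changes since that full backup."""
    return [dict(snapshots[0])] + [changed_since(snapshots[i], snapshots[0])
                                   for i in range(1, len(snapshots))]

def restore_incremental(chain, day):
    """Restore needs the full backup plus every incremental up to `day`, in order.
    Losing any one incremental breaks the chain from that point on."""
    state = {}
    for part in chain[:day + 1]:
        state.update(part)
    return state

def restore_differential(chain, day):
    """Restore needs only the full backup plus the single differential for `day`."""
    state = dict(chain[0])
    if day > 0:
        state.update(chain[day])
    return state

if __name__ == "__main__":
    inc, diff = incremental_chain(SNAPSHOTS), differential_chain(SNAPSHOTS)
    print("incremental day 2 holds:", sorted(inc[2]))    # only c.txt, d.txt
    print("differential day 2 holds:", sorted(diff[2]))  # a.txt, b.txt, c.txt, d.txt
    print("both restore day 2:", restore_incremental(inc, 2) == restore_differential(diff, 2))
```

Incrementals are smaller per run but a restore depends on the whole chain; differentials grow each day but a restore needs only two pieces. That trade-off is what the 3-2-1 rule on the next slide is meant to protect.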
Role of Backup in Data Recovery
• Importance: ensures data availability after accidents or attacks.
• 3-2-1 Backup Rule:
  - Keep 3 copies of the data, on 2 different types of media, with 1 copy stored offsite.
• Example: financial institutions combining multiple backup strategies.
Data Recovery Solutions
• Software-based Solutions:
  - Recuva: for deleted files.
  - EaseUS, Stellar: for complex tasks such as damaged partitions.
  - In a forensic context, run recovery tools against a verified image of the media, never against the original.
• Physical Recovery: for mechanically damaged hard drives; requires a cleanroom.
• Example: recovery from flood-damaged servers.
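Recovery tools for deleted files rely on the fact that the file's blocks usually survive on disk after the directory entry is gone, and they find those blocks by scanning raw storage for known file signatures (file carving). The following is an added example, not the course's material or any vendor's code: it constructs a minimal valid PNG, buries it in a constructed "disk image" of random unallocated space, and carves it back out by walking the PNG chunk structure from the signature and checking each chunk's CRC so that a false signature hit is rejected.

```python
"""Signature-based file carving: recover a PNG whose directory entry was deleted."""
import random
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def make_png(width=1, height=1):
    """Build a minimal valid 8-bit grayscale PNG (constructed sample, not a real photo)."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)   # bit depth 8, colour type 0
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte + pixels per row
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

def build_disk_image(png, seed=7):
    """Constructed unallocated space: random filler with the 'deleted' PNG's blocks still present."""
    rnd = random.Random(seed)
    filler = lambda n: bytes(rnd.getrandbits(8) for _ in range(n))
    return filler(1500) + png + filler(900)

def carve_png(image, offset):
    """Walk the chunk structure from a PNG signature; return the file bytes, or None
    if the structure is broken (corrupted data or a false-positive signature hit)."""
    pos = offset + len(PNG_MAGIC)
    while pos + 8 <= len(image):
        length, = struct.unpack(">I", image[pos:pos + 4])
        tag = image[pos + 4:pos + 8]
        end = pos + 8 + length + 4
        if end > len(image):
            return None
        body = image[pos + 4:pos + 8 + length]
        crc, = struct.unpack(">I", image[pos + 8 + length:end])
        if crc != zlib.crc32(body) & 0xFFFFFFFF:
            return None
        pos = end
        if tag == b"IEND":
            return image[offset:pos]
    return None

def carve_all(image):
    """Scan the whole image for PNG signatures and return (offset, bytes) for each valid hit."""
    found, start = [], 0
    while (hit := image.find(PNG_MAGIC, start)) != -1:
        data = carve_png(image, hit)
        if data:
            found.append((hit, data))
            start = hit + len(data)
        else:
            start = hit + 1
    return found

if __name__ == "__main__":
    png = make_png()
    disk = build_disk_image(png)
    for offset, data in carve_all(disk):
        print(f"carved {len(data)}-byte PNG at offset {offset}, intact: {data == png}")
```

Structure-aware carving (following lengths and CRCs) recovers the exact file boundary; a header/footer search alone would also work for PNG but fails on formats without a fixed footer. Fragmented files, where the blocks are not contiguous, need more elaborate reassembly than this.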
Hiding and Recovering Hidden Data
• Steganography: hiding data inside carrier files such as images, audio, or video, typically in the least significant bits of samples so the carrier looks and sounds unchanged.
• Recovery: forensic tools such as Autopsy and The Sleuth Kit locate and extract carrier files from an image; steganalysis tools are then used to detect and extract the hidden payload.
• Example: law enforcement uncovering messages hidden in images.
Introduction to Digital Evidence
• Digital Evidence: any information stored or transmitted in digital form that can be used in a legal proceeding.
• Examples: emails, logs, documents, metadata, and multimedia.
Rules of Evidence
• Admissibility: evidence must be relevant, authentic, and lawfully obtained.
• Integrity: hash algorithms such as SHA-256 (and, for legacy compatibility, MD5) prove that the data has not been altered since acquisition. MD5 is collision-broken, so record SHA-256 alongside it rather than relying on MD5 alone.
• Example: hashes of email files matching the values recorded at acquisition, proving authenticity in court.
Types of Digital Evidence
• Volatile Evidence: resides in RAM, caches, and network state; lost when the system powers off, so it is collected first (order of volatility).
• Non-volatile Evidence: stored on hard drives, SSDs, and removable media; persists after shutdown.
• Example: logs from company servers used in a breach investigation.
Characteristics of Digital Evidence
• Easily modified and fragile: merely opening a file or booting a system changes timestamps and can overwrite unallocated space.
• Requires specialized tools and procedures for proper handling.
• Example: a forensic expert using a write-blocker so that examination cannot alter the source disk.
Collection Steps
• Securing the scene and identifying devices.
• Forensic Imaging: a bit-by-bit copy of the storage media, hashed at the time of acquisition.
• Example: imaging a suspect's smartphone while leaving the original device unchanged.
Collecting and Archiving
• Write-blockers prevent any write to the source media during evidence collection.
• Proper labeling, chain-of-custody records, and archiving ensure secure handling.
• Example: a forensic team collects and archives evidence from a laptop.
Evidence Handling Procedures
• Tools: EnCase and FTK for imaging and analyzing digital evidence.
• Legal Compliance: adhering to regulations such as GDPR.
• Example: using FTK Imager to acquire an image while preserving integrity, with the acquisition hashes recorded.
Challenges in Collection and Handling
• Encryption and large data volumes make it difficult to access and process evidence.
• Example: investigating encrypted emails from a suspect's laptop.
Preservation of Digital Evidence
• Hashing (SHA-256, with MD5 for compatibility) at acquisition and again before analysis shows that the evidence remains unaltered.
• Best Practices: write-blockers, secure storage, and a documented chain of custody.
• Example: hash values recalculated and compared to the acquisition record to verify integrity before presentation in court.
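The forensic imaging step from the Collection Steps slide and the hash verification described here are two halves of one procedure, so one added example covers both. This is example code, not the course's material and not how FTK Imager or EnCase are implemented: it acquires a constructed "device" file (random bytes standing in for a seized disk) into an image while hashing the source stream, confirms the image hashes match, appends an acquisition record to a hypothetical JSON-lines custody log, and later re-verifies the image. The demo then flips a single bit in the image to show that verification fails. The examiner name and case identifier are placeholders; the source is opened read-only, where in practice a hardware write-blocker enforces that physically.

```python
"""Forensic acquisition of a constructed device, hashed at acquisition and re-verified later."""
import datetime
import hashlib
import json
import os
import random
import tempfile

CHUNK = 4096

def make_source_device(path, size=20000, seed=3):
    """Constructed stand-in for a seized disk (random bytes); not real evidence."""
    rnd = random.Random(seed)
    with open(path, "wb") as f:
        f.write(bytes(rnd.getrandbits(8) for _ in range(size)))

def hash_file(path):
    """MD5 and SHA-256 in one pass; both are commonly recorded on acquisition forms."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def acquire(source, image_path, custody_log, examiner, case_id):
    """Bit-for-bit copy, hashing the source stream as it is read, then verify the written image
    against those hashes and append the record to the custody log."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        while chunk := src.read(CHUNK):
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
    source_hash = {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}
    image_hash = hash_file(image_path)
    if image_hash != source_hash:
        raise RuntimeError("acquisition hash mismatch: image is not a faithful copy")
    entry = {"case": case_id, "examiner": examiner, "action": "acquired",
             "source": source, "image": image_path, "hashes": image_hash,
             "time": datetime.datetime.now(datetime.timezone.utc).isoformat()}
    with open(custody_log, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def verify(image_path, custody_log):
    """Before analysis or court: recompute the hashes and compare to the acquisition record."""
    with open(custody_log) as log:
        recorded = [json.loads(line) for line in log if line.strip()]
    acq = next(e for e in reversed(recorded) if e["action"] == "acquired" and e["image"] == image_path)
    return hash_file(image_path) == acq["hashes"]

def demo():
    """Acquire, verify, flip one bit in the image, verify again. Returns (before, after)."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "device.raw")
    img = os.path.join(d, "device.dd")
    log = os.path.join(d, "custody.jsonl")
    make_source_device(src)
    acquire(src, img, log, examiner="J. Doe (placeholder)", case_id="CASE-0001 (placeholder)")
    before = verify(img, log)
    with open(img, "r+b") as f:          # simulate tampering or bit rot in storage
        f.seek(100)
        b = f.read(1)
        f.seek(100)
        f.write(bytes([b[0] ^ 0x01]))
    after = verify(img, log)
    return before, after

if __name__ == "__main__":
    print("verified after acquisition, verified after 1-bit change:", demo())
```

Hashing the source stream during the copy, rather than hashing the source separately afterwards, means the source is read exactly once; the second read is of the image, which is the copy that will be analysed. Any later verification that fails, as in the demo, tells the examiner the working copy can no longer be relied on and a fresh image must be taken from the preserved original.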
Conclusion
• Data recovery and evidence collection are crucial in digital forensics.
• Proper tools and handling ensure evidence is admissible in court.