Forensic Disk Analysis

Digital forensics and data recovery walk hand to hand. Developers of forensic analysis tools implement many of the same algorithms and use most of the same techniques available in the recovery tools. There are, however, certain differences in reasoning and approaches between the two categories of tools even aside of the massive price difference.

Forensic Disk Analysis

Forensic Analysis: the Requirements

Forensic application of data recovery techniques lays certain requirements upon developers. Sometimes the requirements are similar to those observed by the developers of data recovery tools. Sometimes, however, the requirements differ enough to be mentioned.

Read-only operation

In data recovery business, read-only operation is essential to preserve as much original information as possible. During a forensic investigation, ensuring that no single bit is changed on the disk being analyzed is a matter of formal procedure. Information altered during the investigation may not be admissible in the court. For this reason, investigators often use certified write blocking hardware preventing any attempt to write anything onto the disk being analyzed. This level of precaution costs money, and it’s simply not required during an ordinary data recovery job.

Virtual disk images

The use of virtual disk images (bit-precise copies of the entire content of the device) are an optional safety measure in data recovery. Most forensic specialists, however, will make a disk snapshot first, and continue investigation using that captured image. Image formats are also different between data recovery and forensic applications. Most data recovery tools will capture either compressed or uncompressed raw dump, while forensic tools follow industry standards, capturing (and analyzing) images in formats such as Ex01, DD and SMART.

Logging and reporting

During the investigation, forensic specialists have to document their every step. Forensic data recovery tools create extremely thorough reports documenting every little step. Commercial data recovery tools will normally create a brief report outlining which files were recovered, and which ones weren’t. That would not be enough for a court, so forensic tools will also list the exact location (list of physical sectors) of each file obtained with a tool in order to ensure verifiability and repeatability of the process.

Signature-search vs. file carving

Commercial data recovery tools employ a range of content-aware search algorithms implementing one or another variation of common signature search. These technologies allow extracting missing files from hard disk drives with damaged or missing file systems, unreadable, formatted and repartitioned devices. For instance, for *.docx and *.xlsx files, it’s “50 4B”. Further analysis of the file header helps calculate its length. Many forensic tools do the same. Such algorithms have their limitations.

For example, they cannot recover fragmented files (if the corresponding file system record is missing or partition table is damaged). However, certain evidence might just be too valuable to let it slip. For these files, forensic analysts may employ a semi-automatic process called ‘carving’. The carving process attempts to identify the beginning of a file (usually a JPEG or a document), and then re-assemble the file from multiple individual fragments in a process similar to matching pieces of a puzzle. The carving process can be extremely time-consuming and labor-intensive. It does not automate well, so it’s only applied on individual basis.

What is recovered?

Unlike commercial data recovery tools, forensic tools will normally recover what’s considered to be worthy as evidence. This may differ a lot from what is considered valuable to the computer user. For example, forensic investigators are interested in browsing history databases and cache files, Windows registry files, conversation and chat histories maintained by Skype, ICQ and similar applications; page files and hibernation files, as these may contain additional evidence. Pictures and videos to analyze for illegal content, and documents to analyze for sensitive information. As you can see, except for pictures and documents, investigators’ interests correlate very loosely with what an ordinary computer user considers valuable information.

Analysis and reporting

Forensic analysis is all about reporting. Thorough analysis of what’s been discovered on the disk is often a major part of a forensic package. Forensic analysis tools will keep up working well past the point a commercial data recovery tool has left off. Forensic tools will parse history databases, extract and scrutinize chats and conversations; analyze browsing history and re-create suspect’s online behavior. In fact, only a small part of a typical forensic tool is responsible for actually recovering information; the rest is dedicated to analytics. Major forensic tools such as Guidance EnCase, AccessData FTK, Belkasoft Evidence Center, Oxygen Forensic Toolkit and others deliver powerful analytics along with data recovery capabilities.

Any discovery made by the investigator must be properly reported, so the reporting module will wrap up the discoveries, producing a brief yet comprehensive text-based report. Many more features are related to some very specific analysis and reporting.


Forensic disk analysis tools make use of some of the most advanced data recovery algorithms. However, data recovery is not their specialty. An ordinary computer user will be much better served by a commercial data recovery tool, which will extract more information from the disk that’s going to be of value to the user – and not to the investigator.

Author: Michael Miroshnichenko