law enforcement method to retrieve data

By iceberg442
How do they retrieve virtually all data from a hard drive, as I have seen and heard of many times in the media, to investigate crime, etc.? Does it require special hardware or software?

by setantapc In reply to law enforcement method to ...

Are you talking about after a drive has been "wiped" by the bad guys?

If a drive overwrite application hasn't been used, then the OS just puts a marker at the start of the file saying "This is now Junk". Any drive salvage application can then find this file and figure out what the missing bit should be and "rebuild it" as long as the drive hasn't had scandisk run on it.

This is actually a little simpler than it sounds but you get the idea...
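The deletion marker described in the reply above, shown on a directory entry as an added example (not part of the original thread). It assumes a FAT filesystem, where a plain delete replaces the first byte of the file name with 0xE5; the directory bytes and file names are constructed sample data.

```python
import struct

ENTRY = struct.Struct("<8s3sB8xHHHHI")  # 32-byte FAT short directory entry
DELETED = 0xE5     # first name byte is overwritten with this on delete
END_OF_DIR = 0x00  # first byte 0x00: no further entries in this directory
ATTR_LFN = 0x0F    # long-file-name fragment, not a file of its own


def make_entry(name, ext, cluster, size, deleted=False):
    """Build one constructed directory entry (sample data, not from a real disk)."""
    raw = bytearray(ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                               0x20, cluster >> 16, 0, 0, cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED  # the only change a plain delete makes to the entry
    return bytes(raw)


def scan_directory(buf):
    """Return every short entry, flagging deleted ones that are still readable."""
    found = []
    for off in range(0, len(buf) - ENTRY.size + 1, ENTRY.size):
        raw = buf[off:off + ENTRY.size]
        if raw[0] == END_OF_DIR:
            break
        name, ext, attr, hi, _time, _date, lo, size = ENTRY.unpack(raw)
        if attr & 0x3F == ATTR_LFN:
            continue
        deleted = raw[0] == DELETED
        # The first character is lost; everything else in the entry survives.
        stem = ("?" + name[1:].decode("ascii", "replace")) if deleted \
            else name.decode("ascii", "replace")
        found.append({
            "name": stem.rstrip() + "." + ext.decode("ascii", "replace").rstrip(),
            "deleted": deleted,
            "first_cluster": (hi << 16) | lo,  # where the file's data started
            "size": size,                      # how many bytes to read back
        })
    return found


# Constructed directory: one live file, one deleted file, then the end marker.
SAMPLE_DIR = (make_entry("REPORT", "DOC", 5, 2048)
              + make_entry("SECRET", "TXT", 9, 1234, deleted=True)
              + bytes(32))

if __name__ == "__main__":
    for entry in scan_directory(SAMPLE_DIR):
        print(entry)
```

The deleted entry still carries its starting cluster and size, which is what a recovery tool reads back; that only works while those clusters have not been overwritten.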

by BFilmFan In reply to law enforcement method to ...
by JEPott In reply to law enforcement method to ...

It's actually easier than you think... Both answers above give good info on this. The only way to truly wipe the data from your drive is to totally destroy it. Of course, if you are not doing anything wrong then you will not have to worry about this...

by TheChas In reply to law enforcement method to ...

Most of the time, they confiscate the computer and the files are intact.

They just need to get past any user or folder passwords and then look through the drive.

There are many places where Windows stores information on how you are using your PC.

If the user has wiped the drive, or is using a strong data encryption method, the task is tougher, but not impossible.


by HAL 9000 Moderator In reply to law enforcement method to ...

Well, as everyone has offered some very good advice here, I'll just add in the bit about a dead or wiped drive. These are dismantled and the platters coated with a jelly-like substance, allowed to dry, and then placed in a special machine where it is possible to read every layer of data that has ever been stored on the HDD. This is horrendously expensive to do and is only done by Government agencies, so it really is not something that you need to worry about.

If you are looking for the real Legal recovery for Police or other action, this is always done by a department authorised by the police, who by this time have seized the hardware and then pass it on to their computer crimes division to preserve the "Chain of Evidence" so that there is no chance of the evidence recovered not being able to be used in any Court Action that may arise. If someone attempts to recover data and then pass it on to the Police or whoever, there is no "Chain of Evidence", so you are actually not helping them one little bit, but actually you may find yourself in the position of being charged with an offence of interfering with a Police enquiry or something similar. About all the Police or whoever could do with any data that you recovered would be to then start an investigation of the person/s who you feel are responsible for doing something wrong.


by wlbowers In reply to law enforcement method to ...

There is hardware and software that can retrieve information from media that would scare you.

The hardware is called an extractor. They remove the disks from the drive and install them on it.

The machine will read one track for hours to recover one byte of data.

For drives that aren't almost destroyed, and have just been erased, there is software that will read whatever data is on a track and allow the operator to view it in their format of choice.

They have equipment that can actually read ghost images from memory.

It requires deep pockets and lots of time.


