
written by S.E. Fowler, MicroCom Digital Discovery
An Uncertain Process for the Uninitiated Examiner!
In every case, pursuing electronic discovery within a forensically sound process is driven by best-practice convention and by the particulars of the case at hand; when the source is a nonfunctional drive, it is equally driven by the condition of the data that remains on it. At the start of the process that condition cannot yet be known. Initiatives to protect the evidence must be held of first importance, and extraction of information must always remain subservient to that first mandate.
Diagnosis
The first step requires the drive to be serviced in a Class-100 cleanroom (ISO Class 5 under ISO 14644-1) in a properly equipped laboratory. This permits the drive seal to be breached safely so that an expert can assess the condition of the drive's enclosed data storage media (the recording surfaces of the disk platters), and in particular their ability to retain magnetic impressions. Damage to the platter media is a common cause, and a common result, of drive failure, and any preexisting damage has already directly affected the physical condition of the data stored on the drive. A diagnostic evaluation must therefore be performed to characterize this potential or actual damage.
In essence, servicing a hard disk drive in the cleanroom requires disassembling a high-precision electromechanical device. Such action should never be undertaken by anyone except a technician or engineer with extensive training, and preferably years of experience, in the distinct and narrowly defined field of hard drive technology. The knowledge referred to here has nothing to do with software data recovery tools, forensic technique, or even computer science. The hard disk drive is a hardware device, and the person in the cleanroom must know, in detail, how it works and how it is designed and built.
The diagnostic evaluation may be thought of as a damage report. It should address the detectability of the magnetic impressions recorded on the drive's media, give a prognosis for the state of the data and file system if extraction were undertaken, and, of ultimate importance, assess the recoverability of the data. Because these questions cannot always be resolved by diagnostic evaluation alone, the experience of the examiner chosen is of serious consequence.
Data Extraction
Assuming it is possible at all, the second step in imaging a failed drive is the actual extraction of data from the platters inside the device. It is important in legal terms to recognize that the process of extraction may worsen an already damaged condition of the drive's media, and consequently of the data recorded on it. Even though a given piece of data is successfully extracted once, some portion of the original source can be impaired or physically degraded by the extraction process itself, precluding a fully successful or identical extraction at a later time. In other words, data extraction from a damaged recording medium may not be repeatable. It is worth noting that some forensic experts in the field do not understand this rather esoteric aspect of hard disk drive operation, but it is nevertheless an objective fact, and it is briefly acknowledged in the EnCase® User Manual by Guidance Software*. Once extraction is complete, the first image produced during this stage may be the only reliable, and potentially the most complete, copy of the evidence. For this reason the hash of that first image, computed at the moment of acquisition and recorded together with the list of sectors that could not be read, is the reference against which every later copy is verified.
Given the possibility of unrepeatable extraction, we are necessarily talking about the potential for changes to the original evidence. This is another important point, since any change can, of course, open a door to legal challenge of the evidence. Nonetheless, using the best conventional technology, it is inherent in the data extraction process that freedom from alteration cannot be certified. Alterations, if they occur, are unlikely to change the meaning of the information; the risk is the permanent loss of usually very small amounts of it. The one caveat is that meaning could conceivably change through missing letters or words. A competent forensic examiner, given a properly functioning hard disk drive, can prove that no alteration occurred in producing a forensic image, because the hash of the image can be matched against a hash of the source; after a hard drive has failed, that proof cannot truthfully be assured and must be given up. If a challenge is made on this ground, the examiner's competence in physical hard drive operation, together with practical experience of this extraction phenomenon, will likely be the most important factor in any adjudication of the validity of the evidence found.
Because sound forensic practice recognizes that any discovery activity on a hard drive may change the evidence under investigation, the extracted image copy must be certifiably protected from any alteration of its contents: hashed at acquisition, write-protected, and worked on only through copies verified against that hash. Proper implementation of the imaging process therefore requires intimate knowledge of hardware data storage technologies, an expert understanding of how such devices record data structures, and practised familiarity with the special demands of any forensic case in which the suspect hard disk has become nonfunctional.
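The two practical consequences of the extraction and protection discussion above, that the first image of a failing drive is the master copy and that a second pass may not reproduce it, can be shown concretely. The following is an added example written for this page; it is not code from the article or from MicroCom Digital Discovery. The `DegradingDrive` class, the 16-sector sample disk and the weak-sector table are all constructed assumptions that stand in for a real failing device, and `acquire`, `verify_copy` and `differing_sectors` are illustrative names, not the API of any forensic tool. The example images the drive sector by sector without aborting on read errors, zero-fills and logs unreadable sectors, hashes the image at acquisition, verifies later copies against that hash, and compares a second acquisition to the first to show which sectors the repeat pass lost.

```python
import hashlib
from dataclasses import dataclass

SECTOR = 512  # bytes per logical sector


class DegradingDrive:
    """Constructed stand-in for a failing drive (an assumption, not a real device).

    `weak` maps sector number -> how many more successful reads that sector can
    survive; every read of a weak sector consumes one, and at zero the sector is
    unrecoverable. This models the point that extraction itself can destroy
    marginal areas of the media.
    """

    def __init__(self, contents: bytes, weak: dict):
        if len(contents) % SECTOR:
            raise ValueError("contents must be a whole number of sectors")
        self._contents = contents
        self._weak = dict(weak)

    @property
    def sector_count(self) -> int:
        return len(self._contents) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self._weak:
            if self._weak[n] <= 0:
                raise IOError(f"sector {n}: unrecoverable read error")
            self._weak[n] -= 1  # the read attempt wears the sector further
        return self._contents[n * SECTOR:(n + 1) * SECTOR]


@dataclass
class Image:
    data: bytes
    bad_sectors: list  # sectors that could not be read; zero-filled in data
    sha256: str        # hash taken at acquisition: the reference for all later copies


def acquire(drive: DegradingDrive, retries: int = 0) -> Image:
    """Sector-by-sector acquisition that never aborts on a read error.

    Unreadable sectors are zero-filled and logged, the approach taken by tools
    such as ddrescue and EnCase; the hash is computed immediately over the image
    exactly as written, so it covers the zero-filled sectors as well.
    """
    out = bytearray()
    bad = []
    for n in range(drive.sector_count):
        chunk = None
        for _ in range(retries + 1):  # each retry is another wearing read
            try:
                chunk = drive.read_sector(n)
                break
            except IOError:
                pass
        if chunk is None:
            bad.append(n)
            chunk = bytes(SECTOR)
        out += chunk
    return Image(bytes(out), bad, hashlib.sha256(out).hexdigest())


def verify_copy(reference: Image, copy: bytes) -> bool:
    """A working copy is trustworthy only if it hashes to the acquisition hash."""
    return hashlib.sha256(copy).hexdigest() == reference.sha256


def differing_sectors(a: Image, b: Image) -> list:
    """Sector numbers whose content differs between two acquisitions of one drive."""
    n = min(len(a.data), len(b.data)) // SECTOR
    return [i for i in range(n)
            if a.data[i * SECTOR:(i + 1) * SECTOR] != b.data[i * SECTOR:(i + 1) * SECTOR]]


# Constructed 16-sector disk: sector i holds 512 copies of the byte 'A' + i.
SAMPLE_DISK = b"".join(bytes([0x41 + i]) * SECTOR for i in range(16))
# Constructed damage: sector 3 survives one more read, sector 7 is already dead,
# sector 12 survives two more reads.
SAMPLE_WEAK = {3: 1, 7: 0, 12: 2}


def demo():
    """Image the constructed drive twice; the repeat pass loses sector 3."""
    drive = DegradingDrive(SAMPLE_DISK, SAMPLE_WEAK)
    first = acquire(drive)   # the only full-value acquisition
    second = acquire(drive)  # repeating the process destroys sector 3
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first pass  bad sectors:", first.bad_sectors, "sha256:", first.sha256)
    print("second pass bad sectors:", second.bad_sectors, "sha256:", second.sha256)
    print("sectors that differ:", differing_sectors(first, second))
    print("second image verifies against first hash?", verify_copy(first, second.data))
```

On a healthy drive the examiner hashes the source and the image and shows they match; on a failed drive the source hash can never be re-derived, which is exactly the point made above, so the acquisition hash together with the bad-sector log becomes the record that later copies, and any later re-imaging attempt, are measured against. Note that retries are not free in this model: each attempt on a marginal sector consumes wear, so a retry policy is a decision about how much of the remaining media to spend on one sector.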
* EnCase User Manual, rev. 3.18, p. 228.
v. 2
© Copyright 2007, MicroCom Digital Discovery. All rights reserved. 07145