Whilst there are no hard and fast rules pertaining to forensic data recovery, the Association of Chief Police Officers publish guidelines for handling electronic evidence. Similarly the Civil Procedure Rules Part 35 are also clear on how evidence should be managed. One crucial and overriding principle is that evidence is not altered. This is so that a second opinion can be sought if required. To do this it is essential that whenever accessing the digital media a write-blocker is used so ensure the integrity of the data is maintained. In maintaining ‘media integrity’, access must also be limited and a full audit trail of who has taken what actions, including handovers, is kept. When it comes to software, there are many utilities which are ‘forensically approved’. Whilst it is not essential that these are religiously used, there must be good reason to deviate from approved utilities.
In addition to recovered data, a forensic report is normally also required. This will detail the people, process and safeguards that were instrumental in the compilation of the recovery. The report is also likely to provide professional opinion to questions posed by legal teams. Opinions based on the ‘burden of proof’ are critical to the outcome of any claim. Rarely are the findings definitive and more often than not, further questions arise from the initial investigation.