Chapter 10. Data Forensics

In This Chapter

  • Storage hardware

  • File system basics

  • Data hiding places

  • Data extractions

  • Rebuilding data

The recovery of data has taken place since computer users first uttered those immortal words: "Uh-oh." You use the same concepts and techniques that everyone uses to recover deleted files and reconstruct damaged files. The same basic functions are used by forensic investigators — except that you benefit from hashing and write blockers.

To extract data from computers, you must thoroughly understand the basic principles of how and where data can be stored in a computer. The forensic science of using the proper procedure to extract data applies after you know where the data may reside. To put it simply, you may have a hard time forensically extracting data if you don't know where it is!

This process may sound like plain common sense and seem easy to do, but remember that quite a number of operating systems now exist, as well as specialized hardware, with their own way of handling data. The mobile computing industry is on the extreme end, and the regular computer world is somewhere in the middle with only a dozen or so different operating systems. The good news for you is that if you understand the basic concepts of the most popular operating systems, most variants don't stray far from their original design. As a bonus, the majority of operating systems now in use are based on three popular products that cover more than 90 percent of the work in the computer forensic ...
