Not Just a Byproduct, But Often Overlooked
A lot of what we do in digital forensics goes beyond simply investigating a computer or device. Sure, most of the time these services are just part of solving a bigger case or helping our litigation partners. But sometimes clients come to us wanting just a piece of what we typically do, sort of a forensic à la carte.
Three of these lesser-known (but incredibly valuable) services are:
- Data Recovery
- Data Destruction
- Data Authentication
If your business involves data (and whose doesn’t?), chances are one or more of these will come into play at some point. So let’s dig into each.
Data Recovery
It’s More Than Just “Oops, I Deleted It”
Of course, we recover accidentally deleted files. But that’s just the tip of the iceberg.
If there’s potentially useful data anywhere on a device, we’ll pull out all the stops to get it, even if it’s deleted, partially overwritten, or never intentionally “saved.” Why? Because there’s almost always something usable:
- a fragment of a document,
- metadata that proves when and by whom it was accessed,
- or remnants that help reconstruct a bigger story.
These details can break a case wide open, whether it’s showing a disgruntled employee’s secret business plan or recovering an “anonymous” email that turns out not to be so anonymous.
Real-world example:
We once had a case involving old 4mm DDS-2 backup tapes found hidden in the drop ceiling of an executive’s office. The systems that originally created those tapes no longer existed. We first sent them out to two separate data recovery companies. Both gave up.
So we brought the tapes back in-house, built a custom system ourselves, and retrieved the data. What did we find? Password-protected Word documents spelling out exactly how the subject planned to siphon company funds into out-of-town accounts under a mistress’s name. In other words, we found what everyone else missed because we treated it like an investigation, not just routine recovery.
And yes, we also handle oddball legacy media like Travan tapes, DDS/DAT, Jaz drives, and obscure OnStream backups. (You're forgiven if you don’t remember what those are; most people don’t.)
Data Destruction
Cleaning Up the Right Way
Data destruction is often a natural follow-up in our work. Usually it comes up in cases where we’ve found data on an ex-employee’s device that shouldn’t be there. Part of the settlement or agreement might be a permanent deletion of those files.
The most thorough approach?
- Delete the files
- Then wipe over that space with new data so it can’t be recovered
Sometimes the data is so deeply woven into the system that it’s more cost-effective to wipe the entire drive and restore the machine to a factory state. Less work for us (and fewer billable hours), but a happier client in the long run.
We also wipe over our own evidence drives, extracted files, and case indexes when a matter is complete. Neither our clients nor opposing parties want that data sitting around once it’s no longer needed.
Data Authentication
Proving (or Disproving) Where Data Came From
This is another under-the-radar service we provide, but one that can be absolutely critical in disputes.
What does it look like?
- Confirming a file or email actually came from a specific machine, account, or individual
- Tracing it back through IP logs, system artifacts, or metadata
We’ve done this in harassment investigations where we proved messages originated from a certain location, or showed that files were sent from a specific employee’s machine.
Sometimes we do the reverse: proving something didn’t come from our client.
- One case involved a photoshopped image wrongly attributed to our client.
- Another centered on a “digitally signed” document that was supposedly created on their computer.
In both, we demonstrated, through missing artifacts and mismatched metadata, that the alleged actions couldn’t have happened on those systems. Think of it like a staged crime scene missing crucial traces of activity.
Bonus: Password Cracking
When It’s Yours, But You Can’t Get In
Every so often we’re called in to crack or bypass passwords on files someone rightfully owns. Sure, there are plenty of cheap or free programs online that claim to do this. But most of them come up short, especially if the password is complex.
We have a far wider arsenal of tools, plus distributed computing (think multiple machines working together) to speed up brute-force attacks. What might take a desktop 3 years could take us hours or even minutes. (If you’ve ever watched a password cracker crawl through combinations at a snail’s pace, you’ll appreciate that difference.)
In Short…
Data recovery, data destruction, and data authentication are services we routinely perform as part of larger investigations. But they’re also critical stand-alone tools when the situation calls for it. Whether you’re tracking down lost data, need to prove ownership (or disprove it), or want to ensure sensitive files are truly gone for good, we’re here to help.
If you ever find yourself wondering what’s possible, just ask. We’re always happy to walk you through the realistic options, with the same straightforward honesty we’d want if the roles were reversed.
About Swailes Computer Forensics
Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action.
If you’re facing a potential case of employee data theft or have concerns about unauthorized activity, contact us for a confidential consultation.