Home Deep Knowledge of Evidence Recovery

Deep Knowledge of Evidence Recovery

About Evidence Recovery & Its Four Major Stages

Digital evidence is basically an information or data of value for an investigation, which can be stored, received or transmitted through an electronic device. The important thing that an investigator needs to do is, recognize and seize important digital evidence properly. As nowadays, the cybercrimes are increasing day by day so, it is important to have knowledge of digital forensic tool. However, the most common targets of digital forensic are instant messengers, email, file exchange software, social networking sites, online games, etc. Now, to resolves all such crimes a there is a need to have a deep knowledge of evidence recovery.

All types of digital evidence are acquired, as electronic devices are seized and secured for analysis because digital evidence are:

  • Hidden form such as DNA or fingerprints
  • Can easily change, tampered, damaged or destroyed easily
  • They may be time sensitive

Here, we have divided all sources of digital evidence in two major categories i.e. mobile devices and stand-alone computers or devices. There are different evidence-gathering process, tools and concerns, and different types of crimes corresponding to these areas to add themselves to one device or the other.

Two Major Categories of Evidence Recovery

Standalone Computer Systems:

As everybody knows,computer crimes are growing day by day and becomes a major problem in both the public and the private sector. However, a single computer system always contains evidence of cybercrimes carried out on the web. It can also be possible that criminal use is stored in the computer itself like extortion, copyright infringement, pornography, counterfeiting, etc. Digital evidence is located on the computer’s hard drive and peripheral equipment, including removable media such as thumb drives and CD-ROM discs. That’s why digital forensic is important in this field.

Mobile devices:

There is various type of mobile devices are available such as using radio transmission, cell phones. Wireless technology can easily be expanded, which includes mobile devices, for example, tablet, smartphones and hand-held video games. Nowadays, mobile phones are easily used to take images and movies, send and receive instant messages, to use a web browser and much more. Therefore, it is also one of the leading categories of cybercrimes, which is growing day by day. Hence, can be used as an important evidence from the digital forensic point of view.

Four Different Levels to Perform Evidence Recovery

In order to have deep knowledge of evidence recovery, a user needs to understand the four major stages of evidence recovery discussed below:

  • Evidence Identification

The first or initial step of evidence recovery is identifying the evidence. Here, an investigator go to the crime site and tries to identify the all possible evidence related to crime such as laptop, hard disk, LED, pen drive, mobile phones, etc. In this, they also maintain the list of all the evidence that was collected from the crime site. A detailed description of each evidence is also maintained along with the date and time at which evidence is collected. collection.

  • Data Collection

The second major steps of evidence recovery is the acquisition of digital evidence. It begins when data, information and/or physical items are collected in previous steps for examination point of view. Here, all the evidence are examined in isolation first to prevent unauthorized access to prevent any changes in evidence. Here, an image or copy of each digital evidence is created with the help of Guidance Tableau. After finishing imaging process, all the evidence are again stored back at secure place. All type of further examination is performed by the investigators is on that particular copy of evidence rather on original evidence.

  • Examination or Investigation

At this point of time, an investigators or analyst is selected to properly examine the evidence. There are some tools like EnCase Forensic Tool, FTK, MX, etc., available that are used to properly examine the evidence or for digital forensic in mobile devices and standalone computers fields. The analyst at this point can examined each and every evidence very carefully and identify if there are any hidden areas, permanently deleted files or partially deleted files.

  • Reporting

After completing all the steps mentioned above, investigator and forensic are responsible for creating complete and precise documentation of all the analysis done by them. Moreover, they conclude the document also and present as a complete report of investigation.

Different Types of Digital Evidence

There are different types of digital evidence, which are important and need to be covered from forensic point of view.

  • Address books and contact lists
  • Databases
  • Backups to various programs
  • Browser history
  • Audio files and voice recordings
  • Calendars
  • Compressed archives (ZIP, RAR, etc.)
  • Temporary files
  • Documents
  • Email messages, attachments
  • Log files
  • Hidden and system files
  • Events
  • Page files, printer spooler files
  • Pictures, images, digital photos
  • Videos


Cybercrimes are increasing rapidly day by day, which can be resolved by Cyber Security & digital forensic only. Now, to overcome all aspects of cybercrimes there is need to understand the type of digital evidence and how examination is done. Therefore, it becomes the necessity of investigator to have a deep knowledge of evidence recovery. What all are the stages included in evidence recovery.