How the FBI Recovers Evidence From Computer Hard Drive


Remember how on last week’s CSI the investigators decrypted the suspect’s hard drive and caught him red-handed? That was computer forensics, even though it was a little different from reality. In reality, how the FBI recovers evidence from a computer hard drive or other electronic data storage system is both simpler and more complex. This article explains basic computer forensics techniques and how they’re used by law enforcement agencies like the FBI.


How Does Computer Forensics Differ From Other Forensics?

Computer forensics is a branch of forensics: the use of investigative and analytical techniques to find digital evidence of criminal wrongdoing. It differs from other forensic disciplines, such as DNA analysis or crime scene evidence gathering, in that it’s focused on narrowing the amount of data to examine. At a crime scene, investigators are taught to collect every scrap of potential evidence. When dealing with a hard drive, computer forensics experts are taught techniques to filter the vast quantities of data the average hard drive holds.

How the FBI Recovers Evidence From Computer Hard Drive Storage

How the FBI recovers evidence from computer hard drive storage is usually simpler than one might think. The FBI keeps mum about these sorts of statistics, but agents have come forward to point out that most criminals aren’t bright enough to hide their computer activities at all. Hard drives are most commonly unprotected; those with passwords often have easy-to-guess passwords; encryption is rarely used; and erased files and reformatted drives still contain the evidence, merely hidden and easily recovered.

As a newer discipline in evidence collection, its procedures aren’t yet entirely standardized. However, computer forensics experts at the FBI’s Regional Computer Forensics Laboratories (RCFLs) use a four-step process: identify, collect, preserve, and analyze data from computer hard drives. Before anything else is done, the hard drive is imaged, that is, copied in its entirety at the sector level, and the copy is what is worked on. The FBI then narrows down which data may represent evidence and goes about recovering it, using data recovery tools where necessary. For instance, in nearly all types of criminal investigation the FBI recommends analyzing Internet activity logs, but IRC chat logs are recommended only in computer hacking investigations.
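As an added illustration of the image-first approach described above (example code written for this page, not an FBI or RCFL tool), the Python below copies a constructed sample drive sector by sector, verifies the copy against the original by hash, and then shows that a file whose directory entry was cleared is still present in the image. The 512-byte sector size and the toy directory layout are assumptions.

```python
import hashlib
import io

SECTOR_SIZE = 512  # assumption: classic 512-byte sectors

def build_sample_drive() -> bytes:
    """Constructed 8-sector 'drive' (not real evidence): a file in sectors 2-3 is
    'deleted' the way most filesystems do it, by clearing only its directory
    entry in sector 0 and leaving the data sectors untouched."""
    sectors = [b"\x00" * SECTOR_SIZE for _ in range(8)]
    sectors[0] = b"DIR: report.txt -> sectors 2-3".ljust(SECTOR_SIZE, b"\x00")
    sectors[2] = b"CONFIDENTIAL REPORT part 1".ljust(SECTOR_SIZE, b"\x00")
    sectors[3] = b"REPORT part 2 END".ljust(SECTOR_SIZE, b"\x00")
    sectors[0] = b"\x00" * SECTOR_SIZE  # the 'delete': entry gone, data stays
    return b"".join(sectors)

def image_drive(src, dst, sector_size=SECTOR_SIZE):
    """Copy src to dst one sector at a time, hashing the source as it is read.
    Returns (source_sha256, image_sha256, sectors_copied); equal hashes show the
    image is a faithful duplicate, so analysis can proceed on the copy."""
    h_src = hashlib.sha256()
    copied = 0
    while True:
        sector = src.read(sector_size)
        if not sector:
            break
        if len(sector) != sector_size:
            raise ValueError("short read: source is not a whole number of sectors")
        h_src.update(sector)
        dst.write(sector)
        copied += 1
    dst.seek(0)
    return h_src.hexdigest(), hashlib.sha256(dst.read()).hexdigest(), copied

def locate_in_image(image: bytes, needle: bytes) -> int:
    """Sector index where needle first appears in the image, or -1 if absent."""
    pos = image.find(needle)
    return pos // SECTOR_SIZE if pos >= 0 else -1

def demo() -> dict:
    """Image the sample drive, verify it, and find the 'deleted' file's data."""
    drive = build_sample_drive()
    img = io.BytesIO()
    src_hash, img_hash, n = image_drive(io.BytesIO(drive), img)
    return {"verified": src_hash == img_hash, "sectors": n,
            "dir_listing_empty": drive[:SECTOR_SIZE] == b"\x00" * SECTOR_SIZE,
            "deleted_file_sector": locate_in_image(img.getvalue(), b"CONFIDENTIAL")}
```

Running `demo()` reports a verified 8-sector image whose directory sector is blank while the report text is still found in sector 2, which is the "hidden, yet easily recovered" case the article describes.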

The Need to Recover Evidence With Computer Forensics Continues to Grow

As hard drives grow bigger each year, so too does the amount of data analyzed by the FBI and its RCFLs. In 2008, RCFLs examined over 1,700 terabytes of data, including evidence on 17,500 hard drives. Law enforcement has several software tools available to make computer forensics easier, many of them open source, which helps in analyzing the ever-increasing quantities of data.

While computer forensics is a young science, it has quickly proven its mettle, being pivotal in solving serial homicides, domestic terrorism cases, kidnappings, identity theft, and more. By using basic computer forensics techniques, which is how the FBI recovers evidence from computer hard drives and other electronic data storage systems, law enforcement adds another tool to its investigative arsenal.