One of the Best data recovery in Durham


Digital forensics and investigation emphasize the collection and recovery of digital media as evidence through the use of digital forensic tools. With the proliferation of digital devices, the way crime is conducted around the world has changed.

Digital forensics and investigation arise out of the need for a response mechanism to the increased number of computer- and network-based crimes committed annually.

Framework for digital forensic analysis and investigation 

The main objective of digital forensic analysis and investigation is to obtain sufficient, appropriate evidence that can support an argument in a court of law or similar justice system. Digital forensic investigations consist of three steps:

· Acquisitions or Imaging, 

· Analysis, and 

· Reporting or Documentation 

Acquisitions or Imaging 

This involves saving the state of digital devices for subsequent analysis. 

Both the allocated and unallocated areas of a memory device, for example a hard disk, are copied and labelled as the image for an investigation.

Forensic tools are used at this phase to copy all information from the suspect device onto a trusted device.

Care should be taken at this phase to ensure that data on the suspect digital device is modified as little as possible and that all data is copied from the suspect device.


Analysis

At this phase, evidence is identified using different methodologies.

Efforts are made to recover deleted files and extract registry information, for example to list user accounts or attached memory sticks. Attempts are also made to relate the evidence to the incident at this phase.

Mainly, you are looking at three major categories of evidence:

· Inculpatory evidence to support the theory you have developed, 

· Exculpatory evidence to contradict the theory you have developed, and 

· Evidence of tampering that will show that the system has been interfered with to avoid identification. This could involve examining file or directory contents and recovering deleted contents.


Reporting or Documentation

After evidence collection, you analyze the data to reconstruct suspect actions and reach conclusions. Once an investigation is completed, it falls to the investigator to present the data or information; normally, this is done in the form of a written report.

Digital evidence in Forensic analysis and investigation 

Probative information or data stored in digital form is used at trial in a court case or judicial process. Evidence can play a key role in a wide range of crimes, including distributed denial of service and child pornography stored in digital devices.

When handling evidence, you should make use of tools that prevent data modification, because digital data is susceptible to modification, duplication, restoration and/or destruction.

Digital evidence should address, at the very least, the following aspects of communication:

· Who did it?

· What was done?

· When was it done?

· How was it done?

Forensic tools 

You will use forensic tools to determine the security flaws in the digital system and use this against the person who used them. All digital evidence is analyzed to determine what data is stored. The main aims of forensic tools are listed below:

· File recovery based on file headers and footers 

· Key word searches 

· Recovering internet history 

· Ascertaining date or time stamp details 

· Creating forensic quality media 

· Locating deleted and/or old partitions 

Digital Devices Analysis 

Digital forensics can be either dead or live analysis. The distinction is whether or not the system is booted at the time of analysis.

When the system is booted, it is known as a live system, and analysis at this time is referred to as live analysis. The reverse is known as dead analysis.

A dead analysis forensic system may lose data or information due to the shutdown of a digital device or the removal of the plug.

This will mostly not have a huge effect on device analysis since, in forensic analysis, the collection of volatile information, such as a process phase or system hardware information, is more important.