Channel: Legal – Forensic Focus – Articles

Data Recovery As A Medium For Email Forensics


Data Recovery is the technique of salvaging data from an inaccessible state, whether that state arose through deletion, corruption, or failure of the storage medium. On an operating system, data is saved in the form of files (documents, music, images, applications, settings and so on), and it is normally salvaged from the file in which it was saved.

When data is recovered for forensic purposes, however, it is necessary to dig a bit deeper: not only the files and the data stored in them matter, but also their metadata (dates of creation and modification, file attributes, versions and so on).

Data Deletion:

One of the major concerns when data has to be recovered is overwriting. When a file is deleted, the file system removes the references (pointers) to it, but the deleted data is still present on the storage media and can therefore be recovered. Simple deletion alone does not make the data unrecoverable, but overwriting can, because new data is written into the blocks the file occupied. When the data of interest is email, however, the recovery process is handled differently. Email is stored in application-specific files, and every application uses its own structure to store data on disk and access it. This is why recovery of deleted emails differs from recovery of ordinary documents, and also differs between mail applications.

How an email database is stored depends entirely on the type of email program in use: a desktop client or a web mail client.

Desktop: This kind of application creates a storage file for each mailbox. For example, there may be a single file for every mail folder (say, the Inbox), or one file created for the entire mailbox database.

In that case, if messages are deleted from the file, the space they occupied within the file is freed but not wiped, so those emails still stand a chance of recovery. Because the data is stored on the local disk and each file holds the email data of one account, there is little chance that this unallocated space will be overwritten soon.

Web Mail: Here the email service is offered through a web browser. The database is stored on remote servers, distributed across many machines. These servers hold the mailboxes of millions of users, so if data is deleted in such an environment there is a real possibility of it being overwritten within a short time.

File Corruption:

If the data itself is corrupt and inaccessible, it cannot be recovered. However, if only the file is corrupt, it is possible to restore its data into a healthy file using specialized algorithms. Recovery may also be required because of physical damage to the medium holding the storage file.

One of the finest techniques for data recovery is backups, as they restore data together with its metadata. The technology has matured, however, and nowadays there are tools that scan files to recover data from them. Such tools are built around the file's structure in order to extract data from it.

For example, to recover data from a PST file, Microsoft provides a utility called the Inbox Repair Tool. It corrects errors at the level of the internal structure and makes the database file accessible to the end user again. This level of recovery results in data loss, because structural elements such as tables that cannot be fixed are removed permanently. It also performs only basic scanning, which leaves it incapable of handling deeper problems.

On the other hand, there are tools from various third-party vendors that go to much greater lengths to extract data from the file. They perform a bit-by-bit scan of the file to extract data from it.
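The following is an added example, not a tool from the article or any vendor, that illustrates both the desktop-client situation described above (a deleted message loses its index entry but its bytes stay in the mailbox file) and the bit-by-bit scan such recovery tools perform. The mailbox layout, the sample messages and the `compact` step that overwrites the freed space are all constructed for this demonstration and do not correspond to any real client's on-disk format.

```python
import re
from typing import Dict, List, Set
# Constructed toy mailbox format (not any real client's on-disk layout): one
# index line "id:offset:length;..." followed by raw RFC 822-style message
# blobs separated by NUL padding.
PAD = b"\x00" * 8
MSG_RE = re.compile(rb"From: [^\n\x00]*\n(?:[^\n\x00]+\n)*\n[^\x00]*")

def build_mailbox(messages: List[bytes], deleted: Set[int]) -> bytes:
    """Write every message; 'deleted' ones merely lose their index entry."""
    body, index = b"", []
    for i, m in enumerate(messages):
        if i not in deleted:
            index.append(f"{i}:{len(body)}:{len(m)}".encode())
        body += m + PAD
    return b"IDX " + b";".join(index) + b"\n" + body

def live_messages(raw: bytes) -> List[bytes]:
    """What the mail client shows: only records the index still points to."""
    nl = raw.index(b"\n")
    index, body = raw[4:nl], raw[nl + 1:]
    out = []
    for entry in index.split(b";"):
        if entry:
            _, off, ln = (int(x) for x in entry.split(b":"))
            out.append(body[off:off + ln])
    return out

def carve_messages(raw: bytes) -> List[bytes]:
    """Bit-by-bit scan of the whole file for message signatures, ignoring the index."""
    return [m.group(0) for m in MSG_RE.finditer(raw)]

def subject(msg: bytes) -> str:
    m = re.search(rb"^Subject: (.*)$", msg, re.M)
    return m.group(1).decode() if m else ""

def compact(raw: bytes) -> bytes:
    """Rewrite the file with live records only: the freed space is overwritten."""
    return build_mailbox(live_messages(raw), set())

SAMPLE = [  # constructed messages; message 1 will be "deleted"
    b"From: alice@example.test\nTo: bob@example.test\nSubject: Q3 budget\n\nNumbers attached.",
    b"From: carol@example.test\nTo: bob@example.test\nSubject: Delete this\n\nDo not forward.",
    b"From: dave@example.test\nTo: bob@example.test\nSubject: Lunch\n\n12:30?",
]

def demo() -> Dict[str, List[str]]:
    raw = build_mailbox(SAMPLE, deleted={1})
    return {"client_view": [subject(m) for m in live_messages(raw)],
            "carved": [subject(m) for m in carve_messages(raw)],
            "carved_after_compact": [subject(m) for m in carve_messages(compact(raw))]}
```

The carver recovers the deleted message intact while the index no longer lists it; after the file is compacted (the freed space overwritten), the same scan finds only the live messages.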

Message/File Encryption:

- Message-level encryption generally requires third-party certificates. The email is encrypted at the sender's end and decrypted by the receiver using the corresponding key. This ensures that the message's integrity is retained while it travels from one end to the other.

- File-level encryption is offered as built-in support by the client-server environment. For example, the OST file is encrypted by default and cannot be opened in any MAPI profile except the one that created it. Viewing the file's contents is also restricted for the end user if the MAPI encryption key does not match at the client and server ends.

Encrypting messages and files is helpful for safe data transmission and adds a protective layer to the messaging environment. However, decryption is a necessity in order to study the emails and carve out evidence in a presentable form.

Recovering Emails Completely:

An email is made up of various components that together support its forensic examination: the body, the header and its fields, attachments, and related properties all assist in analysis. The first stage of email forensics is collecting data in a readable form, which is what data recovery means here. Converting the data under investigation into a readable format at this initial stage simplifies the rest of the analysis.

Data recovery, although a wide arena, has become a standard requirement for investigators, as it helps in restoring and filtering emails without damaging their integrity. Tools available for email forensics deploy recovery algorithms so that all stages of eDiscovery can be carried out successfully.
