Forensic Practice

Good forensic practice
There are many areas of forensic investigation that require considerable care. If a good working disk is being investigated there are many established standards to follow. CnW Recovery concentrates on disks that have failed, either logically or physically. The following suggestions may assist in producing a valid report that could stand up in court. CnW Recovery does not claim full knowledge of court procedures, so this is advice given in good faith.

Security of data

Many disk recovery routines can be run by placing the disk in a USB caddy and reading it. For most non-critical jobs this is fine, but one must always be aware that when a PC recognises a disk it will often write to it: mounting a volume can update a journal, timestamps or system files even though the user has opened nothing. It is possible that a critical sector could be overwritten or modified, and the change is invisible at the time it happens. The reliable solution to this problem is a hardware write blocker, a device placed between the disk and the PC that passes reads through but discards all writes. These exist for standard drives and prevent any change to the disk contents.

Another approach is to use a hardware disk duplicator. This preserves the original disk, but there is still the danger that the clone disk will be modified when the PC mounts it, so the clone needs the same write protection as the original if it is to be presented as an exact copy.

The first stage of any investigation is to make a known good copy of the drive. For a working disk this is straightforward, but for a partially failed disk it is harder to make a copy that is known to be good and will stand up in court. Any sector that could not be read should be recorded, so that the report can state exactly which parts of the image contain original data and which do not.

Hashing
Hashing creates a digital fingerprint for each file copied. If the hash of the file is the same when tested in court, then it has not been changed in any way. MD5 has been the traditional hashing routine, but it is no longer considered secure: different files with the same MD5 hash (collisions) can now be generated in seconds on an ordinary PC, so a matching MD5 value on its own can be challenged. To avoid any argument, a stronger hash should be used as well as, or instead of, MD5. For safety, the best choice is SHA-224 or SHA-256; the latter has been added to CnW software. A hash only proves that a file is unchanged from the moment the hash was taken, so it should be computed as soon as the image or file is created and recorded in the log with it.
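The following is an added example, not code from CnW Recovery, showing how an image (or any recovered file) is hashed once with both MD5 and SHA-256 in a single read, how the digests are recorded beside the file, and how a later check exposes a change of even one byte. The file names, the manifest format and the three-byte sample "image" are constructed for the example.

```python
import hashlib
import os
import tempfile

# Read the image 1 MiB at a time so a multi-GB image never has to fit in memory.
CHUNK = 1 << 20


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file, computed in a single pass.

    Every requested digest is fed from the same read of each chunk, so the
    image is read once no matter how many hashes are recorded.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(path, digests):
    """Record the digests next to the file, one '<algorithm> <hex> <filename>' line each.

    The manifest layout is an assumption made for this example.
    """
    manifest = path + ".hashes"
    with open(manifest, "w") as out:
        for name, hexdigest in sorted(digests.items()):
            out.write(f"{name}  {hexdigest}  {os.path.basename(path)}\n")
    return manifest


def read_manifest(manifest):
    """Parse the manifest back into {algorithm: hex digest}."""
    expected = {}
    with open(manifest) as fh:
        for line in fh:
            name, hexdigest, _filename = line.split()
            expected[name] = hexdigest
    return expected


def verify_file(path, expected):
    """Re-hash and compare against the recorded digests.

    Returns {algorithm: True/False} rather than a single pass/fail so a
    report can show every algorithm that was checked.
    """
    actual = hash_file(path, tuple(expected))
    return {name: actual[name] == expected[name] for name in expected}


def demo():
    """Constructed walk-through: hash a tiny 'image', flip one byte, re-verify."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.img")
        with open(image, "wb") as fh:
            fh.write(b"abc")  # constructed sample data, not a real disk image
        digests = hash_file(image)
        manifest = write_manifest(image, digests)
        ok_before = verify_file(image, read_manifest(manifest))

        # Simulate the kind of silent change an unprotected mount can make.
        with open(image, "r+b") as fh:
            fh.seek(1)
            fh.write(b"X")
        ok_after = verify_file(image, read_manifest(manifest))
        return digests, ok_before, ok_after


if __name__ == "__main__":
    digests, before, after = demo()
    for name, hexdigest in digests.items():
        print(f"{name}: {hexdigest}")
    print("verified at imaging time:", before)
    print("verified after one byte changed:", after)
```

Keeping MD5 alongside SHA-256 costs almost nothing (the file is still read once) and lets the report be compared with any older MD5-only records, while the SHA-256 value is the one to rely on if the MD5 is challenged.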

Logs and reporting
A very important element of CnW software is a system of comprehensive logs, and the ability to produce a summary of the disk being investigated. The logs store details of every file recovered, along with important details such as the date and the location of each part of a fragmented file. The XML report (Forensic option only) is intended to provide a basis for a full report on the disk. It summarizes details such as disk imaging, and also analyzes file signatures to help indicate disks with many files that have been renamed, that is, files whose contents do not match the type implied by their extension.
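The file signature check described above, as an added example that is not CnW's own signature database or report code: each recovered file's first bytes are compared with the magic numbers expected for its extension, and the files whose contents disagree with their name are listed. The signature table and the sample file entries are constructed for this example; a real table would be far larger.

```python
# Constructed table of magic numbers. Each entry is (type name, accepted header
# prefixes, extensions that legitimately carry that header). Office Open XML
# files are ZIP containers, so they share the ZIP signature and cannot be told
# apart from a plain .zip by the header alone.
SIGNATURES = [
    ("jpeg", (b"\xff\xd8\xff",), {"jpg", "jpeg"}),
    ("png", (b"\x89PNG\r\n\x1a\n",), {"png"}),
    ("gif", (b"GIF87a", b"GIF89a"), {"gif"}),
    ("pdf", (b"%PDF-",), {"pdf"}),
    ("zip", (b"PK\x03\x04",), {"zip", "docx", "xlsx", "pptx", "jar"}),
]


def detect_type(header):
    """Return the type name whose magic matches the start of the file, or None if unknown."""
    for name, magics, _exts in SIGNATURES:
        if any(header.startswith(m) for m in magics):
            return name
    return None


def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def classify(filename, header):
    """'match', 'renamed' or 'unknown' for one recovered file.

    'unknown' means the header is not in the table, which is a gap in the
    table rather than evidence of renaming, so it is reported separately.
    """
    detected = detect_type(header)
    if detected is None:
        return "unknown"
    allowed = next(exts for name, _m, exts in SIGNATURES if name == detected)
    return "match" if extension_of(filename) in allowed else "renamed"


def signature_report(entries):
    """Summarize (filename, header bytes) pairs into the three lists a report would show."""
    report = {"match": [], "renamed": [], "unknown": []}
    for filename, header in entries:
        report[classify(filename, header)].append(filename)
    return report


# Constructed sample: (filename, first bytes as they would be read from the image).
SAMPLE_FILES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.pdf", b"%PDF-1.7\n"),
    ("notes.txt", b"\xff\xd8\xff\xe1\x12\x34Exif"),   # a JPEG hidden as a text file
    ("archive.zip", b"PK\x03\x04\x14\x00"),
    ("budget.docx", b"PK\x03\x04\x14\x00"),
    ("readme.txt", b"hello, plain text"),             # no magic number: unknown
    ("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00"),
    ("invoice.pdf", b"PK\x03\x04\x14\x00"),           # a ZIP hidden as a PDF
]


if __name__ == "__main__":
    report = signature_report(SAMPLE_FILES)
    print(f"{len(report['match'])} files match their extension")
    print("possibly renamed:", report["renamed"])
    print("no signature known:", report["unknown"])
```

A disk where the "renamed" list is long relative to the total is the case the report is meant to flag; a single mismatch is common enough (a camera that writes .JPG files with an Exif header is still a match, a saved web page with the wrong extension is not evidence of anything) that the counts matter more than any one entry.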

The XML report is generated from multiple job sequences. Often a recovery and analysis is done in several stages, perhaps over a few days. All these logs can then be brought together to produce a single report.