
Just as files deleted from the hard drive of a PC can be recovered, data that was saved on an external hard drive can be recovered after the drive is re-formatted. Formatting a drive only removes the address table or journal entry for files; it does not actually wipe them. The data will be overwritten as new files are saved to the external hard drive. Recoverit and EaseUS Data Recovery Wizard are popular tools used to recover data from re-formatted hard drives.

The free trial version of EaseUS will preview lost files that can be recovered, but you need to buy a license to actually begin recovering files. This does, however, let you know whether there is something to recover. EaseUS allows you to target specific folders.

Not all recovery software will also rebuild the file directories on the external hard drive. Compressed files will be particularly difficult to recover.
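The following added example (not code from this blog, and not how Recoverit or EaseUS work internally) shows on a constructed in-memory image why a re-format leaves files recoverable until their sectors are reused. The toy index layout, file contents and function names are assumptions made for the illustration.

```python
# Added illustration: toy image layout and helper names are hypothetical.
SECTOR = 512
SIGNATURES = {  # well-known header/footer magic bytes
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def build_image():
    """Constructed sample: sector 0 is a toy file index, files follow."""
    jpg = b"\xff\xd8\xff\xe0" + b"constructed-jpeg-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-png-body" + b"IEND\xaeB`\x82"
    img = bytearray(SECTOR * 4)
    index = b"a.jpg@512;b.png@1024;"
    img[0:len(index)] = index
    img[512:512 + len(jpg)] = jpg
    img[1024:1024 + len(png)] = png
    return img, jpg, png

def quick_format(img):
    """Reset only the index sector, leaving the data sectors untouched."""
    img[0:SECTOR] = bytes(SECTOR)

def carve(img):
    """Find files by signature alone, without consulting any index."""
    data, found = bytes(img), []
    for kind, (head, foot) in SIGNATURES.items():
        start = data.find(head)
        while start != -1:
            end = data.find(foot, start + len(head))
            if end == -1:
                break
            found.append((kind, start, data[start:end + len(foot)]))
            start = data.find(head, end + len(foot))
    return sorted(found, key=lambda f: f[1])

def demo():
    img, jpg, png = build_image()
    quick_format(img)
    after_format = carve(img)          # both files still recoverable
    img[512:1024] = b"N" * SECTOR      # a new file reuses the JPEG's sector
    after_reuse = carve(img)           # only the PNG survives
    return after_format, after_reuse

if __name__ == "__main__":
    for label, hits in zip(("after format", "after reuse"), demo()):
        print(label, [(k, off, len(b)) for k, off, b in hits])
```

The carved hits carry a type and an offset but no file names or folders, because in this toy image that information existed only in the index that the format cleared.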


 
 

The manual Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, published by the Computer Crime and Intellectual Property Section of the Department of Justice's Criminal Division, advises agents that electronic media does not have to be searched on-site during the execution of a search warrant. It acknowledges the difficulty of searching hidden directories, encrypted data, intentionally mislabeled files, and slack space. The tendency of operating systems to automatically alter data and the possibility of the remote deletion of relevant data are also discussed. The manual cites several court decisions which have approved removing hard drives and other devices to off-site locations for review.

"Agents are recommended to consider removing hard drives from computers in order to make an image copy on-site. If the entire computer has to be seized, the need to do so should be specified in the affidavit for the warrant.

As imaging and/or removal is necessary in nearly every computer search warrant case, it is doubtful that failure to include such a statement in the affidavit constitutes a Fourth Amendment violation. Nevertheless, although explicitly required only by the Ninth Circuit, it is a good practice for every search warrant affidavit to explain why it is necessary to image an entire hard drive (or physically seize it) and later examine it for responsive records." (page 78)

Affidavits are not to specify a protocol for the review of a hard drive, but simply note that off-site review may be required.


 
 

A study posted here, Ya-Ting Chang, Ke-Chun Teng, Yu-Cheng Tso, & Shiuh-Jeng Wang, Jailbroken iPhone Forensics for the Investigations and Controversy to Digital Evidence, Department of Information Management, Central Police University (2015), analyzes whether or not jailbreaking an iPhone alters digital evidence. The study compared iTunes logical extraction and the MSAB XRY extraction tool, testing both methods before and after jailbreaking.

Jailbreaking generally makes the extraction of digital evidence easier. The authors conclude that the jailbreaking procedure will not alter digital evidence on an iPhone. iTunes still generates the same number of backup files before and after an iPhone is jailbroken. The jailbreaking process allows Wi-Fi and mobile phone data to be accessed, which cannot be extracted if an iPhone is not jailbroken. iPhones automatically synchronize and download the most recent 50 emails from the servers with which they sync. The emails can only be recovered if an iPhone is jailbroken.


 
 

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea