In most cases, deleted data can be restored using data recovery tools. It is also possible to recover files without any recovery tool. Whether a file is recoverable depends on whether write operations have been performed on the region of the hard drive that held it.
In most operating systems, the addresses of files are maintained using pointers. Whenever a user deletes a file, the operating system removes the pointer for that file and marks the corresponding sectors of the hard drive as space available for storing other files. From the file system's perspective, the file is no longer present on the hard drive, and the operating system treats the sectors containing the file's data as free space.
The Questionnaire for the Employees
How much time has passed since the files were deleted?
Have any read or write operations been completed on the hard drive?
Have previous versions of the files been restored?
Options to Recover
It is possible to recover the file using data recovery software such as Recuva. Alternatively, if the files were deleted from a folder, we can right-click the folder and choose "Restore previous versions", which will recover the deleted files.
If this process does not work, we have to go to the Control Panel, then System Protection, and select the drive from the available options. After selecting the drive, we click the option "restore system settings and previous versions of files" and click OK (Jueneman et al., 2015). This will recover all the deleted files from the drive.
Outline of the Investigation Procedure
When investigating a potential fraud case, the most important part is maintaining confidentiality in the workplace so that evidence is not altered or removed. To conduct a fraud investigation, the investigator first needs to obtain proper authorization from the company or the individual concerned (Ko & Zaw, 2015).
Discovering relevant data in the collected evidence, preparing an Order of Volatility for the evidence, blocking external avenues by which the evidence could be altered, and preparing a chain of custody are the main steps in the evidence collection phase (Martínez, Álvarez & Encinas, 2014).
After the investigation team is called in by the organization or the individuals, the investigators first develop First Response of Procedures (FRP) in order to collect as much evidence as possible.
Data Validation Methods
In any fraud case, investigators use hash algorithms to ensure that the collected evidence has not been altered; that is, the algorithm is used to check the integrity of the evidence (Schmitt & Jordaan, 2013). This method is mainly a series of message digest algorithms that generates a 128-bit hash code. It processes a message or data of arbitrary length into a fixed-length hash code as output (Schmitt & Jordaan, 2013). The hash value obtained in the imaging phase of the data drive must be the same as the result obtained in the detailed analysis phase. The hash value changes for any operation performed on the disk, such as addition, deletion, modification of the content of any existing file, or exchanging the content of two files on the disk (Bjelland, Franke & Årnes, 2014).
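The imaging-phase versus analysis-phase comparison described above, as an added example that is not part of the original text. It assumes MD5 as the 128-bit message digest and records SHA-256 alongside it as an addition; the two-sector "disk" and its file contents are constructed sample data.

```python
import hashlib
import io

CHUNK = 64 * 1024  # read size; real images are far larger than memory

def digest_image(stream, algorithms=("md5", "sha256")):
    """Stream an evidence image once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(stream, recorded):
    """Compare digests of the analysis copy with those recorded at imaging.

    Returns the algorithm names that do not match (empty list = intact)."""
    current = digest_image(stream, tuple(recorded))
    return [name for name in recorded if current[name] != recorded[name]]

# Constructed sample "disk": two 512-byte sectors, each holding one file.
SECTOR = 512
file_a = b"invoice-2015-001".ljust(SECTOR, b"\x00")
file_b = b"invoice-2015-002".ljust(SECTOR, b"\x00")
original = file_a + file_b

# Imaging phase: these digests go into the case notes / chain of custody.
recorded = digest_image(io.BytesIO(original))

# Analysis phase: three constructed scenarios.
untouched = bytes(original)
swapped = file_b + file_a                      # contents of two files exchanged
modified = original[:8] + b"X" + original[9:]  # a single byte altered

def run_checks():
    """Verify each scenario against the digests recorded at imaging."""
    return {
        "untouched": verify_image(io.BytesIO(untouched), recorded),
        "swapped": verify_image(io.BytesIO(swapped), recorded),
        "modified": verify_image(io.BytesIO(modified), recorded),
    }

if __name__ == "__main__":
    for label, bad in run_checks().items():
        print(label, "intact" if not bad else "ALTERED (" + ", ".join(bad) + ")")
```

The swapped image holds exactly the same bytes as the original in a different order, and both digests still change, which is the case the paragraph calls out.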
Bjelland, P. C., Franke, K., & Årnes, A. (2014). Practical use of Approximate Hash Based Matching in digital investigations. Digital Investigation, 11, S18-S26.
Jueneman, R. R., Linsenbardt, D. J., Young, J. N., Carlisle, W. R., & Tregub, B. G. (2015). U.S. Patent No. 9,049,010. Washington, DC: U.S. Patent and Trademark Office.
Ko, A. C., & Zaw, W. T. (2015). Digital Forensic Investigation of Dropbox Cloud Storage Service. Network Security and Communication Engineering (Ed: Kennis Chan), CRC Press: İngiltere, 147-150.
Martínez, V. G., Álvarez, F. H., & Encinas, L. H. (2014, January). State of the art in similarity preserving hashing functions. In Proceedings of the International Conference on Security and Management (SAM) (p. 1). The Steering Committee of The World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp).
Schmitt, V., & Jordaan, J. (2013). Establishing the Validity of Md5 and Sha-1 Hashing in Digital Forensic Practice in Light of Recent Research Demonstrating Cryptographic Weaknesses in these Algorithms. International Journal of Computer Applications, 68(23).