The short answer is, " Any time the
information recovered is or is likely to become an issue in civil or
This is the core of the difference
between computer forensics and data recovery: Data recovery is a
strictly technical task - all that the client cares about is having
access to the files in question. A computer forensic examination
is an investigation - the examiner's report documenting what was found
and where is every bit as important to the client as the recovered
material. Further, the examiner must be qualified, willing, and prepared to
testify under oath in a court of law as to his or her findings.
Nearly anyone can get into a computer
system and click around, looking at documents, browsing files, and
running applications. He or she may find exactly what they are
looking for; the "smoking gun" that proves or disproves an issue.
A technically savvy person may even be able to recover deleted or hidden
If this is within your skill level and
your only purpose is to confront a person or persons with evidence of
their activities (or lack thereof), this may be sufficient.
However, if there is any chance that the matter may become the subject
of litigation, either civil or criminal, any information so recovered
has little or no value as evidence. It's not evidence until the
judge admits it, and opposing counsel can easily (and, very likely,
successfully) challenge its admission at trial.
To assure admissibility, the court must be
confident that the person recovering the evidence is impartial and that
the proceedures used maintainted the integrity of the evidence.
The recovery process must be documented and replicable. Each step
taken must be in accordance with established best practices such that
another competent examiner can duplicate the results.
The field of computer forensics lies
where information technology and criminal investigation intersect, and
the examiner must be trained in both areas. In-house information
technology professionals, technically proficient as they may be, are
not necessarily competent to undertake computer forensic examinations
unless they have additional training and experience in the
identification and handling of potential evidence. Police
officers, private investigators, and security professionals, competent
as they may be, are not necessarily capable of conducting computer
forensic examinations unless they have additional training and
experience in the mechanics and file system structures of digital
storage devices. The computer forensic examiner must possess both sets of skills.