January 20, 2017 by

Rene Novoa on Data Recovery and Forensic Investigations

Since joining Drivesavers in 2001, Rene has performed data recovery on thousands of storage devices plagued with mechanical failures, physical damage and logical corruption. Over the past 5 years, he has focused his efforts on emerging technology while developing proprietary forensic processes for failed devices. As senior manager of the forensic eDiscovery department Mr. Novoa manages high level client relationships and continues to work in the lab performing forensic examinations and managing eDiscovery workflow projects.

Rene Novoa has given presentations and lectures on wearable devices, emerging technology, overcoming forensic challenges at various events including HTCIA chapters, National Cyber-Crimes conference, and for a WiE Chapter (Women of eDiscovery). Rene also has testified in a capital murder case in the state Texas. He currently is the Vice President of the North Bay HTCIA chapter.

 

LIFARS: Tell us some background on you and how you got where you are today.

Rene: I am the Senior Manager of eDiscovery and Digital Forensics at DriveSavers. I’ve been with the company for over sixteen years. When I started, I was performing data recovery from camera cards. From there, I worked my way up to recovering data from hard drives. There is no school for data recovery, so I learned in the field.

We began to notice that a lot of customers were having data recovered that was related to various legal issues, and that many law firms were searching for data for investigations. Responding to this need, we started developing technology to create forensic images for investigators. Soon, several of our customers requested full investigations. To fill this demand for our customers, DriveSavers developed a forensic division that is separate from, but works with, data recovery.

Over the next six years, our forensic division grew naturally as the market need increased. In particular, I focused on investigations into physically failed devices, as this is what DriveSavers specializes in. At the same time, we continued assisting other institutions and forensic firms with their investigations.

 

LIFARS: Could you tell us what are the common cases of data loss and the process of data recovery?

Rene: As devices get larger in capacity and smaller in physical size, there are more mechanical issues, such as head crashes in HDDs or solder and connection issues in SSD and flash devices. We also see devices damaged by natural disasters, such as hurricanes, floods and fires. 

What we’re seeing most now are mobile devices. Smartphones are small and they are always in our hands or on our person. We can all be clumsy at times, and accidents do happen, which is why we often receive phones that have been in the toilet, run through the laundry, dropped off buildings, run over and just about any other kind of damage you can think of.

Every device that comes to DriveSavers begins with an evaluation to see what needs to happen in order to recover the data it holds. Sometimes a device can go straight to direct imaging, but about 85% need to go to our Cleanroom. DriveSavers has an extremely advanced Certified ISO Class 5 Cleanroom where we can inspect a device at the physical layer without risking contaminate damage. We have engineers who work to repair devices just  to get them running enough so that the information can be transferred from the damaged device to a working one. From there, we perform data recovery on the working drive. Everything that comes to DriveSavers gets imaged and backed up.

 

LIFARS: As a digital forensics expert, could you give our viewers some tips on ways to prevent data loss and what to do after the data loss?

Rene: Triple redundancy is definitely best. That means, having two backup copies of your irreplaceable data in two separate places in addition to the working copy that you actually use. It’s also very important to check your backups and verify that your devices are working, and that the files are there and functional. There is nothing worse than backing up your data and not doing it correctly. We see a lot of cases where people had external devices connected to their computers for backup, but the backup devices failed or something went wrong with the backup process without the users’ knowledge. Then, when their primary devices failed, they didn’t have the data where they thought they did. Always have multiple backups and verify them.

Another good tip is, if you hear any odd noise from your device, it shuts down unexpectedly or for any reason you think there is something wrong, stop using the device and turn it off right away. Do not try rebooting or any other method because you might just make things worse. If you are not absolutely certain about what has happened or how to handle it, seek help from a professional. Don’t try DIY tricks like putting your drive in the freezer or your wet phone in a bag of rice. They often make the situation worse. 

 

LIFARS: What are the most important things companies should check before they choose a digital forensics team/company?

Rene: Security, integrity and process are the most important things. You don’t want confidential data leaked to the public or stolen by hackers, so a digital forensics company should have strict security protocols in place. In a legal or criminal case, you need to be sure that your digital evidence is recovered in a legally defensible, repeatable process or at the very least explainable. After all, if you lose that data, or if the recovered data is inadmissible, you may lose the case. The result could be a financial loss or, in a criminal case, even the loss of freedom. Cases can be determined by the process or the lack thereof regardless of the facts.

Start with simply checking the integrity of the company. Does it do background checks on employees? Can it show you security certifications like SOC 2 Type II? How long have they been in business? What is the defined forensic process used by this company? Where is the company located? What certifications do the individuals have who are working on your device or data? Are they familiar with chain of custody?

 

LIFARS: In my understanding, your company offers services to cloud service providers. Could you tell us the research and investigations you’ve conducted?

Rene: We don’t specifically conduct investigations on cloud services, but I have seen some cases related to cloud providers. After all, data in the cloud is still stored on storage devices somewhere, and those drives can fail. In fact, every drive will eventually fail, no matter what type of drive it is. For this reason, even cloud providers sometimes face problems where they need data recovery. I’ve dealt with a small cloud provider where everything was running perfectly in a secure room, but then a fire sprinkler malfunctioned and flooded the room. It was one of those things where it’s impossible to foresee the problem. It didn’t take down the whole business, but it did take down an entire server. Lucky for them, we were able to step in and save the day.

Connect with Rene on LinkedIn.

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

Former Rutgers Student Pleads Guilty to Creating Mirai Botnet

A former Rutgers university student is among three men who pleaded guilty to creating the dreaded...

Read more arrow_forward

Hackers Invade Safety System of Critical Infrastructure Facility

Hackers, presumed to work for a nation-state, recently hacked a safety system belonging to a...

Read more arrow_forward

New Ransomware ‘Spider’ Threatens Wipeout in 96 Hours

A new strain of ransomware discovered by security researchers encrypts files and gives victims a...

Read more arrow_forward