Case Study 2 — The Routine Recovery That Walked Into Court
A small firm asked you to pull files off a departing employee's failing laptop drive — an ordinary Tuesday job. Four months later a subpoena asked you to swear, under oath, that you had not altered a single byte. This is the contrast to the consumer case: the same write-blocked image and hash that protect a scared parent's photos are what let a recovery shop survive becoming a witness — and what destroy the shop that "just plugged it in to take a look."
Background
A twelve-person engineering consultancy called on a Tuesday. A senior engineer had resigned, and on his way out his work laptop — a five-year-old machine with a SATA SSD — had started throwing read errors and would no longer boot. The office manager framed it as pure recovery: "We just need his project files and his email archive moved onto the new hire's machine before Friday. Nothing dramatic." She did not mention — because she did not yet know — that the partners already suspected the engineer had left to start a competing firm, and that within months they would allege he had walked out the door with the company's client list and its proprietary load-calculation spreadsheets. Anchor #2 of this book, the employee who covered their tracks, almost always begins exactly like this: an unremarkable recovery intake that nobody labels "evidence."
You did not know any of that on Tuesday either. What you knew was that you treat every job the same way, and that habit is the entire point of this case.
The recovery — done the boring, defensible way
Intake was routine and logged like everything else: case LEX-2207, the laptop and its drive photographed as received, make/model/serial and capacity recorded, the office manager's authorization signed (the firm owned the device and the data — clear authority), and a custody entry opened. You pulled the SSD, and because it was throwing read errors you treated it as degraded media: a careful, write-blocked imaging pass rather than a naive copy.
LEX-2207 — acquisition log (excerpt)
--------------------------------------------------------------
2026-02-17 09:40 recv from client (M. office mgr) -> intake
2026-02-17 10:05 write blocker inline (Tableau T356789)
2026-02-17 10:11 ddrescue pass 1 -> LEX-2207.img (read-only src)
2026-02-17 14:50 imaging complete; 2 unreadable LBAs logged
2026-02-17 14:58 SHA-256(image) computed + recorded
2026-02-17 15:02 original SSD -> sealed evidence bag, locked cabinet
--------------------------------------------------------------
SHA-256(LEX-2207.img) =
9f2c1ab7e4d5...c8810a (full value in case file)
You worked entirely on the verified image; the original SSD went into a sealed bag in the locked cabinet, untouched — your safety net and, though you did not know it yet, the firm's future evidence. The recovery itself was unremarkable: the file system was intact apart from two unreadable blocks (which clipped one log file, noted in your report), and you carved nothing exotic. You restored the engineer's project folders and his email archive to the new hire's machine, built a SHA-256 delivery manifest, and — per habit — verified that the copy the client received was bit-for-bit identical to what you had recovered. Total bench time was an afternoon. You closed the job, but per your retention policy you kept the verified image and the sealed original through your standard holding window rather than wiping immediately.
The subpoena
Four months later a process server delivered a subpoena. The consultancy had sued the former engineer for misappropriation of trade secrets, his counsel had challenged the integrity of the firm's evidence, and your name was on the recovery. The deposition question, stripped to its essence, was the one every recovery engineer should expect at least once: Can you prove that the data you recovered is the data that was on that drive, unaltered by you?
Because of how Tuesday had gone, the answer was yes, and it was short. You produced the intake photographs and the custody log showing every transfer with a date, a time, and a name. You produced the acquisition log showing the hardware write blocker inline before the first read, the two unreadable LBAs you had documented at the time rather than papered over, and the SHA-256 of the image computed at acquisition. You produced the sealed original SSD, its custody unbroken, and re-hashed it on the record: the hash matched the value you had recorded in February, demonstrating the original had not changed in storage and that your working image was a faithful copy. You did not have to interpret the engineer's conduct — that analysis, the USB-device history and the altered access timestamps and the anti-forensic tool's own leftover artifacts, belonged to a forensic examiner and to later chapters of this book (Chapter 16, Chapter 21, Chapter 30). Your job, and the only thing you testified to, was that the data was acquired soundly and preserved unaltered.
The cautionary contrast writes itself. Picture the shop that took this same Tuesday job and "just plugged the drive in to see what was on it," worked directly on the original because it was faster, kept no custody log because "it's just a recovery," and wiped its copies the day it got paid. Called to the same deposition, that shop cannot prove the data is unaltered, cannot rule out that its own boot of the original changed timestamps, and cannot produce a sealed original to re-hash. Without any bad intent, it has handed opposing counsel a clean argument to exclude the evidence — and exposed itself to accusations it has no way to refute. The two shops did the same recovery. Only one of them is a credible witness.
The analysis
-
Custody on every job is the whole case. Nothing about the Tuesday intake announced itself as legal; the only reason you could testify credibly in June is that you logged, photographed, write-blocked, imaged, and hashed a job nobody called forensic. The discipline is cheap insurance you buy on the boring jobs and cash in on the rare one that turns.
-
The original is sacred — and here, sacred meant sealed. Working on the verified image and sealing the original was good recovery hygiene (the safety net) and, it turned out, the linchpin of admissibility: the sealed drive could be re-hashed on the record to prove it had not changed. A shop that worked on the original had no such anchor.
-
The hash is what turns "I recovered it" into "I can prove it is unaltered." A SHA-256 computed at acquisition and matched again at deposition is the difference between an assertion and a demonstration. This is the chapter's signature Recovery-vs-Forensics lens in its purest form: the same hash that settles a consumer's "a file is missing" dispute is the one that survives cross-examination.
-
Stay in your lane on the stand. You testified to acquisition and integrity — what you did and that it did not alter the data — and not to what the engineer "intended" or whether he stole anything. Interpreting the artifacts is the forensic examiner's role and the legal framework's domain (Chapter 25, Chapter 26). Recognizing the edge of your role is itself professionalism.
-
A recovery shop with good habits is a latent forensic asset. The day a routine job turns legal, the image-first, hash-verified, custody-logged shop can pivot to a forensic posture without having destroyed anything — exactly the payoff the chapter promises. The chain-of-custody rigor that makes this possible is taught for court use in Chapter 14 and templated in Appendix F.
Discussion questions
-
The office manager framed this as "just move his files, nothing dramatic." What, if anything, should you say at intake about how you handle data when there is no indication a job is legal — and how do you justify the custody overhead to a client who only asked for a simple file move?
-
You documented two unreadable LBAs at acquisition rather than quietly ignoring them. Why does recording a limitation at the time strengthen, rather than weaken, your credibility later? Connect this to the book's theme that "the absence of a trace is itself a trace."
-
Suppose you had already securely wiped your working image and returned the original to the client before the subpoena arrived, exactly as a tidy retention policy might dictate. How would that have changed your position at deposition, and how should a retention policy balance secure-destruction duties against the chance a closed job becomes evidence?
-
The cautionary contrast shop acted with no bad intent — it was merely fast and informal. Argue whether "no bad intent" is any defense when sloppy handling causes a client's evidence to be excluded, and what that implies for how you market the difference between your shop and a cheaper, faster one.
-
⭐ Draw the precise line between what you may testify to as the recovery engineer and what requires a qualified forensic examiner. In this case, which specific findings (acquisition method, hash integrity, the two bad LBAs) are squarely yours, and which (USB-device history, timestamp manipulation, the anti-forensic tool's artifacts) are not — and why does staying on the correct side of that line protect both the case and your own credibility?