Case Study 2 — The Recovery That Couldn't Be Proven

A two-person data-recovery shop did exactly what it was good at — got the files back, fast — on a drive that turned out to be evidence in a lawsuit. Every byte they recovered was probably genuine. None of it could be proven genuine, because the recovery mindset is built for speed of restoration, not for a courtroom. This is the mirror of Case Study 1: not a tool that was wrong, but the right tools used for the wrong standard of proof.

Background

Pixel & Platter Recovery was a respected little shop. For a decade its two technicians had pulled photos off drowned phones and resurrected the kind of irreplaceable family archive this book calls anchor case #1 — the accidentally reformatted drive of wedding photos. They were genuinely good at recovery, and their instincts were tuned for it: work fast, get the maximum number of files back, hand them to a grateful client, move on. For a grieving customer who needs ten years of photos, those instincts are exactly right.

Then a small marketing agency called with a different kind of job. The agency had fired a senior designer it suspected of deleting client files and walking off with campaign assets on his way out. It handed Pixel & Platter the designer's returned work laptop and asked them to "recover whatever he deleted so we can see what he took." The agency did not say the word litigation. The shop did not ask. To them it was a recovery job like any other, and they treated it like one.

That single unasked question — is this recovery, or is this forensics? — is the decisive branch the chapter warns beginners skip. Skipping it set everything else in motion.

What happened

The technician did what worked on a thousand recovery jobs. He pulled the 2.5-inch SATA drive, connected it to his Windows workstation through an ordinary USB-to-SATA adapter — no write-blocker — and let Windows mount the NTFS volume read-write so he could browse it. He installed a consumer undelete utility to the same machine, pointed it at the source drive, recovered several hundred deleted files into a folder, copied them to a USB stick, and emailed the agency: "Recovered 412 deleted files, see attached drive. Done."

It was fast, it was complete, and it destroyed the evidentiary value of the work.

   WHAT THE "RECOVERY JOB" ACTUALLY DID TO THE EVIDENCE
   ---------------------------------------------------------------------
   - No write-blocker; NTFS mounted READ-WRITE
       -> Windows updated $STANDARD_INFORMATION access times,
          wrote to $LogFile and $UsnJrnl, touched $MFT
   - OS auto-created \System Volume Information, a new restore point,
       and thumbnail/search artifacts ON THE SOURCE
   - Consumer tool run live against the ORIGINAL (not a copy/image)
   - NO acquisition hash taken at intake
       -> cannot prove the drive is unchanged from the day it arrived
   - One unvalidated tool; no second-tool confirmation
   - No chain-of-custody record beyond two emails
   ---------------------------------------------------------------------

None of this was malice or even incompetence at recovery. The bytes the tool pulled back were, in all likelihood, the designer's real deleted files. But the shop had quietly traded away every property that makes a finding survive a courtroom. The original was no longer sacred — it had been mounted read-write and written to by the operating system before anything was copied. There was no acquisition hash, so there was no way to show the drive was in the same state as when it arrived. There was no image, so the analysis had been done on the irreplaceable original itself. And there was no second tool, no validation record, and no chain of custody.

Six months later, the matter became a lawsuit. The agency's attorney was delighted to have "recovered evidence of theft" — until opposing counsel's expert got the file.

The expert's report was short and devastating. The deleted files' own MFT timestamps had been altered after the date the laptop was returned, because the volume had been mounted read-write — so the defense could argue the "evidence" was created or modified by the recovery process, not by the designer. There was no acquisition hash, so the agency could not prove the drive had not been tampered with between intake and analysis. The recovery had been performed on the original rather than a verified image, violating the most basic principle of both disciplines. And a single consumer tool, with no validation record and no independent confirmation, had produced the file list — "a tool I cannot test, used once, on the original evidence, by an examiner who did not preserve it."

   THE MOTION TO EXCLUDE  -- each attack ran into a missing safeguard
   ---------------------------------------------------------------------
   "Timestamps were altered by the examination"   -> no write-blocker
   "You can't prove the drive is unchanged"        -> no intake hash
   "You worked on the original, not a copy"         -> no image
   "The finding rests on one unvalidated tool"      -> no 2nd tool/CFTT
   "There is no chain of custody"                   -> two emails
   ---------------------------------------------------------------------
   Result: the recovered evidence was largely excluded.

The court excluded most of the recovered material. The files were probably authentic — but "probably authentic and unprovable" is, in litigation, indistinguishable from useless. The agency lost its strongest evidence, Pixel & Platter lost a referral source and nearly faced a malpractice claim, and the designer's alleged conduct went unproven not because it did not happen but because the people investigating it answered the wrong question with the right tools.

The analysis

  1. The decisive branch is "recovery or forensics?" — and it must be asked at intake. A grieving client's photos (anchor #1) call for the fastest reliable recovery; evidence headed for court (the pattern of anchor #2) calls for write-blocking, hashing, working on a verified image, dual-tool verification, and chain of custody. Same disk, two standards of proof. The shop never asked which standard applied, so it applied the wrong one — and you cannot retrofit forensic soundness after the original has been altered.

  2. Recovery tooling and forensic discipline are not the same thing. The consumer undelete tool was not "bad"; it was built to restore bytes quickly, which it did. What was missing was the ceremony around it — the write-blocker, the image, the hash, the second tool, the custody log — that converts "I got the files back" into "I can prove these files came from this drive, unaltered." The chapter's signature lens applies exactly: recovery asks can I get it back?; forensics asks can I get it back and prove it is unaltered and where it came from?

  3. The original is sacred, and a write-blocker is how you keep it that way. Mounting NTFS read-write let Windows update access times and journals on the source before anything was preserved, handing the defense its best argument: that the "evidence" was changed by the very act of examining it. A hardware write-blocker and an image-first workflow would have frozen the drive's state at intake and let all analysis happen on a copy.

  4. A hash you never took is a proof you can never give. With no acquisition hash, the shop could not demonstrate that the drive was unchanged from the day it arrived. Hashing at intake costs minutes and is the foundation of every later "this is unaltered" claim. Its absence was not a paperwork gap; it was the removal of the evidence's spine.

  5. One unvalidated tool, used once, is a lead — never a court-ready fact. Even setting aside the preservation failures, the finding rested on a single consumer utility with no validation record and no independent confirmation. The chapter's rule is the cure the shop skipped: validate the function against known data, and confirm any load-bearing result with a second, independent tool and a matching hash — the very discipline that made Case Study 1 defensible.

Discussion questions

  1. The shop's instincts were correct for anchor case #1 (a client's lost photos) and catastrophic for this matter. Identify precisely what changed about the job — not the tools — and explain why the same workflow can be excellent practice in one context and malpractice in the other.

  2. List the changes that would have preserved this case, in order, and estimate the added time for each: ask the intake question, attach a write-blocker, image the drive, hash at acquisition, work on the copy, confirm with a second tool, keep a custody log. Why are these "minutes, not money," and what does that imply about the real reason they were skipped?

  3. The recovered files were probably authentic. Argue why "probably authentic and unprovable" is, for a court, no better than fabricated — and connect this to the chapter's claim that reproducibility is admissibility.

  4. Pixel & Platter never claimed to be a forensics firm. Where does the professional responsibility lie when a recovery shop accepts work that turns out to be evidence: with the client for not saying "litigation," or with the shop for not asking? What one sentence at intake would have protected both?

  5. ⭐ Put this case beside Case Study 1. In one, an examiner stopped over a single conflicting timestamp and built an unshakable finding; in the other, a shop moved fast and lost everything that mattered. Both had capable tools. Argue the chapter's thesis in your own words — that the tool does not testify, you do — and identify the three or four specific decisions (the intake question, write-blocking, an acquisition hash, dual-tool verification, chain of custody) that diverged between the two outcomes. Is the gap between them a gap in tools, or a gap in discipline?