Case Study 2 — The Recovery That Could Not Become a Case

A data-recovery shop took a routine reformatted-drive job and did the technical work well — the files came back. But the job quietly turned into evidence of a crime, and the shop had kept none of the discipline that would have let it cross that line. The embezzlement may have happened; the proof the shop produced was worthless in court. This is the cautionary mirror of Case Study 1, and the chapter's hardest lesson made concrete: you cannot retrofit a chain of custody — you can only have kept one.

Background

A small construction company brought a bookkeeper's external USB drive to a two-person data-recovery shop. The story was ordinary: the drive had been "accidentally reformatted," and the owner needed the accounting files and a few years of documents back. This was a 💾 recovery engagement in every visible respect — no lawyer, no court, no mention of a dispute. The shop quoted a flat fee and got to work the same afternoon.

The technician did the recovery competently and fast, in the way a busy bench does a routine job. The drive was mounted on a Windows workstation; a logical-recovery tool scanned the reformatted volume, rebuilt the directory tree from surviving MFT records, and restored the recoverable files into a folder on the source drive itself to save time. Where the MFT was overwritten, the technician carved unallocated space for documents and spreadsheets. Within a few hours, most of the accounting data and documents were back, and the client was delighted.

What the shop did not do is the whole of this story. There was no forensic image — the tool worked directly on the original drive. There was no write-blocker, so the act of mounting the volume read-write, and of writing recovered files back onto the source, altered the very evidence under examination. No acquisition hash was ever computed, so nothing could later be proven unchanged. No chain-of-custody log was opened. No notes recorded which tool, which version, which options, or in what order. To the shop, all of that was forensic ceremony irrelevant to a recovery job. It was about to become the difference between a case and a non-case.

What happened

During the recovery, the technician noticed what the files contained. Among the restored documents were two parallel sets of accounting records, a folder of invoices that did not match the company's own copies, and deleted bank statements. The owner, shown the results, recognized them immediately as evidence that the bookkeeper had been embezzling — and that the "accidental reformat" had likely been an attempt to destroy the trail. The owner wanted to fire the bookkeeper, sue to recover the money, and refer the matter for prosecution. Overnight, a routine recovery had become the centerpiece of a fraud case.

The shop handed over the recovered files and an invoice, and considered the job done. Months later, the owner's attorney called with a question the shop could not answer: how do we prove these files are what was on the drive, and that nothing was altered?

   WHAT THE RECOVERY JOB LEFT BEHIND (reconstructed for the attorney)
   ─────────────────────────────────────────────────────────────────
   Imaged first?             NO  — tool ran on the ORIGINAL drive
   Write-blocked?            NO  — source mounted read-write
   Acquisition hash?         NONE — nothing to prove "unaltered"
   Recovered files written.. ONTO THE SOURCE DRIVE (overwrote free space)
   Chain of custody?         NONE — informal hand-off, no log
   Method documented?        NO  — tool/version/options/order unrecorded
   ─────────────────────────────────────────────────────────────────
   => Technically successful recovery; evidentiarily indefensible result.

When the matter moved toward litigation, the bookkeeper's side attacked the digital evidence and barely had to work for it. The drive had been mounted read-write and written to during recovery; the recovered "second set of books" carried timestamps from the day of the recovery, not from when the records were authored, because the recovery process itself had created those files. With no acquisition hash, the shop could not show that anything recovered matched the drive's state when it arrived. With no chain of custody, no one could account for who had handled the drive or what had been done to it between the client's office and the recovery bench. With no contemporaneous notes, the technician — testifying from memory months later — could not say which tool version had produced which file, or rule out that carving had stitched fragments together incorrectly.

The defense did not need to prove the bookkeeper innocent. It only needed to show the digital evidence was unreliable, and the shop had handed it every argument. The court gave the recovered files little to no weight. The underlying embezzlement might still be proved through bank records and subpoenaed statements — independent of the shop's work — but the cleanest, most direct evidence, the second set of books on the bookkeeper's own drive, was effectively dead on arrival. The recovery had succeeded and the case had failed.

The analysis

  1. You do not get to choose what you find. A recovery engagement can become a forensic matter without warning — fraud surfaces on a reformatted drive, a ransomware job becomes an insurance dispute, "deleted family photos" turn out to be contraband. Because the pivot is unannounced, the only protection is to run every job with enough baseline discipline that it can survive the transition.

  2. You cannot retrofit a chain of custody. Its credibility comes precisely from being kept as you go — hashes at acquisition, an unbroken custody log, work on a verified copy. None of it can be credibly reconstructed after a dispute begins, because anything created after the challenge is itself suspect. The shop's missing acquisition hash was not a paperwork gap; it was the permanent inability to prove the evidence was ever what it claimed.

  3. Working on the original is the cardinal sin — for recovery and forensics. The original is sacred. Mounting the drive read-write and writing recovered files back onto the source did three kinds of harm at once: it altered evidence, it overwrote unallocated space that might have held more recoverable data, and it manufactured fresh timestamps that made authored records look authored on recovery day. Image-first protects admissibility and the data itself.

  4. The discipline that would have saved the case cost almost nothing. A forensic image, a recorded acquisition hash, a write-blocker, and a one-line custody log would have added minutes to a multi-hour job. That "one extra ounce of discipline" is exactly what the chapter's Recovery-vs-Forensics lens prescribes for every recovery: keep enough of phase 1 and phase 2 that the paperwork already holds up if the job turns into a case.

  5. Recognizing the pivot is professional judgment. The moment the technician saw a second set of books and deleted bank statements, the engagement had changed character. The professional move was to stop, preserve what existed, document it, and advise the client that what began as recovery now needed forensic rigor — image, hash, chain of custody, an examiner who works only on the copy. Missing the pivot, the shop kept treating a case like a chore.

Discussion questions

  1. List the minimum set of practices — most of them free or nearly free — that would have preserved this evidence's value without changing the recovery outcome at all. Why are an acquisition hash and a write-blocker the two that matter most, and why did the shop skip them?

  2. Identify the exact moment the technician should have stopped and pivoted from recovery to forensic handling, then rewrite the next ten minutes as they should have gone — from "these look like two sets of books" to "the original is imaged, hashed, sealed, and I am working only on the copy."

  3. Separate the shop's mistakes into two columns: those that were bad forensics (no image, no hash, no custody) and those that were arguably bad recovery practice too (writing recovered files onto the source). Where do the two disciplines' best practices coincide, and what does that overlap suggest about how a recovery bench should operate by default?

  4. The shop did not cause the embezzlement and did recover the data the client paid for. Argue how much professional responsibility it bears for the evidence being unusable — and whether a recovery shop that accepts drives which may hold evidence has a duty to keep forensic-grade custody even when no one has asked for it.

  5. ⭐ Place this case beside Case Study 1. One examiner kept the lifecycle's underlying disciplines and won at deposition; one shop skipped them and watched the evidence die. Identify the three or four decisions that diverged — image-first vs. work-on-original, hashing vs. none, custody log vs. informal hand-off, contemporaneous notes vs. memory — and argue the chapter's claim in your own words: that the difference between "I found this" and "I can prove I found this and it is unaltered" is decided long before anyone knows a case exists.