As a digital forensics analyst, what features/capabilities do you think a computer Data Recovery tool must have ?
Looking forward for good responses.Â
Having spent the last 20 odd years creating such programs, I feel the most important feature is good logs. Any forensically sound recovery must be repeatable, ie we must know every sector that was used in the recovered file.
Other useful features could include file signatures and possible file verification.
A recovery program should also have multiple modes of recovery. eg for NTFS, reading the index files, or just scanning the disk for all MFT clusters. Corruptions and failures take many forms, and no single solution will always work.
There must also be blocks to prevent any data being written to the disk/chip that is being recovered. Any tool that claims to repair, or undelete should be shot at dawn.