Any time we access a hard drive there is a very small chance that we could corrupt it or that it might fail entirely.  If one is conducting an investigation of a technically savvy perpetrator this risk could be amplified by booby traps.  How defensible the damage would be in court would depend on how reasonably it could have been expected/avoided and how severe it was.  One might even be able to argue that it was simply unavoidable since the hard drive access was necessary to retrieving data, so long as one could document that one took every reasonable precaution.

Some modern hard drives have Mean Times Between Failure of many hundreds of thousands of hours (Garret, 2006).  But since this is a statistical measure across an entire family of devices it doesn't mean much about the specific hard drive we might be working with, nor does it reflect what sort of environmental conditions that drive may have endured.  If a criminal were aware that an investigation was underway they might sabotage the environmental or electronic environment of the drive.  This is another good reason to progress through assessment of worth, identification or seizure, preservation and recovery (Casey, 2004, 4.2) in an organized and timely fashion.

I have occasionally seen hard drive corruption at a byte level.  This could be difficult to ascertain or explain in court.  But even stranger problems are documented (Quirke, 2002) so it is a fact we need to understand and be prepared for.  Getting an image and taking checksums/hashes of the original and the copy are very valuable.  But if the source is damaged or fails entirely in this process one may need to escalate through clean room recovery even unto electron microscopy if the case is serious enough (Wikipedia, 2010).  

I don't see how we can avoid the risks associated with recovering the data, but by carefully documenting our motivation, the chain of custody and our procedures (Carrier, 2006) we maximize the chances of making any destruction defensible.


Carrier, B.D. (2006) A Hypothesis Based Approach to Digital Forensic Investigations [Online].  Available from: (Accessed: 13 June, 2010)


Casey, E. (2004) Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, 2d Edition.  London: Academic Press


Garret, B. (2006) 'What's up with MTBF', Computer World [Online].  Available from: (Accessed: 13 June, 2010)


Quirke, C. (2002) Hard Drive Data Corruption [Online].  Available from: (Accessed: 13 June, 2010)


Wikipedia (2010) Data Recovery [Online].  Available from:  (Accessed: 13 June, 2010)