forensics = looking at data on one or more media devices, usually in an investigation
data recovery = looking for data on one or more media devices, for a customer
http://forensics.wikia.com/wiki/
http://www.forensicswiki.org/wiki/
For standard Windows-based IT data recovery from NTFS (deleted files, formatted drives), I recommend PC Inspector [FREE]
http://www.pcinspector.de/Sites/file_recovery/info.htm?language=1
For undoing rm *, I haven't found any tools. Many people recommend remapping the rm command to something like "mv file to trashbin" and only su can actually rm.
Forensics cannot be done from Windows without cutting the IDE cable to make the drive "read only", but even that's not great in a legal sense.
For real forensics, there is only one tool: dd (and its updated variants, dcfldd and ddrescue)
http://www.forensicswiki.org/wiki/Dcfldd
http://www.linuxquestions.org/questions/linux-newbie-8/learn-the-dd-command-362506/
http://ubuntuforums.org/archive/index.php/t-1033712.html
Access the media in question from a LiveCD (but NOT Ubuntu since it may mount automatically). Knoppix doesn't automount, and Helix is standard.
http://forensics.wikia.com/wiki/Helix_LiveCD
$ sudo mount /dev/sda /where/you/want/to/mount -o ro
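Added example (not part of the original notes): a sh function that images a source with dd and checks the copy against a SHA-256 of the source, so the image rather than the media is what gets examined. The function name acquire, its return codes and the .sha256 record file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original notes.
# acquire SRC IMG: copy SRC (a device such as /dev/sda, or a file) to IMG
# with dd and verify the copy by SHA-256.
# Returns 0 on match, 1 on mismatch, 2 on refusal, 3 on I/O error.
# Usage from a LiveCD shell after sourcing this file:
#   acquire /dev/sda /mnt/evidence/sda.img
acquire() {
    src=$1
    img=$2

    # Never write over an existing image or its hash record.
    if [ -e "$img" ] || [ -e "$img.sha256" ]; then
        echo "acquire: $img already exists, refusing to overwrite" >&2
        return 2
    fi

    # Hash the source first; this only reads it, nothing is mounted.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    [ "${#src_hash}" -eq 64 ] || return 3

    # Plain copy without conv=sync: sync pads short reads with zeros, so a
    # padded image would no longer hash the same as a healthy source.
    dd if="$src" of="$img" bs=4k 2>/dev/null || return 3

    img_hash=$(sha256sum < "$img" | cut -d' ' -f1)

    # Keep both hashes beside the image, then make both files read-only.
    printf 'source %s %s\nimage  %s %s\n' \
        "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"
    chmod a-w "$img" "$img.sha256"

    # Exit status of the comparison is the function's result.
    [ "$src_hash" = "$img_hash" ]
}
```

A source with unreadable sectors makes the first hash fail (return 3); that case is what ddrescue is for.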
Also useful for backup of copy-protected DVD/CDs. For example, the Microsoft Flight Sim disks have copy protection.
VERY SLOW:
$ dcfldd if=/dev/dvd of=fs2004.iso conv=sync,noerror
$ ddrescue -A -b 2048 /dev/dvd1 fs2004.iso
Be sure to overwrite your old drives:
$ dd if=/dev/zero of=/dev/sda bs=4k conv=notrunc
To overwrite deleted files still sitting in free space, write random data to a file (dd keeps writing until the filesystem is full):
$ dd if=/dev/urandom of=/home/usernamehere/filename.data