<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Altirium Data Recovery Blog &#187; Computer Forensics</title>
	<atom:link href="http://www.altirium.com/blog/category/computer-forensics/feed" rel="self" type="application/rss+xml" />
	<link>http://www.altirium.com/blog</link>
	<description>Discussing all aspects relating to data recovery, data conversion and data storage</description>
	<lastBuildDate>Mon, 12 Jul 2010 08:20:09 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Computer Forensics &#8211; don&#8217;t ignore the tapes</title>
		<link>http://www.altirium.com/blog/computer-forensics/102.html</link>
		<comments>http://www.altirium.com/blog/computer-forensics/102.html#comments</comments>
		<pubDate>Thu, 23 Jul 2009 09:42:50 +0000</pubDate>
		<dc:creator>Mark</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Forensic tape examination]]></category>
		<category><![CDATA[Tape recovery]]></category>

		<guid isPermaLink="false">http://www.altirium.com/blog/?p=102</guid>
		<description><![CDATA[Computer Forensic examination is generally associated with hard disk drives and other random access media such as USB pen and DVD. Whilst these provide a readily accessible source of data for forensic examination, they are also susceptible to attempts to remove data to cover nefarious activities. A tape archive, for example, is usually protected from attempts to cover tracks and so should always be considered as a potentially valuable source of evidence.]]></description>
			<content:encoded><![CDATA[<p>Much Computer Forensic work is associated with <a title="Data recovery" href="http://www.altirium.com/data-recovery-services.html">data recovery</a> from hard disk drives, USB pens and other common data storage media. Even the television drama departments appear to believe that data is stored only on this limited range of media; I don&#8217;t have a back catalogue to check against, but I am pretty certain that on Spooks there has never been an analysis of a DLT or LTO tape cartridge. So what about tape? Probably the largest volume of data stored in the world is on tape, so is it of any value in forensic investigations and litigation work?</p>
<p>The hard disk drive in a computer system contains the most up-to-date information along with other forensically valuable information such as internet history and local temporary files, so why should you bother looking at the backup tapes?</p>
<p><span id="more-102"></span></p>
<h3>Ease of Access</h3>
<p>Access to the data from a tape archive is often achieved with far less disruption as the tapes can be handed over without systems being seized and imaged. In some instances it is vital that there is not widespread knowledge that an investigation or system audit is underway so taking the backups from an off-site store might be preferable to locking down the active systems for investigation.</p>
<p>The disruption caused by an audit often spreads further than is ideal. People not under any suspicion end up feeling suspected, so being able to make an assessment of the situation without widespread loss of staff morale can be a very good move. Of course care has to be taken that no action in browsing through data contravenes other rules and that it does not result in widespread knee-jerk disciplinary responses. With the exception of clearly illegal activities it is often better to use any semi-covert system audit to develop policy and to draw a line after which contravention will result in strict action.</p>
<h3>Historic Data</h3>
<p>Backups are a snap-shot of a system or systems, and this can be invaluable. Data can come and go from local systems, and in some instances a degree of data wiping might be done to cover illegal or undesirable action. But, if a piece of data was in place, and was backed up, then any attempts made to eradicate the evidence will be in vain because the information will be securely stored within the tape archive.</p>
<p>Working back through month-end backups can provide a great opportunity to spot wrongdoing and system abuses. Unless great care has been taken, at some point some information will have been in the path of the backup infrastructure and will be stored ready for examination.</p>
<h3>Look before leaping</h3>
<p>An understanding of the backup infrastructure is required before embarking upon an investigation through a tape archive, as there could be a lot of data to work with. Finding out whether the data you are after is likely to be somewhere amongst the tapes is a good start; prioritising the tapes is the next essential step. The step-back through snap-shots of the system that a tape archive provides is a great benefit, but it can mean there is a vast quantity of data, much of it duplicate data or unnecessary system files, so planning to reduce the time and costs is essential.</p>
<p>A recent case, in which there was potentially the need to examine data from between three and four thousand AIT cartridges containing data written using the NetBackup archiving utility (without access to any NetBackup catalog information), makes the importance of a graduated approach abundantly clear.</p>
<p>3000 tapes that require 3 hours each to read, using 10 systems and with an 80% operating time, would take almost 50 days. That is just the time for reading tapes; factor in time for dealing with the recovered data and organising it for return and you could easily end up doubling the time.</p>
<p>Developing a pre-scanning system for this type of tape reduced the time needed to identify the data on each tape to about 15 minutes, so all tapes could be scanned in about 4 days. This allowed the identification of 500 tapes from which data was needed, and eliminated the remainder. The overall time to read all of the data was reduced to fewer than 10 days, the result being a faster service with lower costs. So a bit of preparation can pay dividends.</p>
<h3>Should tapes always be examined?</h3>
<p>There is no hard and fast rule; understanding the systems and where the data could be is the first step. The tape archive might be a great source of data, but if the data you want was never backed up then you could end up throwing away money and time on <a title="Tape Data Recovery" href="http://www.altirium.com/altirium/services/tape-data-recovery.html">tape data recovery</a> that is not needed. But, by ignoring those &#8220;scary tape things&#8221;, you could be missing data that could form a vital part of any <a title="Computer Forensic Investigation" href="http://www.altirium.com/altirium/services/computer-forensics.html">computer forensic investigation</a> or audit.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.altirium.com/blog/computer-forensics/102.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Time someone guarded the guards?</title>
		<link>http://www.altirium.com/blog/computer-forensics/30.html</link>
		<comments>http://www.altirium.com/blog/computer-forensics/30.html#comments</comments>
		<pubDate>Thu, 02 Jul 2009 08:15:29 +0000</pubDate>
		<dc:creator>Mark</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Data loss]]></category>
		<category><![CDATA[Data security]]></category>

		<guid isPermaLink="false">http://www.altirium.com/index.php?option=com_wordpress&#038;p=30</guid>
		<description><![CDATA[Data loss can be painful, but when that data ends up in the wrong hands it can be disastrous. Why then do those in society with responsibility for safeguarding our personal information seem so reluctant to take the required steps so to do?]]></description>
			<content:encoded><![CDATA[<p>The NHS London “Serious Untoward Incidence Report Summary for 2008-2009” makes rather interesting reading, showing how many minor incidents have resulted in large amounts of data being &#8220;mislaid&#8221;, potentially into the hands of persons who would use it for nefarious purposes. You can currently find the <a href="http://www.london.nhs.uk/publications/corporate-publications/serious-untoward-incidence-reporting-guidance">incident summary here</a>.</p>
<p>What seems clear is that whilst information storage has undergone a massive technological development, the care of information has been neglected to a shocking extent.</p>
<p><span id="more-30"></span></p>
<p>In one case 18,000 staff payroll records on disks were “placed in a post tray” but never arrived. In another an unknown number of records relating to children and their families were on a notebook that was stolen from a car outside a staff member’s home. It is scary enough that those records were on a notebook (it is not mentioned whether any encryption was in effect), and that the notebook was left outside in a car, but what really is damning of the system is that the number of records is unknown.</p>
<p>Our <a href="http://www.altirium.com/data-recovery-services.html">data recovery</a> group recently undertook a data security test for a company (not part of the NHS) as a risk assessment exercise following a data loss, when they wanted to demonstrate that if a backup tape was stolen it could not be of any value. Three days later we invited them to observe how we had full access to their applications and data, to the point that we could have acted as a backup operation for their main office. Whilst this did require considerable technical skill and ability in <a href="http://www.altirium.com/altirium/services/computer-forensics.html">Computer Forensics</a> and data awareness, it very clearly highlighted the potential risk. Subsequently the company implemented a straightforward data encryption process into their backup strategy and the potential for the problem was significantly reduced.</p>
<p>The temptation is to condemn the persons who commit the act immediately leading to the problem, “what idiot left the laptop…”, but often these are well-intentioned and hard-working professional persons who are struggling under increasing case-loads and just trying to do the best that they can. Accountability needs to be at the top of the system; action needs to be in advance of a problem, not “in the light of these incidents we are tightening procedures”.</p>
<p>Secure internet access is available from almost anywhere for remote access. Encryption software is available at zero cost that will protect against any random attempt at accessing data. Data can be managed so that it is known who has what records and that they only have what they need. It is all pretty simple stuff, yet data security seems to be an issue that our political “masters” care little about or just do not understand.</p>
<p>Fear of a national identity database is probably based upon many misconceptions, but also one proven underlying principle which is that we cannot trust the people who want to store our data to keep it secure and free from abuse.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.altirium.com/blog/computer-forensics/30.html/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
