Altirium logo

Computer Forensics – don’t ignore the tapes

Much Computer Forensic work is associated with data recovery from hard disk drives, USB pens and other common data storage media. Even the television drama departments appear to believe that data is stored only on this limited range of media, I don’t have a back catalogue to check against but I am pretty certain that on Spooks there has never been an analysis of a DLT or LTO tape cartridge. So what about tape? Probably the largest volume of data stored in the world is on tape, so is it of any value in forensic investigations and litigation work?

The hard disk drive in a computer system contains the most up-to date information along with other forensically valuable information such as internet history and local temporary files, so why should you bother looking at the backup tapes?

Ease of Access

Access to the data from a tape archive is often achieved with far less disruption as the tapes can be handed over without systems being seized and imaged. In some instances it is vital that there is not widespread knowledge that an investigation or system audit is underway so taking the backups from an off-site store might be preferable to locking down the active systems for investigation.

The disruption caused by an audit often spreads further than is ideal. People not under any suspicion end up feeling suspected, so being able to make an assessment of the situation without widespread loss of staff morale can be a very good move. Of course care has to be taken that no action in browsing through data contravenes other rules and that it does not result in widespread knee-jerk disciplinary responses. With the exception of clearly illegal activities it is often better to use any semi-covert system audit to develop policy and to draw a line after which contravention will result in strict action.

Historic Data

Backups are a snap-shot of a system or systems, and this can be invaluable. Data can come and go from local systems, and in some instances a degree of data wiping might be done to cover illegal or undesirable action. But, if a piece of data was in place, and was backed up, then any attempts made to eradicate the evidence will be in vain because the information will be securely stored within the tape archive.

Working back through month end-backups can provide a great opportunity to spot wrongdoing and system abuses. Unless great care has been taken, at some point some information will have been in the road of the backup infrastructure and will be stored ready for examination.

Look before leaping

An understanding of the backup infrastructure is required before embarking upon a investigation through a tape archive as there could be a lot of data to work with. Finding out if it is likely that the data you are after will be somewhere in amongst the tapes is a good start, then prioritising the tapes is the next essential step. That the tape archive provides the benefit of a step-back through snap-shots of the system is a great benefit, but it can mean there is a vast quantity of data, much of it duplicate data or unnecessary system files,  so planning to reduce the time and costs is essential.

Based upon a recent case where there was potentially the need to examine data from between three and four thousand AIT cartridges containing data written using the NetBackup archiving utility (without access to any NetBackup catalog information), the importance of a graduated approach becomes abundantly clear.

3000 tapes that require 3 hours each to read, using 10 systems and with an 80% operating time, would take almost 50 days. That is just the time for reading tapes, factor in time for dealing with the recovered data and organising it for return and you could easily end up doubling the time.

Developing a pre-scanning system for this type of tape reduced the time per tape to identify the data on each tape down to about 15 minutes, so all tapes could be scanned in about 4 days. This allowed the identification of 500 tapes from which data was needed, and eliminated the remainder. The overall time to read all of the data reduced to fewer than 10 days, the result being a faster service with lower costs. So a bit of preparation can pay dividends.

Should tapes always be examined?

There is no hard and fast rule, understanding the systems and where the data could be is the first step. The tape archive might be a great source of data, but if the data you want was never backed up then you could end up throwing away money and time on tape data recovery that is not needed. But, by ignoring those “scary tape things”, you could be missing data that could form a vital part of any computer forensic investigation or audit.

VN:F [1.9.22_1171]
Rating: 10.0/10 (1 vote cast)
Computer Forensics - don't ignore the tapes, 10.0 out of 10 based on 1 rating

Leave a Reply