
How do you restore Tivoli TSM data for forensic examination purposes

Tivoli Storage Manager (“TSM”) provides a sophisticated heterogeneous data storage environment within which large volumes of data can be held. These might include email backups, user documents and SQL databases; in fact, all of the information that might be just a little bit useful in a computer forensic investigation or a tape data discovery exercise.

So, you are an investigator who has been handed a case containing 25 LTO4 cartridges from a TSM archive. Now what?

Unlike relatively straightforward backup applications such as BackupExec or ARCserve, you cannot simply buy a TSM installation DVD, install it on your Windows workstation and start examining the tapes. Even with those other applications, though, access to data from Exchange and other agent backups is not easy without re-creating the originating infrastructure. Even if you had the experience and patience to set up a Tivoli system, there is no method for importing foreign tapes.

Like the proverbial London bus, you don’t see one for ages and then two come along at once. In less than a week, one set of TSM tapes arrived as part of a forensic examination, and another for data recovery, as the tapes had expired and the customer needed their Notes data restored.

Within the TSM heterogeneous infrastructure, data from many different sources can exist. In these cases the data was a mixture of Windows files, UNIX files and Notes mail database files. Using TSM was not an option, but we did find a TSM salvage utility that was available on one of the Tivoli forums. Unfortunately the writer had not seen data of the flavours we were attempting to recover, so the program could not handle it. We decided that the only viable option was to create our own software for the purpose.

This was by no means a straightforward task. TSM data is encapsulated in multiple layers of data buffers, each of which requires that its key structures are identified and then a process written to peel it away. Eventually, however, after much huffing and late-night working, we arrived at the data and were able to extract files: one customer had their email back and the other had evidence that might otherwise have not been available to them.

Tapes represent a valuable source of historical data for external investigations, and for when historical data is required under the regulatory regimes that rule over business areas such as banking. Yet there is a problem: when tapes have expired, or are provided by a third party for examination, the situation can arise where all of the data are present and correct on well-recorded tapes in good condition, but there is no way to recover it.

Having spent the past 26 years of my life working out data from platforms as diverse as Honeywell 2000, VMS, ICL1900 and UNIX systems, tackling TSM tape data recovery should have been a walk in the park. It still took us quite a while, and a lot of stress, but ultimately the results were good for all concerned.


One Response to “How do you restore Tivoli TSM data for forensic examination purposes”

  • David Sandlin says:

    Thanks for the article. This is a great reminder that we have to be ready for anything in the field of computer forensics. Data exists in a variety of formats, some obsolete and some new and ever-changing.

    The fact that it was a TSM archive and not just a backup probably added even more complexity to the recovery. TSM is not the only vendor who is making recovery from backup media more difficult. Every enterprise storage management system seems to have their own way of managing backups and archives. The situation becomes even more challenging with the implementation of compression and hierarchical management schemes to more efficiently utilize media. Backup media will continue to be a challenge and the computer forensic community needs to be ready to deal with it.
