Forensic Support Services

These are some of the typical reasons for requiring a data management service. If you require assistance with your data management project, call and speak with our technical advisors on our helpline number or send us your enquiry via our online form.

 

Format analysis and conversion

Restoring data from any computer backup tapes that you find can be an essential part of a forensic investigation. With recent backups there is probably information available to help you achieve this, as the backup regime and software that were used to create them may still be in use and identifiable.

Backup tapes from an unknown origin, or from a source where no supporting information is available, can be problematic. The raw contents of the tapes must be examined to identify what data is present and how it can be processed to retrieve the files or data that are stored on them.

Identification of the data from a tape is not always easy. Try, for example, to restore a DLT cartridge using ARCserve when the tape was written using TapeWare or some other backup application. ARCserve will tell you that it does not recognise the tape, but it won’t tell you which application was used to write the data to the tape, which version and on which platform. How could it?

The ability to recognise data by its contents is an area where Altirium's Tape Engineers have developed expertise over many years of analysing data and reverse engineering backup and file formats. Once the format has been identified we are then able to provide solutions to restore and extract the files or information you require.

Backup Restoration

Forensic examination of computer data is most often associated with the examination of information within the data stored on hard disk drives. Computer backup tapes, however, present a valuable source of information that has been stored over a protracted period of time. When analysed in context, the information retrieved can provide the investigation with a unique picture of file creation, deletion and modification history that is not always available in the snapshot of an evidential image of a computer's hard disk.

Tape backups in an archive might represent a snapshot of the data from a system at periods stretching back over months or years. Any attempt to eradicate data from a hard disk might have been successful, but often the data still exists within the system backups on tape.

File and data filtering

Mining the data from hard disks can be time-consuming. Multiply this by the number of backups that require processing and the task can be too costly and prohibitive.

Processing the data from a large number of tapes in a short time requires parallel processing whereby the data from multiple sets of tapes is processed simultaneously. Often the number of tapes can run into the hundreds and it is impracticable to work through them one-at-a-time. With the right systems, even several hundred tapes can be processed within a relatively short time period.

How can data be distilled to only a single copy of any relevant documents prior to a more in-depth analysis?

Duplication within a backup archive presents another problem. Documents might exist on each backup, meaning that any forensic analysis is going to involve processing the same data multiple times. Eliminating the duplicate data is not always straightforward, as files are not static and any particular file might have changed several times.

A de-duplication process can be performed such that all files with identical contents are removed to leave only one copy of the unique data for a particular file. Where the de-duplication process cannot remove a file with identical meta-data, the files can be renamed; multiple iterations of any file or document will then exist within the resultant data, but there is no duplication of file data.
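The de-duplication step described above, sketched as an added example (not Altirium's own tooling). It assumes each backup has already been restored to its own directory, uses SHA-256 to decide that contents are identical, and the function names and the `.vN` rename scheme are hypothetical. The returned manifest records which backup each retained file came from, so the history across backups is not lost when copies are dropped.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    """Hash contents in chunks so large restored files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def dedupe_backups(backup_dirs, out_dir):
    """Keep one copy per unique content; return {output path: [(backup, path)]}."""
    by_hash, manifest = {}, {}   # digest -> output path; output path -> sources
    for backup in map(Path, backup_dirs):
        for src in sorted(p for p in backup.rglob("*") if p.is_file()):
            rel = src.relative_to(backup)
            origin = (backup.name, rel.as_posix())
            digest = sha256_of(src)
            if digest in by_hash:          # identical contents: record, do not copy
                manifest[by_hash[digest]].append(origin)
                continue
            dest_rel, version = rel, 1
            while dest_rel.as_posix() in manifest:   # same name, changed contents
                version += 1
                dest_rel = rel.with_name(f"{rel.stem}.v{version}{rel.suffix}")
            dest = Path(out_dir) / dest_rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)        # copy2 preserves file timestamps
            by_hash[digest] = dest_rel.as_posix()
            manifest[dest_rel.as_posix()] = [origin]
    return manifest

def demo():
    """Constructed sample: three weekly restores of the same small share."""
    root = Path(tempfile.mkdtemp())
    sample = {"week1": {"report.doc": b"draft", "notes.txt": b"same"},
              "week2": {"report.doc": b"final", "notes.txt": b"same"},
              "week3": {"report.doc": b"final", "old/report.doc": b"draft"}}
    for backup, files in sample.items():
        for name, data in files.items():
            p = root / backup / name
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    return dedupe_backups([root / b for b in sample], root / "unique")
```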

 