/ BACKUP TAPE FORENSICS
BACKUP TAPE FORENSICS IS HERE TO STAY
Issues and Case Studies
by Gavin W. Manes, James Johnson, Justin Gillespie, Elizabeth Downing, Michael Harvey Avansic
/ INTERMEDIATE
Although magnetic tape storage is often perceived as a rarity by digital forensics investigators, there are an increasing number of situations that require tape recovery and analysis. Many companies use tape backup systems to comply with various regulatory and statutory requirements, which brings the forensics issues with their acquisition and investigation to the forefront. The ability to perform digital forensics investigations on storage tapes is an important tool in any forensics professional’s arsenal, and a thorough understanding of the situations and techniques where these storage devices will appear can alleviate some of the inevitable issues. This paper summarises the main challenges to magnetic tape storage forensics, and includes two case studies of investigations that required backup tape analysis.

/ Introduction
Since the early 1950s, magnetic tape storage has been a standard backup solution for large data centres due to its low cost and the compactness of the medium. However, many view magnetic tape storage as obsolete and therefore little effort has been devoted to the forensic acquisition and analysis of backup tapes. Despite the lack of interest in this area, there are several situations that require forensics investigators to recover and analyse data from backup tapes. Data recovery professionals must also be prepared to handle this class of media: in a 2004 survey conducted by the Yankee Group, over 40% of respondents who had occasion to restore systems from tape, reported at least one incident where the information was unrecoverable due to tape failure [1].

Improvement of forensic techniques for backup tapes is necessary for a variety of reasons. Certain peculiarities of the magnetic tape format present unique challenges to the investigator: different types of tapes, proprietary storage formats and compression algorithms, and the fragility of the magnetic tape itself can all complicate investigations. The standard SCSI communication protocol for tape drives precludes low-level acquisition, and tape drives will generally not read past an End-of-File marker (regardless of what data lies beyond) without modification of the drive’s firmware.

/ Backup tapes in landmark cases
Backup tapes were the centrepiece of two landmark digital forensics cases in the USA: Coleman v. Morgan Stanley and Zubulake v. UBS Warburg [3][4], lending credence to their use as digital evidence in court. Both of these cases set precedents for the admission and validity of digital evidence in the modern legal landscape.

/ Coleman vs. Morgan Stanley
In Coleman vs. Morgan Stanley, Coleman’s document production request specified emails from a certain date range, which according to Morgan Stanley resided on a complex backup system that required significant resources to recover. It was later discovered that Morgan Stanley had found backup tapes containing relevant emails, but had not produced them in response to the Court’s Order. Furthermore, it was found that searching these tapes would have been relatively easy,