/ BACKUP TAPE FORENSICS
despite the company’s claims to the contrary. Morgan Stanley was issued an adverse inference order by the court for failing to comply with the discovery orders, and was ordered to pay approximately $1.45 billion in damages. Although this decision has since been reversed on appeal, the sanctions relating to the failure to disclose were not removed.
/ Zubulake v. UBS Warburg
In Zubulake v. UBS Warburg (2003), a wrongful termination suit that ended in a $29 million verdict for the plaintiff, information was requested which resided on backup tapes. However, it was found that some of those tapes were missing, and relevant emails had been deleted, after the lawsuit had been filed. An adverse inference instruction was given to the jury on the basis that UBS Warburg had failed to preserve emails that it knew to be relevant to litigation.

In both of these cases, backup tapes proved to be crucial evidence on which the verdict hinged. Clearly, the proper and thorough forensic acquisition and investigation of backup tape media should not be ignored when performing a digital forensics investigation.
Backup Tape Issues

Tape Formats and Hardware Issues
There are many magnetic tape formats, each of which requires different hardware to read. While internal forensics investigators employed by a company may have to accommodate only the tape formats in use by that company, a standalone forensics or data recovery company needs to maintain a collection of tape drives to cover, at least, the most commonly encountered tapes. The most likely formats include DAT, Exabyte, and DLT, with AIT and LTO types growing in popularity.

Even if a company possesses all of these devices, they usually will not read past an End of Data marker on the tape, which can leave unread data on the tape from any previous backups. Although the SCSI standard specifies a common interface for all of these drives, it lacks the low-level control commands needed by forensic investigators to make a complete bitstream copy of the tape. Some drives contain firmware with a special mode that allows reading past the End of Data marker. There are currently other proposed solutions to allow for complete bitstream copies to be created using customized firmware, but most of the research in this area is either theoretical or not publicly available.

Archive Types
Beyond the hardware issues, investigators also encounter problems with the large number of backup archive formats in use. Tape hardware only provides a medium for the data, while a staggering variety of software solutions provide different ways of storing the data on the tape. The most common archive types are the tar and dump formats typically used on Linux systems and Windows’ built-in NTBackup; however, most vendors providing backup software solutions have their own proprietary tape formats [5]. This presents significant problems for investigators, especially if the software used to create the tapes is rare or obsolete. These situations may require the use of a data recovery company.

Integrated Solutions
Solutions to the problems of backup tape forensics will be either hardware or software related. Hardware considerations for deploying a backup tape solution in a forensics lab must take into account the most common types of tapes that the investigator is likely to encounter in the field. Several stopgap solutions have been developed for the forensic acquisition of backup tapes, through the use of standard tape management tools and occasionally tape recovery software [2]. These tools address the problem, but require more preparation than would be the case for a hard drive. Again, the wide range of tapes, archive formats, and backup recovery software complicates the issue.

Recommendations
Duplication of the backup tape to prevent accidental damage or spoliation of evidence is highly recommended when attempting to extract information. Safe duplication of tape data can be achieved, usually in a single read pass, by using dd against the non-rewinding tape device on a Linux machine [2][6]. This produces one image file per tape file; each image should be hashed as it is created, so that the duplicate tape and any later extraction can be verified against the original, and the images can then be copied to a duplicate tape. All data recovery operations should be performed on this duplicate tape to prevent unnecessary wear and tear on the original physical media and to prevent any accidental destruction of evidence.

Extraction of the files from the tape can be performed in a number of ways. It is generally acceptable to use the original
Digital / ForensicS, page 40 (DF1_39-42_4th Feature.indd, 29/10/09 5:23:12 pm)
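The per-file dd acquisition recommended above and the archive-type problem from the Archive Types section, as an added example that is not part of the article and is not code from its authors or from references [2], [5] or [6]. It implements the same loop an examiner runs with dd against the non-rewinding device (one image per tape file, stopping at the first empty tape file, which corresponds to two consecutive filemarks), hashes each image, and then classifies each tape file from its first block as tar, dump or NTBackup (MTF). The read size, the end-of-data convention, the FakeTape stand-in and its sample tape content are assumptions made for this example; only the format signatures (the ustar header checksum, the dump magic 60012 at byte offset 24, and the "TAPE" descriptor block that opens an MTF tape) are standard.

```python
# Added example (not code from the article or its references): image a tape
# one tape file at a time, hash each image, and sniff the archive type.
# Read size, the EOD convention and FakeTape's sample content are assumptions.
import hashlib
import struct
import tarfile

READ_SIZE = 64 * 1024  # assumed; must not be smaller than the largest record
DUMP_MAGIC = 60012     # NFS_MAGIC in the dump(8) header, a 4-byte int at offset 24
MTF_TAPE = b"TAPE"     # type of the first descriptor block on an NTBackup tape


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def tar_checksum_ok(hdr):
    """A 512-byte tar header stores, in octal at bytes 148..156, the sum of all
    header bytes with the checksum field itself counted as eight spaces."""
    if len(hdr) < 512:
        return False
    field = hdr[148:156].split(b"\0")[0].strip() or b"0"
    try:
        stored = int(field, 8)
    except ValueError:
        return False
    return stored == sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:512])


def identify_archive(block):
    """Classify a tape file from its first block: tar, dump, mtf or unknown."""
    if block[:4] == MTF_TAPE:
        return "mtf"
    if tar_checksum_ok(block):
        return "tar"
    if len(block) >= 28:
        for fmt in ("<i", ">i"):  # dump writes its header in host byte order
            if struct.unpack_from(fmt, block, 24)[0] == DUMP_MAGIC:
                return "dump"
    return "unknown"


def image_tape(read):
    """Read tape files until End of Data; return [(data, sha256), ...].
    `read(n)` is assumed to act like /dev/nst0: one record per call, an empty
    read when a filemark is crossed, then empty reads or EIO at EOD. Like the
    dd loop it mirrors, it stops at the first empty tape file (two filemarks)."""
    files = []
    while True:
        records = []
        while True:
            try:
                rec = read(READ_SIZE)
            except OSError:  # some drives report EIO rather than a 0-byte read at EOD
                rec = b""
            if not rec:
                break
            records.append(rec)
        if not records:  # empty tape file: consecutive filemarks, i.e. EOD
            return files
        data = b"".join(records)
        files.append((data, sha256_hex(data)))


def acquire(read):
    """Image the tape and label every tape file with its archive type."""
    return [{"index": i, "size": len(d), "sha256": h,
             "format": identify_archive(d[:1024])}
            for i, (d, h) in enumerate(image_tape(read))]


class FakeTape:
    """Constructed stand-in for /dev/nst0 so the loop runs without a drive."""

    def __init__(self, tape_files):
        self._files, self._pos, self._off = list(tape_files), 0, 0

    def read(self, n):
        if self._pos >= len(self._files):
            return b""  # at EOD: empty reads from now on
        data = self._files[self._pos]
        if self._off >= len(data):  # crossing the filemark after this file
            self._pos, self._off = self._pos + 1, 0
            return b""
        rec = data[self._off:self._off + n]
        self._off += len(rec)
        return rec


def sample_tape_files():
    """Constructed tape content: one tar, one dump and one NTBackup (MTF) file."""
    tar_hdr = tarfile.TarInfo("evidence.txt").tobuf(tarfile.USTAR_FORMAT)
    dump_hdr = bytearray(1024)
    struct.pack_into("<i", dump_hdr, 24, DUMP_MAGIC)
    return [tar_hdr + b"\0" * 512, bytes(dump_hdr), MTF_TAPE + b"\0" * 1020]


if __name__ == "__main__":
    for entry in acquire(FakeTape(sample_tape_files()).read):
        print(entry)
```

Against a real drive on Linux, rewind first with `mt -f /dev/nst0 rewind`, open /dev/nst0 in binary mode and pass its read method as `read`; the shell equivalent is repeating `dd if=/dev/nst0 of=tape.N bs=64k` with the non-rewinding device until an empty output file appears. Drives differ in how they report the end of data (a zero-length read or an I/O error), which is why the loop accepts either, and neither dd nor this loop reads past the End of Data marker, so data from earlier backups beyond it remains out of reach, as the Tape Formats section explains.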