/ BACKUP TAPE FORENSICS
backup tape software to restore the information onto a hard disk. Several third party solutions exist that can handle a variety of tape formats and are especially useful when the original tape format is unknown. Nucleus Technologies provides a tape backup recovery software product that can handle some of the most basic formats, such as tar and NTBackup. This solution has some features that are desirable to an investigator, such as creating an image of a tape at the time of recovery. Index Engines also provides an offline tape recovery solution: it requires a lease of specialised hardware to attach the tape library, but has a more robust set of compatible formats and is geared towards E-Discovery users. Whichever method is utilised, the software should be used to restore the files from the backup tape onto a hard disk, which can then be imaged or directly analysed as part of an investigation.

/ Forensic uses of backup tapes

Several practical and theoretical uses of backup tapes can arise during digital forensics investigations. Backup tapes are typically used to retrieve data in the event of server failure or retirement, and are superior to backup files due to their inherent resistance to tampering or destruction of data. Forensics professionals can use backup tapes when a server is too large for onsite collection, since the tapes can be taken to a forensics lab and their contents restored onto a RAID system or other large storage device.

There are more innovative uses of backup tapes during forensics investigations. Investigators can build a sophisticated timeline of a computer’s history by comparing the current state of the system to a disk image in order to identify signs of tampering. If such nefarious activity did take place, it is unlikely that both the system and the backup tapes would have been modified consistently.

Backup tapes can also be used to ensure compliance with evidentiary rules regarding spoliation. They can show that while evidence existed on a machine at a certain point in time, it was either negligently or maliciously deleted after that date. Using tapes from an intermediate period can also provide information regarding the loss or destruction of data that is unavailable on a disk image of the current system. This information could help provide grounds for a negative inference instruction.

Investigators can use backup tapes to find files and documents that have been deleted, and it is possible to recover information from log files that have been overwritten on the current system. These logs contain information about the history of the system and other resources such as network systems, users, logs, services, etc. These resources may not exist any more and their removal may signal illicit or negligent behaviour; such information could be useful either in the discovery process or to establish grounds for arguing that evidence was not properly preserved.

/ Case studies

The practical uses of backup tapes are illustrated by the following two case studies. Both highlight some of the complexities that can arise during the collection and investigation portion of the digital forensics process when using backup tapes.

Case Study #1

A company required forensics investigation of an email server related to the departure of an employee two years previously. The server had been decommissioned and removed from the company inventory since the events in question, and a newer server had taken its place. The IT staff had performed manual migration for the mailboxes of current employees during the changeover. However, the company had retained backup tapes of the original server, several of which contained information from the time period in question. Since the backup tapes represented the only potential evidence from that time period, it was critically important to recover and examine the information on the tapes in the most forensically sound manner possible.

The forensic acquisition of these backup tapes presented a challenge for the investigation team. Since the backup tape was of a format the forensics team currently did not have available, equipment purchases had to be made, and extensive research was conducted to determine the soundest forensic methodology for analysing the tapes. Even though this case featured only one tape, the amount of time needed to research the factors involved was significant due to the presence of unfamiliar technology and the necessity to duplicate the information in a forensically acceptable manner. The team decided to use the dd program to create a bit-for-bit copy of the accessible data on the tape, write it onto a newly
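The timeline and spoliation argument described under Forensic uses of backup tapes, as an added worked example (not code from the article): several dated tapes restored to disk are compared with the live system to find the narrowest window in which a file disappeared or changed. The digests, paths and tape dates below are constructed sample data; in practice a Snapshot is built by hashing the restored tree and the dates come from the backup catalogue or tape labels.

```python
"""Narrow a file's deletion to a window between dated backup tapes.

Added example, not code from the article. A Snapshot maps a path in a restored
tape tree to the SHA-256 digest of its content; tape dates are assumed to come
from the backup catalogue or tape labels.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, str]  # relative path -> hex SHA-256 of file content

@dataclass(frozen=True)
class Finding:
    path: str
    kind: str                   # "deleted" or "modified"
    last_seen: date             # tape on which the earlier version still existed
    first_gone: Optional[date]  # next tape lacking it; None = only the live system lacks it

def compare_states(tapes: List[Tuple[date, Snapshot]], current: Snapshot) -> List[Finding]:
    """Walk the tapes oldest to newest, then the live system, recording each file
    that vanishes or changes between consecutive states; (last_seen, first_gone)
    is the narrowest window the surviving tapes support."""
    ordered = sorted(tapes, key=lambda t: t[0]) + [(None, current)]
    findings: List[Finding] = []
    for (prev_date, prev), (next_date, nxt) in zip(ordered, ordered[1:]):
        for path, digest in prev.items():
            if path not in nxt:
                findings.append(Finding(path, "deleted", prev_date, next_date))
            elif nxt[path] != digest:
                findings.append(Finding(path, "modified", prev_date, next_date))
    return findings

# Constructed sample: three quarterly tapes of a mail server plus its live state.
# Digests are shortened placeholders standing in for real SHA-256 values.
SAMPLE_TAPES = [
    (date(2007, 3, 1), {"mail/jdoe.pst": "a1", "logs/smtp.log": "l1", "hr/review.doc": "h1"}),
    (date(2007, 6, 1), {"mail/jdoe.pst": "a1", "logs/smtp.log": "l2", "hr/review.doc": "h1"}),
    (date(2007, 9, 1), {"logs/smtp.log": "l2", "hr/review.doc": "h1"}),
]
SAMPLE_CURRENT = {"logs/smtp.log": "l3", "hr/review.doc": "h1"}

def sample_findings() -> List[Finding]:
    return compare_states(SAMPLE_TAPES, SAMPLE_CURRENT)

if __name__ == "__main__":
    for f in sample_findings():
        gone = f.first_gone or "live system"
        print(f"{f.kind:8} {f.path}: last seen {f.last_seen}, gone/changed by {gone}")
```

A finding whose first_gone is None means the file survived on every tape and is missing only from the live system, which is the situation the article describes as grounds for a spoliation argument.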
DF1_39-42_4th Feature.indd 41 29/10/09 5:23:13 pm