/ BACKUP TAPE FORENSICS
purchased tape of the exact same type, and then perform recovery operations on the cloned tape. As a result, an extra two weeks of preparation time was added to the investigation. Even when an investigation team is prepared for dealing with tapes it can be a time-consuming operation to perform recovery.

Case Study #2

The second case study involved a large, mission-critical e-mail and file server that was to be collected from a company on the opposing side of a lawsuit. This situation is often called a “hostile” collection, and makes it even more important than usual that forensic acquisition occur without unplanned business interruptions. In this case the terms of the collection agreement stipulated that the forensics team was limited to a single day of access to make a “live image” of the machine. Due to the size of the server, it quickly became clear that even with a file-system level acquisition of active files, the imaging process could not be completed during the allotted time.

However, during discussion of alternatives with the company’s IT team, investigators discovered that backup tapes for the server were available. Indeed, the tapes would provide information from the server that was more likely to provide relevant information, since it was from a time closer to the events in question. Therefore, the investigator decided that the backup tapes offered an appealing alternative to traditional acquisition.

With the lawyers’ approval, the investigation team collected a set of eight backup tapes from the company. These included multiple sets of incremental backups from before and after the date in question, providing a healthy time frame for investigators to examine.

Due to the large number of tapes acquired from the company, the size of each tape, and the perceived complexity of analysing a set of incremental backups, an external data recovery company was employed to restore each tape to hard disk (at a substantial cost). Once this had been done, the hard disks provided by the data recovery company were imaged and analysed. Initial analysis of the hard disks revealed several large file-based backups, which forensic software was unable to process. So the files were exported and the software used to create the backups was determined. Each individual file was then processed and extracted onto disk, after which it was imaged and processed using forensic tools.

By employing the external data recovery company, the forensic company incurred large additional costs. However, these may have been no greater than the alternative costs of new equipment and processing the incremental backup tape format. Additionally, they encountered more file-based backups and spent extra time processing those files, in case any contained relevant data. Although these costs and challenges may seem like disadvantages to the investigators, there were also two important advantages. First, they were able to collect the information from the collection site in a very timely manner. Second, they were able to compare the different states of the server over the time frame from which they had collected information. Therefore they could accurately compare the state of a user’s mailbox or personal files from different periods of time, which assisted in reconstructing the events of the time period in question.

/ Conclusion

Tape backup systems are an important component of any case involving corporate lawsuits. Indeed, the involvement of tape backup systems in civil litigation is increasing, which brings all of the issues with their acquisition and investigation to the forefront. Many of the same problems encountered by investigators for the past few years still exist, since little research has been devoted to this area. Therefore, forensics companies should be prepared to handle digital information from backup tapes, since so much can hinge on a company’s ability to retrieve information from them. Future work in this area includes the creation of a vendor-neutral tool to retrieve data from the large variety of tapes in corporate use. In the meantime, digital forensics investigators should familiarise themselves with the potential issues, techniques, and available solutions regarding backup tape forensics in order to be most effective to their customers.

References

[1] Gruener, J. and Balaouras, S. (2004). Reexamining Tape Media Reliability: What Customers Should Know. Retrieved October 14, 2008, from ftp://ftp.compaq.com/pub/products/storageworks/ecn-11396-consulting.pdf
[2] Nikkel, B. (2005). Forensic Acquisition and Analysis of Magnetic Tapes. Digital Investigation, 2(1), 8-18.
[3] Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co., Inc., 2005 WL 679071 (Fla. Cir. Ct. Mar. 1, 2005).
[4] Zubulake v. UBS Warburg LLC, 217 F.R.D. 309 (S.D.N.Y. 2003).
[5] McCallister, Michael. SUSE Linux 10 Unleashed: Unleashed, Sams Publishing, 2006.
[6] Watters, Paul. Solaris 10: The Complete Reference, McGraw-Hill Professional, 2005.

/ Lead Author Bio

Gavin W. Manes Ph.D. received his Doctorate in Computer Science from the University of Tulsa where he specialized in information assurance research. He went on to perform research and teach courses in digital forensics and telecommunications security at the Institute for Information Security at the University of Tulsa. He is currently the founder and CEO of Avansic, a provider of digital forensics and electronic discovery services. He is well published in the fields of digital forensics and information security, and has presented a number of related topics at conferences and symposia across the country. He also serves as an expert witness through courtroom testimony, depositions, and consultation with legal professionals.
42 Digital / ForensicS