
The eMag Link Monthly Articles

August Edition


Forensic Capabilities Expanded for MM/PC


In past articles we have talked about tape forensics and tape technology. As a former tape manufacturing company, we see all types of issues with media at our data centers. As we expand our capabilities to deal with these conversion issues for clients and find new ways to solve problems, we in turn get requests for expanded capabilities...and so it grows. The result is that our development team is kept very busy adding new features and capabilities to our MM/PC tape software package.

There are a couple of forensic ideas that we have been working on that have been driven by client requests. We will soon be releasing the new MM/PC capabilities, and we'd like to share them with you.

Imagine being able to restore only the unique content on each tape. A typical backup tape can contain many duplicated files. It doesn't do any good to simply look at the name of a file to see if it is a duplicate; one has to look at the contents. This is done electronically through a process called hashing, which, simply put, produces a unique value for each file based on the contents (not the name) of the file. Even if one bit changes, the resulting hash value will change. A hash is much like a fingerprint in terms of uniqueness, and as such the hash value can be used to uniquely identify each file. Companies like EMC rely on hash values for their Content Addressable Storage units like the Centera™.

Ok...enough theory. How does this help you? Our developers have come up with a series of algorithms that ensure that every hash generated for a file on tape is compared at high speed against the previously stored hashes (or file equivalents). If the hash is found, the file can't be unique and therefore is not restored. Thus only unique files, regardless of their names, are restored. For the forensic investigator, this means you now have only unique files to look through and, in addition, hash values for every file recovered from tape.
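The duplicate check described above, sketched as an added example; it is not MM/PC code, and the article does not describe the product's algorithms. SHA-256, the function names and the sample tape contents are assumptions constructed for illustration.

```python
import hashlib
import io

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a file-like object in chunks so large files never sit fully in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def restore_unique(tape_files, seen):
    """Decide, per file, whether its content has been seen before.

    tape_files: iterable of (path, readable stream) pairs from one tape
    seen: set of hashes carried across tapes (updated in place)
    Returns (restored, manifest): restored maps hash -> first path with that
    content; manifest has one (path, hash, action) row for every file read.
    """
    restored, manifest = {}, []
    for path, stream in tape_files:
        file_hash = sha256_stream(stream)
        if file_hash in seen:
            manifest.append((path, file_hash, "skipped-duplicate"))
        else:
            seen.add(file_hash)
            restored[file_hash] = path
            manifest.append((path, file_hash, "restored"))
    return restored, manifest

# Constructed sample data standing in for two backup tapes.
TAPE_1 = [
    ("finance/report.doc", b"Q3 revenue: 1200"),
    ("archive/old_copy.doc", b"Q3 revenue: 1200"),  # same content, new name
    ("mail/priv.edb", b"mailbox store A"),
]
TAPE_2 = [
    ("finance/report.doc", b"Q3 revenue: 1201"),    # same name, content changed
    ("mail/priv.edb", b"mailbox store A"),          # already restored from tape 1
]

def demo():
    seen = set()
    as_streams = lambda tape: ((p, io.BytesIO(d)) for p, d in tape)
    r1, m1 = restore_unique(as_streams(TAPE_1), seen)
    r2, m2 = restore_unique(as_streams(TAPE_2), seen)
    return r1, m1, r2, m2, seen

if __name__ == "__main__":
    for row in demo()[1] + demo()[3]:
        print(row)
```

The manifest keeps a hash for skipped files as well, so an investigator can still show which paths held content identical to a restored file.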

We are also working on an expanded file selection or exclusion filter. Some tapes contain upwards of 15 million files. Why restore 15 million files when you only want one particular file, or one group of file types (say .edb or .nsf, for example)? For a while we have been able to restore files based on these kinds of criteria, but what if you decide you want to exclude all the system files? That would involve dozens of different file types, which the current filter can't handle. We are working on a "super-filter" that allows you to specify literally dozens and dozens of file types to include or exclude, thus ensuring that you retrieve only the content which is of interest to you.

Finally we are working on retrieving files based on content alone; not their names but actually what is inside. Let's say you want to restore all files that make reference to a certain string of characters such as a case name or account number or something along those lines. We are working on a system that will allow you to ONLY retrieve files that meet the search criteria.

So this tells you where we are heading with MM/PC. It is an interesting new direction and should make life a lot easier for those whose job it is to sift through the mountains of data typically restored from each tape. We'd also like to hear from you. If you have an idea for MM/PC that can help make your job a little easier, please contact us today.


This article may be re-published as long as the following resource box is included at the end of the article and as long as you link to the email address and the URL mentioned in the resource box:

Article by eMag Solutions. For more articles on eDiscovery and Data Restoration, subscribe to our e-mail Newsletter by sending a blank email to newsletter@emaglink.com or by going to http://www.emaglink.com.
