Backup Tapes and Forensic Investigation

In any forensic investigation it is normally impossible to have too much information. Backup tapes can be a very valuable source of such information to go along with hard disk images and paper documentation.

A very large number of backup tapes from small office systems and networks are complete backups, and so they give a picture of all the files that existed on a certain day. It can also be accepted that, without an extremely high level of computer skill, the contents of a tape cannot be tampered with. The backup will contain all the files as they were at the time of the backup. This will include files that have since been deleted, and it will not include files that may have been added at a later date and made to look older.

Most evidence collection is based on what was written or created at a certain time; sometimes it may be important to prove that a transaction took place on a certain date, or that something was known about at a defined point in time. Thus the existence and dates of files are very important.

On most operating systems, including Windows, three important dates are stored for each file: the creation date, the date modified, and the date last accessed. The modified date is the easiest to understand and is the date shown when one does a DIR or displays files in Explorer; it is the date the file was last changed. One can be led to believe that the creation date will always be the oldest date, but this is not true. If a file is moved from the C: drive to the D: drive, the modified date is unchanged but the creation date is updated, as this is the date the file was created on the D: drive. The access date is when the file was last viewed. However, several events can change this access date, including performing a 'Properties' on the file to determine its creation date.

If a hard disk is seized for forensic investigation, it can be extremely easy to accidentally change the dates described above. If a tape is restored to a new hard disk then, depending on the backup program, the dates may again be changed. Fortunately, most backup programs do record the dates, and so it is possible to scan the tape and extract the information. MM/PC has a special scan mode that will perform a 'dummy read' of the tape and extract the creation, modified and accessed dates for all the files. It works with most popular backup formats, such as NT Backup (Veritas etc.), ArcServe, Legato and an ever-growing number of logical formats. The resulting log file will show the original file names, the above dates, the file size and often the backup date and volume name. The report can be produced in .csv (comma delimited) format and so can be imported into programs such as Access for further forensic analysis of the files on the tape. Obviously, working this way there is no danger of accidentally modifying a date. A modern DLT can hold over 100GB, and the scan will give the file information without the need to restore the files onto a hard disk.

MM/PC has several other tools that can be useful in a forensic investigation of a tape. It can be set to restore named files, for instance all .xls and/or .mdb files. It can also be used to restore files that were changed on a certain date or within a range of dates. Working with the Record Reformatter, it can be used to extract records with unique keys or details from certain dates. One could, for instance, discover (from the relevant databases) all sales of size 8 shoes on November 15th (if one wanted such information!). This is the solution to the classic problem of finding a needle in a haystack.
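As an added example (not from the article and not part of MM/PC), the following Python script works over a constructed scan log in the CSV layout described above: it finds files modified on a given date or within a range, optionally by extension, flags files whose creation date is later than their modified date (copied or moved onto a new volume, as explained above), and lists files present in one full backup but gone from a later one. The column names, volume names and sample values are assumptions made for the illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a tape-scan log (original file name, creation/modified/
# accessed dates, size, backup date, volume): two full backups, two weeks apart.
SCAN_CSV = r"""file,created,modified,accessed,size,backup_date,volume
C:\Sales\orders.mdb,2001-03-02,2002-11-15,2002-11-16,4194304,2002-11-16,FULL_20021116
C:\Sales\q3.xls,2002-07-01,2002-09-30,2002-10-02,65536,2002-11-16,FULL_20021116
C:\Sales\memo.doc,2002-11-01,2002-11-15,2002-11-15,20480,2002-11-16,FULL_20021116
C:\Sales\orders.mdb,2001-03-02,2002-11-15,2002-11-29,4194304,2002-11-30,FULL_20021130
C:\Sales\q3.xls,2002-07-01,2002-09-30,2002-11-20,65536,2002-11-30,FULL_20021130
D:\Archive\q3.xls,2002-11-20,2002-09-30,2002-11-20,65536,2002-11-30,FULL_20021130
"""

def _d(s):
    return datetime.strptime(s, "%Y-%m-%d").date()

def load_scan(text):
    """Parse the scan log; only the log is read, nothing on the tape is restored."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for k in ("created", "modified", "accessed", "backup_date"):
            r[k] = _d(r[k])
        r["size"] = int(r["size"])
    return rows

def changed_between(rows, start, end, exts=None):
    """Unique file names whose modified date lies in [start, end] (ISO strings),
    optionally limited to given extensions, e.g. (".xls", ".mdb")."""
    lo, hi = _d(start), _d(end)
    hits = {r["file"] for r in rows
            if lo <= r["modified"] <= hi
            and (exts is None or r["file"].lower().endswith(tuple(exts)))}
    return sorted(hits)

def copied_files(rows):
    """Creation date later than modified date: the file was copied or moved
    onto this volume after its last edit, so 'created' is not its true age."""
    return sorted({r["file"] for r in rows if r["created"] > r["modified"]})

def missing_from_later_backup(rows, earlier_vol, later_vol):
    """Files in an earlier full backup that are absent from a later one:
    deleted (or moved) between the two backup dates."""
    earlier = {r["file"] for r in rows if r["volume"] == earlier_vol}
    later = {r["file"] for r in rows if r["volume"] == later_vol}
    return sorted(earlier - later)
```

Call `load_scan(SCAN_CSV)` once and pass the rows to the three query functions; a real scan log would be read from the .csv file instead of the embedded sample.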

End of the Road for Two Prominent Tape Drives (Will you Need a Solution?)

As of December 27, 2002, IBM is withdrawing its 3570 Magstar® MP Tape Subsystem, including all models, associated model conversions, machine upgrades and field-installed features. In addition, the DDS (DAT) manufacturers HP, Sony and Seagate have announced that they will not develop the next-generation product, DDS-5.

So what does this mean for you?
In the case of the 3570 or DDS, maintenance on these drives will only be offered temporarily. At some point this will require a migration to a different tape drive, as well as a media conversion service to migrate your data without disrupting your daily operations. For example, you may consider the LTO tape drive, which will provide you with powerful benefits such as seamless data interchange and unprecedented levels of scalability, reliability and performance, as well as faster-paced innovation, lower prices and true multi-vendor compatibility.

How can eMag help you?
In addition to offering the hardware and media for any tape technology, eMag can assist you with the migration of your data. Depending on your needs, eMag offers either a media conversion service or software at one of our worldwide service centers, or we can perform the service at your facility.

This article may be re-published as long as the following resource box is included at the end of the article and as long as you link to the email address and the URL mentioned in the resource box:

Article by eMag Solutions. For more articles on eDiscovery and Data Restoration, subscribe to our e-mail Newsletter by sending a blank email to newsletter@emaglink.com or by going to http://www.emaglink.com.