eDiscovery News & Events

The eMag Link Monthly Articles

May Edition


MediaMerge/Tape Management System's Historical Catalog
Hashing and Forensic Applications
Hardware Withdrawal: IBM 3995

MediaMerge/Tape Management System's Historical Catalog

Are you asked to find particular missing files from your backups of Windows and Unix computers? Are you asked to locate older (or original) versions of existing files? When asked what client computer is involved, are you told, "We don't know"? If any of these is the case, then you need the MM/TMS Historical Catalog. It turns any request for specific files in your backups from a days-long adventure into a simple search engine lookup.

Doesn't your backup software keep this information? The answer may surprise you. Backup software for Unix and Windows remembers filenames for only a short period of time (probably a few weeks) just to save drive space on the backup server. Are you incredulous? We were, so we did something about it.

With the MediaMerge/Tape Management System's Historical Catalog module, you can keep a complete catalog of the contents of all your backups. We provide a search engine, which allows you to search for files by name or wildcard and date range, from one computer or from any list of computers. You can even find every existing version of the same file. When you then need to access those files, we provide a listing of the media needed to restore them. Please contact us to learn more about MediaMerge/Tape Management System's Historical Catalog.


Hashing and Forensic Applications

The hash code of a file is a number (typically 16 or 20 bytes in length) that is unique for just that file. There are two standard routines for generating these codes, SHA-1 and MD5, which are universally accepted in the forensic and investigation world. This article discusses the primary areas where you will encounter these routines.

Obviously, a unique number is a digital signature of a file. Once it has been generated, it can be shown at any later date that the file has not been changed, intentionally or accidentally (in transmission, etc.). Thus the whole question of whether a file has been tampered with can be settled in a very easy way.

The other main area is identifying files by their contents. A hash value is generated from the file contents alone; the file name and file date are not relevant. This can help an investigation in two very different ways. When examining a tape or disk for information, it is often necessary to eliminate, by some means, a very large number of system files. One may decide to ignore, say, all .EXE files or all .DLL files, but in doing so it is impossible to tell whether these files do in fact store user information that could be relevant to an inquiry. What can be ignored are all system files that have not been changed since they were generated, for instance, by Microsoft. A new XP system contains a GB or so of data made up of a very large number of files. By having hash values of all of these original files, it is possible to eliminate them in the certainty that they have not been changed or added to in any way since they were released by Microsoft. Data that has been hidden in a file with a standard operating system name, even of the same size and date, will never have the same hash value. To make life a bit easier for users, there are lists of hash values for many standard applications and operating systems on the web. A useful address is http://www.nsrl.nist.gov.

The second useful application for investigations is often based on the requirement to detect whether certain files exist, typically in pornographic image investigations. If somebody is suspected of downloading files from a certain site, then the hash values of the files on their disk or backup tape may be compared with known databases, and matches can be made irrespective of file name or location.
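The two uses described above, eliminating unmodified system files and finding specific files whatever they are called, shown as an added example that is not eMag's or MM/PC's code. The function names are hypothetical, and the known-file and wanted-file lists are assumed to be plain sets of MD5 hex digests built from constructed sample data.

```python
import hashlib
import os
import tempfile

def file_digests(path, chunk_size=1 << 20):
    """Return (md5_hex, sha1_hex) of a file's contents, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def triage(root, known_system_md5, wanted_md5):
    """Sort files under root into skipped / matched / review by content hash only."""
    result = {"skipped": [], "matched": [], "review": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            md5, sha1 = file_digests(path)
            if md5 in wanted_md5:
                bucket = "matched"      # a file being searched for
            elif md5 in known_system_md5:
                bucket = "skipped"      # unmodified vendor file, safe to ignore
            else:
                bucket = "review"       # unknown contents, keep for examination
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[bucket].append((rel, md5, sha1))
    return {k: sorted(v) for k, v in result.items()}

def demo():  # triage a constructed evidence tree; all sample data is made up
    vendor = b"constructed stand-in for an original vendor DLL"
    wanted = b"constructed stand-in for a file being searched for"
    files = {
        "system32/shell.dll": vendor,              # untouched system file
        "system32/print.dll": vendor + b"hidden",  # system name, altered contents
        "docs/holiday.jpg": wanted,                # file of interest, renamed
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return triage(root, {hashlib.md5(vendor).hexdigest()},
                      {hashlib.md5(wanted).hexdigest()})

if __name__ == "__main__":
    print({bucket: [e[0] for e in entries] for bucket, entries in demo().items()})
```

The altered `print.dll` lands in `review` even though it carries a system file name, and the renamed image still lands in `matched`.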

MM/PC has had the ability to create hash values as part of the forensic log for over a year now, but a new addition (on V4.05) is the ability to import hash tables in hashkeeper (MD5) format to work with the de-duplication routine to skip restoring standard operating system files from tape. The log will display the files that have been skipped, along with all hash values, in both SHA-1 and MD5 format. The log can be exported so that searching for known hash values may be carried out by user applications. Contact us today to learn more about this new feature for MM/PC.


Hardware Withdrawal: IBM 3995

All models and selected features - Replacements available

Effective July 30, 2004, IBM is withdrawing IBM 3995 Models C40, C42, C44, C46, C48, C60, C62, C64, C66, and C68, selected features, and all model conversions. Effective December 31, 2004, IBM is withdrawing IBM 3995 Models C12, C16, C18, C32, C34, C36, and C38, selected features, and all model conversions.

Do you have optical conversion needs? eMag's capability with data conversion is unsurpassed due to our extensive experience of over 25 years in service delivery work and the writing of proprietary software products tackling the reading of a myriad of tape types and formats. Contact us today to learn more about our conversion/migration services.


Product and company names mentioned on this web page may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

This article may be re-published as long as the following resource box is included at the end of the article and as long as you link to the email address and the URL mentioned in the resource box:

Article by eMag Solutions. For more articles on eDiscovery and Data Restoration, subscribe to our e-mail Newsletter by sending a blank email to newsletter@emaglink.com or by going to http://www.emaglink.com/.