01 April 2010
Use of Backup Tapes in Computer Forensics
Most of us are aware that the hard disk drive of a computer holds the most current information available as well as a variety of other forensically valuable data such as local temporary files and internet history records. So if you have the hard disk drive is there any reason to look at backup data tapes?
With computer forensic work there is often a background investigation conducted meaning that it is preferable that the less people that are involved is the choice to conduct the investigation. Where there is the ability to use data that is from a tape archive it is often a way to carry out an investigation more discretely and does not require that entire systems must be seized. When it is possible to locate data backup tapes this is an option to conduct an investigation or audit with the potential to do so without alerting those being investigated or audited.
With an audit for example the disruption spreads further than that business or person being audited and raises fear in others and being able to covertly carry out the data analysis, prior to any investigative results, reduces any stress or loss of morale of others who are not perhaps directly involved.
Data in local systems comes and goes and can often be replaced, especially where this is the intention of the business or person being investigated. Back up data information provides a snap-shot of a system or systems and therefore provides a historical record. Therefore if there is an attempt to remove information from a local system and that information was previously stored on a back up system then that information will be able to be recovered within the backup data tape.
Those who specialize in this form of investigation will work back through the backup data tapes and can therefore gain a greater insight into any system abuse or illegal behavior that may have taken place. Unless the person who is attempting to erase information has a great knowledge of the system and erasure techniques then the information that is being sought, if it in fact exists, should be located within the backup infrastructure.
Those conducting the investigation of the data must have knowledge of the backup infrastructure itself. There is likely to be a significant amount of information stored within backup tapes so knowledge of how to process this information to reduce the search time requirements is a key factor. This is especially important relating to cost factors as well as man-power and time to conduct any investigation or audit.
As an example, if there are 3000 tapes that require 3 hours each to read completely and you could use 10 systems with 80% operating time this would mean the required time to read the 3000 tapes would be approximately 50 days. This does not take into account the requirement to actually analyze and organize the data itself.
In these cases a pre-scanning system for the specific type of tape and system is required to reduce the actual time for identification of the data on each of the tapes. When this is effectively carried out the time can be reduced from 3 hours per tape down to approximately 15 minutes per tape. That therefore reduces the time period from 50 days to around 4 days for the reading of the data.
The point being that while the data tapes hold the information required a suitable system must be available to sort and categorize the information to eliminate irrelevant data and only leave those investigating the tapes the information that they require to complete a more thorough analysis of the relevant facts.
There are a great many factors in computer forensic analysis and there are no standard systems that will apply to all data tapes. A great understanding of the system and where the data may be stored is generally the first step in the investigation, after retrieval of the data tapes. This information is of course beneficial to those being investigated as well as those who wish to have some investigation completed. There is a great deal of information available about the abilities of computer forensics and if this is something that interests you it is suggested you yourself “dig a little deeper” into your particular angle of computer forensics.
by: Michiel Van Kets