So much of Computer Forensic work is associated with data recovery from hard disk drives, USB pens and other common data storage media. Even on the television data is generally seen only to be stored on a limited range of media. So what about tape? Probably the largest volume of data stored in the world is on tape, so it is of any value in forensic investigations and litigation work?
The hard disk drive in a computer system contains the most up-to date information along with other forensically valuable information such as internet history and local temporary files.
So why bother looking at the backup tapes?
Ease of Access
Access to the data from a tape archive is often achieved with far less disruption as the tapes can be handed over without systems being seized and imaged. In some instances it is vital that there is not widespread knowledge that an investigation or system audit is underway so taking the backups from an off-site store might be preferable to locking down the active systems for investigation.
The disruption caused by an audit often spreads further than is ideal. People not under any suspicion end up feeling suspected, so being able to make an assessment of the situation without widespread loss of staff morale can be a very good move. Of course care has to be taken that no action in browsing through data contravenes about other rules and that it does not result in widespread knee-jerk actions. With the exception of clearly illegal activities it is often better to use any semi-covert system audit to develop policy and to draw a line after which contravention will result in action.
Backups are a snap-shot of a system or systems, and this can be invaluable. Data can come and go from local systems, and in some instances a degree of data wiping might be done to cover tracks, but if a piece of data was in a place, and gets backed up, then whatever attempts are made to get rid of evidence it will be securely stored within the backup archive.
Working back through month end-backups can give a greater chance to spot wrongdoing and system abuses, unless great care has been taken at some point some information will have been in the road of the backup infrastructure and will be found.
Look before leaping
Understanding of the backup infrastructure is required before embarking upon a trawl through a tape archive as there could be a lot of data to trawl through. Finding out if it is remotely likely that the data you are after will be somewhere in amongst the tapes is a good start, then prioritising the tapes is the next essential step. That the tape archive provides the benefit of a step-back through snap-shots of the system is a great benefit, but it can mean there is a vast quantity of data so planning to reduce the time and costs is essential.
Based upon a recent case where there was potentially the need to examine data from between three and four thousand AIT cartridges containing data written using the NetBackup archiving utility, the importance of a graduated approach becomes abundantly clear.
3000 tapes that require 3 hours each to read, using 10 systems and with an 80% operating time, would take almost 50 days. That is just the time for reading tapes, factor in time for dealing with the recovered data and organizing it for return and you could end up doubling the time.
Developing a pre-scanning system for this type of tape reduced the time per tape to identify the data on each tape down to about 15 minutes, so all tapes could be scanned in about 4 days. This allowed the identification of 500 tapes from which data was needed, and eliminated the remainder. The overall time to read all of the data reduced to fewer than 10 days, the result being a faster service with lower costs. So a bit of preparation can pay dividends.
Recovery from Tape a good idea?
There is no hard and fast rule, understanding the systems and where the data could be is the first step. The tape archive might be a great source of data, but if the data you want was never backed up then you could end up throwing away money and time. But, by ignoring those “scary tape things”, you could be missing data that could form a vital part of any investigation or audit.