SANS Digital Forensics and Incident Response Blog

Custodians of Digital Evidence

Let's think like a system administrator for a moment....

Here is the scenario:

You're the corporate incident handler/digital forensics person and you've just finished your latest case. The finished forensics report has been handed off to your boss, human resources, and the legal team. You are looking at your RAID 5 volume with all of the data the case generated. With 500 gigabyte and terabyte drives almost standard now, the case data might be nearly that big. So you back up your data and the tools you used on the case to your DLT tape drive or another hard drive, wipe your drives, and pack the media away for storage.

Now, four and a half years later, legal counsel calls you into their office to tell you that the ex-employee has decided to sue. Not a problem, you've got all of the case data backed up. It is just a matter of restoring it and providing copies to counsel as required.

But here is the problem: the DLT drive you have been using doesn't work any more. Or even worse, it was sent to the trash heap (recycled) with that old forensics machine you stopped using a year ago. Even if you still have the DLT drive, is the tape still readable?

I've been a system administrator for over ten years and I have seen some interesting challenges regarding restoring from backups. The first issue is always hardware and the second is media. Usually, the hardware is worn out. In the corporate environment, chances are you are going to borrow a tape drive to do your backups. Doing so leaves you open to the possibility that one day that tape drive will no longer be on site, because a new backup solution has been put in place without anyone informing you of the switch.

The second issue is media degradation. Most tapes are only good for about six years when stored in good to ideal conditions. The tapes can become brittle and break due to age. There is also a chance, due to age or a malfunction of the tape drive, that the tapes stretch when used, destroying that portion of the tape.

Let's say you back everything up to a hard drive. Will it still spin up after resting for four and a half years?

Another approach would be to use USB flash drives. From my research I have seen life expectancies of up to 10 years, provided writes are kept to a minimum. I have not heard of too many people doing this, mostly due to the size of the flash drives. Plus, the drives have not been around that long.

The last type of easily available writable media is CD-R/DVD-R/Blu-ray. Per NIST, CD-R, DVD-R, and DVD+R should last anywhere from 100 to 200 years if properly stored. I think a realistic number is more likely 30 years, simply because of how long technology that can still read the discs will be around. Discs need to be stored in a vertical position, in a case, and in a dry, cool environment.

I have DVDs that are three-plus years old and still working correctly. At the time I did not pay attention to the type of media I was saving my forensics cases to, at least not with regard to archival quality. Lucky for me, the DVDs are in excellent condition and all the hashes match the saved data.

Also, I have some old CD-Rs from 1996 to 1997 that show no visual signs of degradation, and the discs are still readable. While nothing on them was backed up for forensics purposes, my data backups are still readable.

The thing to take away here is to pay some attention to your backup solution. Some suggestions:

  1. Find out how long you need to store items.
  2. Pick an archival solution that meets the temporal requirements.
  3. Use archival quality media. It doesn't hurt to do a little research into which brands are good quality and which are not.
  4. Always test your backups after you make them to ensure that the data is good.
  5. Store your backups in the environment recommended by the manufacturer or NIST.
  6. Check your backups every year or every other year to catch degradation before it gets to the point where you cannot recover the data.
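Items 4 and 6 come down to one mechanic: hash every file in the case archive once, store the manifest with the archive, and re-hash on every check. The script below is an added example, not code from the original post; the function names (`build_manifest`, `verify_archive`, and so on) and the throwaway case archive it builds are my own, and the manifest uses the `<hex>  <path>` layout that `sha256sum -c` also accepts.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # 1 MiB at a time
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    root = Path(root)  # keys are paths relative to the archive root
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def write_manifest(manifest, out_path):
    # "<hex>  <path>" per line, the layout sha256sum -c understands
    with open(out_path, "w") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")

def read_manifest(path):
    lines = Path(path).read_text().splitlines()
    return {rel: digest for digest, rel in
            (line.split("  ", 1) for line in lines if line.strip())}

def verify_archive(root, manifest):
    """Re-hash the archive and classify every manifest entry."""
    current = build_manifest(root)
    report = {"ok": [], "mismatch": [], "missing": [],
              "unexpected": sorted(set(current) - set(manifest))}
    for rel, expected in manifest.items():
        state = ("missing" if rel not in current
                 else "ok" if current[rel] == expected else "mismatch")
        report[state].append(rel)
    return report

def demo():
    """Constructed case archive: hash it, then simulate bit rot and a lost file."""
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp) / "case-0001"
        (case / "images").mkdir(parents=True)
        (case / "images" / "laptop.dd").write_bytes(b"\x00" * 4096)
        (case / "report.pdf").write_bytes(b"%PDF-1.4 constructed report")
        write_manifest(build_manifest(case), Path(tmp) / "MANIFEST.sha256")
        # Years later: one flipped byte in the image, and the report is gone
        (case / "images" / "laptop.dd").write_bytes(b"\x00" * 4095 + b"\x01")
        (case / "report.pdf").unlink()
        return verify_archive(case, read_manifest(Path(tmp) / "MANIFEST.sha256"))
```

Keep the manifest on separate media from the archive (or at least outside the hashed tree) so that a damaged disc cannot take both the evidence and the record of what it should hash to.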

References

CD-R/DVD

http://www.clir.org/pubs/reports/pub121/contents.html

http://nvl.nist.gov/pub/nistpubs/jres/109/5/j95sla.pdf

http://www.itl.nist.gov/iad/894.05/papers/CDandDVDCareandHandlingGuide.pdf

http://www.itl.nist.gov/iad/894.05/publications.html

http://www.optical.com/optical_storage/IEEE_Bluray.pdf

Storage guidelines

http://www.itl.nist.gov/iad/894.05/docs/disccare.html

USB Flash Wear Leveling and Lifespan

http://www.corsair.com/_faq/FAQ_flash_drive_wear_leveling.pdf

3 Comments

Posted April 8, 2010 at 4:06 PM

lcherne

This echoes a great paper by Jeff Rothenberg:
"Digital Information Lasts Forever - Or Five Years, Whichever Comes First"
http://www.amipaperless.com/dps/rothenberg-arma.pdf
It relates in particular to these two points:
2. Pick an archival solution that meets the temporal requirements.
5. Store your backups in the environment recommended by the manufacturer or NIST.
There's an eye towards making sure we are thinking about the future, ensuring s/w requirements are documented, and considering emulation.

Posted April 19, 2010 at 3:39 PM

Greg Kelley

I'd like to see you restore terabyte cases from DVDs or CD!

Posted April 20, 2010 at 7:04 PM

Keven Murphy

Greg,
Actually, it is not that bad. My forensics box has 5 22X-speed DVD burners. I throw a disc into each and go.
The worst part is waiting for the decompression.
Like everything, if you build your system around your needs, it really isn't that bad. The time it takes is almost the same as if I backed up to tape.
Keven