SANS Digital Forensics and Incident Response Blog: Tag - backups

Custodians of Digital Evidence

Let's think like a system administrator for a moment....

Here is the scenario:

You're the corporate incident handler/digital forensics person and you've just finished your latest case. The finished forensics report has been handed off to your boss, human resources, and the legal team. You are looking at your RAID 5 volume with all of the data the case generated. With 500-gigabyte and terabyte drives almost standard now, the case data might be nearly that big. So you back up your data and the tools you used on the case to your DLT tape drive or another hard drive, wipe your drives, and pack the media away for storage.

Now it is four and a half years later, and legal counsel calls you into their office to tell you that the ex-employee has decided to sue. Not a problem, you've got all of your case data backed up. It is just a matter of restoring it and providing copies to counsel as required.

But here is the problem, the DLT drive you have been using,
