Use of Backup Tapes in Computer Forensics
by: Michiel Van Kets
The field of computer forensics is very closely associated with data recovery from storage media such as USB pens and hard disk drives. However, a lot of information is not stored on disk at all but on data tapes. In fact, throughout the world the largest amount of data is stored on data tapes. So is this kind of information, and the media it is stored on, of any use to those in the computer forensic field?
Most of us are aware that the hard disk drive of a computer holds the most current information available, as well as a variety of other forensically valuable data such as local temporary files and internet history records. So if you have the hard disk drive, is there any reason to look at backup data tapes?
Computer forensic work often involves a background investigation, and it is preferable that as few people as possible are involved in conducting it. Where data from a tape archive can be used, the investigation can often be carried out more discreetly and does not require entire systems to be seized. Where backup tapes can be located, they offer a way to conduct an investigation or audit with the potential to do so without alerting those being investigated or audited.
With an audit, for example, the disruption spreads further than the business or person being audited and raises fear in others. Being able to carry out the data analysis covertly, before there are any investigative results, reduces stress and loss of morale among others who are perhaps not directly involved.
Data on local systems comes and goes and can often be replaced, especially where this is the intention of the business or person being investigated. Backup data provides a snapshot of a system or systems and therefore a historical record. If there is an attempt to remove information from a local system, and that information was previously stored on a backup system, it can be recovered from the backup data tape.
Those who specialize in this form of investigation work back through the backup data tapes and can therefore gain greater insight into any system abuse or illegal behavior that may have taken place. Unless the person attempting to erase information has a great knowledge of the system and of erasure techniques, the information being sought, if it in fact exists, should be located within the backup infrastructure.
Those conducting the investigation must have knowledge of the backup infrastructure itself. Backup tapes are likely to hold a significant amount of information, so knowing how to process it in a way that reduces search time is a key factor. This is especially important for cost, as well as for the manpower and time needed to conduct any investigation or audit.
As an example, if there are 3000 tapes that each require 3 hours to read completely, and you could use 10 systems with 80% operating time, the time required to read the 3000 tapes would be approximately 50 days. This does not take into account the time needed to actually analyze and organize the data itself.
In these cases, a pre-scanning system for the specific type of tape and system is required to reduce the time needed to identify the data on each tape. When this is carried out effectively, the time can be reduced from 3 hours per tape to approximately 15 minutes per tape. That reduces the time needed to read the data from 50 days to around 4 days.
The point is that while the data tapes hold the information required, a suitable system must be available to sort and categorize it, eliminating irrelevant data and leaving those investigating the tapes with only the information they require to complete a more thorough analysis of the relevant facts.
There are a great many factors in computer forensic analysis, and there are no standard systems that will apply to all data tapes. A thorough understanding of the system and of where the data may be stored is generally the first step in the investigation, after retrieval of the data tapes. This information is of course beneficial to those being investigated as well as to those who wish to have an investigation completed. There is a great deal of information available about the abilities of computer forensics, and if this is something that interests you, it is suggested that you "dig a little deeper" into your particular angle of computer forensics.
About the author
Michiel Van Kets writes articles for Altirium (http://www.altirium.com/), an expert computer forensics company in the UK. Call today for discreet consultation on a range of computer forensic services (http://www.altirium.com/altirium/services/computer-forensics.html), whether for individuals or major corporations. Give your ongoing litigation an edge by using evidence retrieved from forensic computing methods.