Backup Tape Forensics is Here to Stay
11-10-2009, Digital Forensics Magazine - Gavin W. Manes, et al.
Although magnetic tape storage is often perceived as a rarity by digital forensics investigators, there are an increasing number of situations that require tape recovery and analysis. Many companies use tape backup systems to comply with various regulatory and statutory requirements, which brings the forensics issues with their acquisition and investigation to the forefront. The ability to perform digital forensics investigations on storage tapes is an important tool in any forensics professional’s arsenal, and a thorough understanding of the situations and techniques where these storage devices will appear can alleviate some of the inevitable issues. This paper summarises the main challenges to magnetic tape storage forensics, and includes two case studies of investigations that required backup tape analysis.

Since the early 1950s, magnetic tape storage has been a standard backup solution for large data centres due to its low cost and the compactness of the medium. However, many view magnetic tape storage as obsolete and therefore little effort has been devoted to the forensic acquisition and analysis of backup tapes. Despite the lack of interest in this area, there are several situations that require forensics investigators to recover and analyse data from backup tapes. Data recovery professionals must also be prepared to handle this class of media: in a 2004 survey conducted by the Yankee Group, over 40% of respondents who had occasion to restore systems from tape reported at least one incident where the information was unrecoverable due to tape failure [1]. Improvement of forensic techniques for backup tapes is necessary for a variety of reasons. Certain peculiarities of the magnetic tape format present unique challenges to the investigator: different types of tapes, proprietary storage formats and compression algorithms, and the fragility of the magnetic tape itself can all complicate investigations. The standard SCSI communication protocol for tape drives precludes low-level acquisition, and tape drives will generally not read past an End-of-File marker (regardless of what data lies beyond) without modification of the drive’s firmware.

Backup Tapes in Landmark Cases
Backup tapes were the centrepiece of two landmark digital forensics cases in the USA: Coleman v. Morgan Stanley and Zubulake v. UBS Warburg [3][4], lending credence to their use as digital evidence in court. Both of these cases set precedents for the admission and validity of digital evidence in the modern legal landscape.

Coleman vs. Morgan Stanley
In Coleman vs. Morgan Stanley, Coleman’s document production request specified emails from a certain date range, which according to Morgan Stanley resided on a complex backup system that required significant resources to recover. It was later discovered that Morgan Stanley had found backup tapes containing relevant emails, but had not produced them in response to the Court’s Order. Furthermore, it was found that searching these tapes would have been relatively easy, despite the company’s claims to the contrary. Morgan Stanley was issued an adverse inference order by the court for failing to comply with the discovery orders, and was ordered to pay $1.5 million in damages. Although this decision has since been reversed, the sanctions relating to the failure to disclose were not removed.

Zubulake vs. UBS Warburg
In Zubulake v. UBS Warburg (2003), a wrongful termination suit that ended in a $29 million verdict for the plaintiff, information was requested which resided on backup tapes. However, it was found that those tapes had been deleted after the lawsuit had been filed. An adverse inference instruction was given to the jury on the basis that UBS Warburg had failed to preserve emails that it knew to be relevant to litigation. In both of these cases, backup tapes proved to be crucial evidence on which the verdict hinged. Clearly, the proper and thorough forensic acquisition and investigation of backup tape media should not be ignored when performing a digital forensics investigation.

Backup Tape Issues
Tape Formats and Hardware Issues
There are a large variety of magnetic tape formats, each of which requires different hardware to read. While internal forensics investigators employed by a company may only have to accommodate the tape formats in use by that company, a standalone forensics or data recovery company needs to maintain a collection of tape drives at hand to cover at least the most commonly encountered tapes. The most commonly encountered formats include DAT, Exabyte, and DLT, with AIT and LTO types growing in popularity.

Even if a company possesses all of these devices, they usually will not read past an “End of Data” marker on the tape, which can leave unread data on the tape from any previous backups. Although the SCSI standard provides a standard interface for all of these drives, it lacks the low-level control commands needed by forensic investigators to make a complete bitstream copy of the tape. Some drives contain firmware with a special mode that allows reading past the End of Data marker. There are currently other proposed solutions to allow for complete bitstream copies to be created using customized firmware, but most of the research in this area is either theoretical or not publicly available.

Archive Types
Beyond the hardware issues, investigators also encounter issues with the large number of backup archive formats in use. Tape hardware only provides a medium to place the data onto, while a staggering number of software solutions provide the means to store the data on the tape. The most common archive types are the tar and dump formats typically used on Linux systems and the built-in Windows NTBACKUP; however, most vendors providing backup software solutions have their own proprietary tape formats [5]. This presents significant problems for investigators, especially if the software used to create the tapes is rare or obsolete. These situations may require the use of a data recovery company.

Integrated Solutions
Solutions to the problems of backup tape forensics will be either hardware- or software-related. Hardware considerations for deploying a backup tape solution for a forensics lab must account for the most common types of tapes that the investigator is likely to encounter in the field. Several stopgap solutions have been developed for the forensic acquisition of backup tapes through the use of standard tape management tools, and occasionally tape recovery software [2]. These tools address the problem, but require more preparation than a simple computer hard drive. Again, the wide range of tapes, archive formats, and backup recovery software complicates the issue.

Recommendations
Duplication of the backup tape to prevent accidental damage or spoliation of evidence is highly recommended when attempting to extract information. Safe duplication of tape data can be achieved, usually in a single read pass, by using dd on a Linux machine [2][6]. This creates a set of tape files which can then be copied to a duplicate tape. All data recovery operations should be performed on this tape to prevent unnecessary wear and tear on the original physical media and to prevent any accidental destruction of evidence. Recovery of the backup tape data can then be performed on the duplicate.

Extraction of the files from the tape can be performed in a number of ways. It is generally acceptable to use the original backup tape software to restore the information onto a hard disk. Several third party solutions exist that can handle a variety of tape formats and are especially useful when the original tape format is unknown. Whichever method is utilized, the software should be used to restore the files from the backup tape onto a hard disk which can then be imaged or directly analyzed as part of an investigation.
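Once dd has read the tape into a sequence of tape files, the investigator still has to work out which archive type each file holds before choosing restore software, and needs hashes of each file to verify the duplicate tape against the original. The following is an added example (not the authors' tooling) that does both for the archive types named above: it assumes the tape files were written as tape000.bin, tape001.bin, ... and checks the first block of each for the POSIX tar "ustar" magic at offset 257, the classic dump(8) header magic 60012 at offset 24 (offset taken from the 4.4BSD header layout), and the "TAPE" descriptor block with which NTBACKUP's Microsoft Tape Format begins. The sample tape it builds is constructed for the demonstration.

```python
"""Classify and hash tape files recovered with dd (added example)."""
import hashlib
import io
import struct
import tarfile
import tempfile
from pathlib import Path

DUMP_NFS_MAGIC = 60012  # classic dump(8) c_magic value; offset 24 assumes the 4.4BSD header layout


def identify(block: bytes) -> str:
    """Return the archive type of one tape file from its first 512-byte block."""
    if block[257:262] == b"ustar":          # POSIX/GNU tar header magic
        return "tar"
    if block[:4] == b"TAPE":                # MTF (NTBACKUP) tape descriptor block
        return "mtf"
    if len(block) >= 28:                    # dump headers use the writer's native byte order
        for order in ("<", ">"):
            if struct.unpack(order + "i", block[24:28])[0] == DUMP_NFS_MAGIC:
                return "dump"
    return "unknown"


def manifest(tape_dir: Path) -> list[dict]:
    """One entry per tape file, in tape order, with type, size and SHA-256 for duplicate verification."""
    entries = []
    for path in sorted(tape_dir.glob("tape*.bin")):
        data = path.read_bytes()
        entries.append({"file": path.name, "type": identify(data[:512]),
                        "size": len(data), "sha256": hashlib.sha256(data).hexdigest()})
    return entries


def make_sample_tape(tape_dir: Path) -> None:
    """Constructed sample standing in for dd output: a tar file, an MTF block and a dump header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("mail/inbox.pst")
        info.size = 5
        tf.addfile(info, io.BytesIO(b"hello"))
    (tape_dir / "tape000.bin").write_bytes(buf.getvalue())
    (tape_dir / "tape001.bin").write_bytes(b"TAPE" + b"\0" * 508)
    hdr = bytearray(512)
    hdr[24:28] = struct.pack("<i", DUMP_NFS_MAGIC)
    (tape_dir / "tape002.bin").write_bytes(bytes(hdr))


def demo() -> list[dict]:
    """Build the constructed sample tape in a temporary directory and return its manifest."""
    tape_dir = Path(tempfile.mkdtemp(prefix="tape-"))
    make_sample_tape(tape_dir)
    return manifest(tape_dir)


if __name__ == "__main__":
    for e in demo():
        print(f"{e['file']}  {e['type']:8}  {e['size']:>8}  {e['sha256']}")
```

Running the same manifest against the files read back from the cloned tape and comparing the SHA-256 values confirms the duplicate before any recovery work begins on it.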

Forensic Uses of Backup Tapes
There are a number of both practical and theoretical uses of backup tapes in the course of digital forensics investigations. Backup tapes are typically used to retrieve data in the event of a server failure or retirement, and are superior to backup files due to their inherent resistance to tampering or destruction of data. Forensics professionals can use backup tapes when a server is too large for onsite collection, since the tapes can be taken to a forensics lab and their contents restored onto a RAID system or other large storage device.

There are more innovative applications of backup tapes during forensics investigations. Investigators can build a sophisticated timeline of a computer’s history by comparing the current state of the system to a disk image in order to identify signs of tampering. If such nefarious activity was suspected, it is unlikely that both the system and the backup tapes would be modified.

Backup tapes can also be used to ensure compliance with evidentiary rules regarding spoliation. They can show that while evidence existed on a machine at a certain point in time, it was either negligently or maliciously deleted after that date. Using tapes from an intermittent period can also provide information regarding the loss or destruction of data that is unavailable on a disk image of the current system. This information could help provide grounds for a negative inference instruction.

Investigators can use backup tapes to find files and documents that have been deleted, and it is possible to recover information from log files that might have been overwritten on the current system. These logs contain information about the history of the system and other resources such as network systems, users, logs, services, etc. These resources may not exist anymore and their removal may signal illicit or negligent behavior: such information could be useful either in the discovery process or to establish grounds for arguing that evidence was not properly preserved.

Case Studies
The practical uses of backup tapes are illustrated by the following case studies. Both highlight some of the complexities that can arise during the collection and investigation portion of the digital forensics process when using backup tapes.

Case Study #1
A company required forensics investigation of an email server related to the departure of an employee two years previous. The server had been decommissioned and removed from the company inventory since the events in question and a newer server had taken its place. The IT staff had performed manual migration for the mailboxes of current employees during the changeover. However, the company had retained backup tapes of the original server, several of which contained information from the time period in question. Since the backup tapes represented the only potential evidence from that time period, it was critically important to recover and examine the information on the tapes in the most forensically sound manner possible.

The forensic acquisition of these backup tapes presented a challenge for the investigation team. Since the backup tape was of a format the forensics team currently did not have available, equipment purchases had to be made, and extensive research was conducted into the sound forensic methodology for analyzing the tapes. Even though this case included only one tape, the amount of time needed to research the factors involved was significant due to the presence of unfamiliar technology and the necessity to duplicate the information in a forensically acceptable manner.

The team decided to use the dd program to create a bit-for-bit copy of the accessible data on the tape, write it onto a newly purchased tape of the exact same type, and then perform recovery operations on the cloned tape. In this instance an extra two weeks of preparation time was added to the investigation. Even when an investigation team is prepared for dealing with tapes it can be a time consuming operation to perform recovery.

Case Study #2
The second case study also involved a large, mission-critical e-mail and file server. In this case, the machine was to be collected from a company on the opposing side of a lawsuit. This situation is often called a “hostile” collection, and it is even more important than usual that forensic acquisition proceed without business interruptions. In this case the terms of the collection agreement had stated that the forensics team was limited to a single day of access to make a “live image” of the machine. Due to the size of the server, it quickly became clear that even with a file-system level acquisition of active files, the imaging process could not be completed during the allotted time.

However, during discussion of alternatives with the company’s IT team, investigators discovered that backup tapes for the server were available. Indeed, the tapes would provide information from the server that was more likely to house relevant information since it was from a time closer to the events in question. Therefore, the investigator decided that the backup tapes offered an appealing alternative to traditional acquisition.

After approval by the attorneys, the investigation team collected a set of eight backup tapes from the company. These included multiple sets of incremental backups from before and after the date in question, providing a healthy time frame for investigators to examine.
Due to the large number of tapes acquired from the company, the size of each tape, and the perceived complexity in trying to apply their methods to a set of incremental backups, an external data recovery company was employed to restore each tape to hard disk at a substantial cost. Once complete, the hard disks provided by the data recovery company were then imaged and analyzed. Initial analysis of the restored backups revealed several large file-based backups on the file server that the forensic software was unable to process. The files were therefore exported and the software used to create them was determined. Each individual file was then processed and extracted onto disk, which was then imaged and processed via forensic tools.

By not processing the backup tapes in-house, the forensic company incurred large additional costs, which may have been offset by the cost of new equipment and the challenges of processing the incremental backup tape format. Additionally, they encountered more file-based backups and spent additional time processing those files in case any contained relevant data. Although these costs and challenges may seem like disadvantages to the investigators, in fact they provided two large advantages. First, they were able to collect the information from the collection site in a very timely manner. Second, they were able to compare the different states of the server over the time frame from which they had collected information. Therefore they could accurately compare the state of a user’s mailbox or personal files from different periods of time, which assisted in reconstructing the events of the time period in question.

Conclusion
Tape backup systems are a crucial component of any case involving corporate lawsuits. Indeed, the inclusion of tape backup systems in the civil realm is increasing, which brings all of the issues with their acquisition and investigation to the forefront. Many of the same problems encountered by investigators for the past few years still exist since little research has been devoted to this area. Therefore, forensics companies should be prepared to handle digital information from backup tapes, since so much can hinge on a company’s ability to retrieve information from them. Future work in this area includes the creation of a vendor-neutral tool to retrieve data from the large variety of tapes in corporate use. In the meantime, it would behoove digital forensics investigators to familiarize themselves with the potential issues, techniques, and available solutions regarding backup tape forensics in order to be most effective to their customers.

Copyright 2008 Avansic