SANS Digital Forensics and Incident Response Blog | Custodians of Digital Evidence

Let's think like a system administrator for a moment....

Here is the scenario:

You're the corporate incident handler/digital forensics person and you've just finished your latest case. The finished forensics report has been handed off to your boss, human resources, and the legal team. You are looking at your raid 5 volume with all of the data the case generated. With 500 gigabyte drives and terabyte drives almost a standard now, the case data might be nearly that big. So you back up your data and tools you used on the case to your DLT tape drive or another hard drive, wipe your drives, and pack the media away for storage.

Now it is four and half years later, legal counsel calls you into their office to tell you that the ex-employee has decided the sue. Not a problem, you've got your all of the case data backed up. It is just a matter of restoring it and providing copies to counsel as required.

But here is the problem, the DLT drive you have been using, doesn't work any more. Or even worse, it was sent the trash heap (recycled) with that old forensics machine you used to use a year ago. Even if you have the DLT drive, is the tape still readable?

I've been a system administrator for over ten years and I have seen some interesting challenges regarding restoring from backups. The first issue is always hardware and the second is media. Usually, the hardware is worn out. In the corporate environment, chances are you are going to borrow a tape drive to do your backups. Doing so, leaves you open to the possibility that one day, that tape drive will not be on site any more as a new backup solution has been put in place without anyone informing you of the switch.

The second issue is media degradation. Most tapes are only good for about six years when stored in good to ideal conditions. The tapes can become brittle and break due to age. Also there is a chance, due to age or malfunction of the tape drive that the tapes stretch out when used, thus destroying that portion of the tape.

Let's say you back everything up to a hard drive, will it still spin up after resting for four and half years?

Another approach would be to use USB flash drives. From my research I have seen life expectancy for up to 10 years, provided writes are kept to a minimum. I have not heard of too many people doing this, mostly due to the size of the flash drives. Plus the drives have not been around that long.

The last type of easily available writable media is CD-R/DVD-R/Blueray. Per NIST, CD-R, DVD-R, and DVD+R should last anywhere from 100 to 200 years if properly stored. I think a realistic number is more likely 30 years simply due to having technology around that can still read the discs. Discs need to be stored in a vertical position, in a case, and in a dry, cool environment.

I have DVDs that are around three plus years old and are still working correctly. At the time I did not pay attention to the type of media I was saving my forensics cases to. At least not with regard to archival quality. Lucky for me, that DVDs are in excellent condition and all the hashes match the saved data.

Also, I have some old CD-Rs from 1996 to 1997 that show no signs of degradation visually and the disc is still readable. While, nothing was backed up for forensics purposes, my data backups are still readable.

The thing to take away here is to pay some attention to your backup solution.

Some suggestions:

Find out how long you need to store items
Pick an archival solution that meets the temporal requirements
Use archival quality media. It doesn't hurt to do a little research into brands as to which are good quality and which are not.
Always test your backups after you make them to ensure that data is good.
Store your backups in the environment recommended by manufacture or NIST.
Check your backups every year or every other year to see if there is degradation before it gets to the point where you cannot recover it.