When performing incident response and forensics on a compromised system, the focus of analysis is on the most immediately available and relevant sources of evidence. Volatile data collected from a running system, the hard drive, network flow data and logs collected on a central server all serve as useful sources for determining the particulars of the incident. But what about incidents that go back further, requiring you to dig into backup tapes, potentially very old ones?
Fortunately, I've dealt with very few cases where I had to retrieve information from backup tapes; however, none of them has been pretty. The last time was the worst one, because the tapes were the best source of evidence thanks to the botched first response by the client's sysadmins. Making matters worse, the client used expensive, proprietary backup software that only they could use to extract the data for analysis. Oh yeah, and it was brutally slow.
The article, "Computer Forensics - Don't Let the Tape Evidence Escape You," is what started me thinking about tapes and, more broadly, legacy media and its impact on computer forensic investigations. Unless they've been at it for a very long time, independent forensic investigators are unlikely to have an arsenal of legacy tape, magneto-optical, Zip disk and other drives at their beck and call when needed in an investigation. They either have to rely on their client to have the right drives or call a specialty shop that has the right drives to read the data for them (luckily, those places do exist).
---------------------------------------------
Source: darkreading.com
By: John Sawyer
Monday, June 29, 2009