Competition Results - Computer Forensic Investigation
Know the Difference - Backup vs. Archive
Information availability and IT operations require Data Backup. Legal and Compliance requirements dictate Data Archival. But many organizations make the mistake of equalizing Archive with Backup, which can lead to wrong choice of backup or archival media, very poor restore time and even loss of information.
Example Scenario
As part of an audit, an auditor reviewed the backup and archival system of a company. The company presented their backup systems, access controls and audit. When asked about archived data, they again pointed to the tapes containing their backup. But their backup tapes are rotated every 6 months, so the company does not have any archive from earlier then 6 months ago.
The company failed the legal Archival requirement.
Analysis
In order to properly design and architect a backup or archive systems, one must clearly understand the differences between backup and archive:
Backup
The key reason for the existence of backup is to provide an alternative data source in case the primary data source is corrupted or destroyed. A Backup process is creating a copy of the current state of data. It is understood and accepted that the state of the backed up data will change in the future under controlled circumstances. At that point the old backup will become irrelevant for operational purposes and the data will need to be backed-up again.
Criteria for selecting a backup solution
- The backup needs to be accessible fast
- The media should be reusable for maximum cost efficiency
- The media should survive transport in less then ideal conditions (trunk of a car)
- The backed up information should survive with full integrity and availability for several months on the backup media.
- The backup should be able to span multiple media (if backup set is larger then media capacity).
- The solution should be intelligent enough to enable different backup sets (full backup, incremental backup, differential backup etc)
Archive
The key reason for the existence of archive is to provide historical reference of information. The archive's process final product is a long term non-changeable copy of data or information. It is understood and accepted that the archive media must be resilient, capable of surviving over long periods of time (years) and must guarantee that the archived data remain unchanged during the entire archive lifespan.
Criteria for selecting archive solution
- The archive media needs to be able to operate with different data collections while treating them at the same level of integrity - individual data records from a database as well as entire documents,
- The access speed to an archive can be slow, but archive media should have an extremely high level of reliability (remember, archives can span several decades)
- When creating an archive, always plan the lifetime of the archive, and make sure that the manufacturer will provide systems that can retrieve the stored data - having an archive that is unreadable because there is nothing to read it on is a terrible idea.
- Data integrity must be maintained over the entire period of the archive existence - there is no point in having an archive if you can't trust that it's the same as it was when archived.
- There should be an index of archive media to retreive relevant information from archive
Conclusion
Backup and archive solutions may be part of an integral system, but they perform a different function, so the actual media and individual systems will most likely vary.
While backup is still performed mostly on magnetic tapes, archive is usually performed on optical disks or microfilm. You may choose magnetic media for archive, but if you do, you need to plan that your archive tapes must be shielded from long term adverse influences, and you must maintain a functional reader for the tapes over the entire lifespan of the archive.
Talkback and comments are most welcome
Related posts
3 Rules to Prevent Backup Headaches
Business Continuity Plan for Blogs
New Helix3 Forensic CD - Welcome
E-fense has published a new version of their acclaimed Helix Forensic Live CD. It is now in version 2.0. Here are the first impressions of the new version.
Just as the old version, the new one contains two major components
- A LiveCD (Based on Ubuntu) - A full blown forensic toolkit with a nice all-encompassing set of tools.
- Windows set of tools - which allow the user to use a subset of forensic tools within a running windows system (most often during first response).
Just a reminder of the Windows Helix Menu
The Linux LiveCD interface has seen a major overhaul. It is now based on Gnome, and the overall interface is much better organized.
The following screenshot depicts the new Helix boot menu
Unfortunately, probably in search of a better overall performance, it is departing the Forensic track and moving much more into mainstream - The toolkit is missing a lot of nice new Forensic tools that could have been installed and utilized. Hopefully, they'll be included in the next version.
There is one new major feature that was missing from the previous version - the LiveCD can now be installed on a hard drive - effectively creating a full blown Forensic investigation computer without the need to lug around a bootable CD.
The installer suffers from several bugs, so make sure you partition the target hard drive manually - the automatic option doesn't work
The following Screenshot depicts the installed version of Helix
The new version of Helix is much easier to use and overall a much more completed product. You can download the new version of Helix here. With the ability to install the software onto a computer and then add your own tools, you are able to make a very good forensic tool for everyday use.
The only drawback is that the E-fense's site is down quite often, so you may stumble onto problems while downloading the ISO image
Talkback and comments are most welcome
Related Posts
Tutorial - Computer Forensics Process for Begginners
Tutorial - Computer Forensics Evidence Collection