Tape Tips
Data tapes often contain valuable clues for your case. It is important that the proper information is collected at the time a tape is seized as evidence or created, and documented accordingly to assist the analyst.
For each tape submitted with your request, please include the following detailed information.
This outline will assist you in completing Section 9: Support Requested of the Forensics Media Analysis Request if you are in need of Data Tape support.
When the proper information is not recorded or provided, data tape recovery can become exceedingly demanding, which impacts our ability to provide results.
Answers to these questions are extremely helpful and allow us to expedite any tape recovery.
We will still conduct analysis on evidence even if these answers are not provided; however, your request may take longer to complete.
Systems Administrator
- Identify the systems administrator responsible for the network (if possible). Include the full name and phone number.
- Identify the person who physically conducted the backup process or seized the evidence (if possible). Include the full name, phone number and agency mailing address.
Physical Tape
- Identify whether the tape has been in storage. If so, retentioning may be required before we handle the tape.
- Write protect each tape upon seizure:
  - For a 4mm tape - write protection requires the tape tab to remain in the open position.
  - For an 8mm tape - write protection requires the tape tab to remain in the closed position.
  - For a DLT-4 tape - write protection requires the tape tab to show ORANGE.
- If you have created the backup set, ensure all tapes are labeled properly. Write the number of the tape out of the total number of tapes (e.g. Tape 1 of 2, Tape 2 of 2, etc.).
- Identify any password used during the backup process on the tape’s label.
Hardware
If the system involves a robotic tape arm, seizure of the device is preferred. This may require seizure of the server as many robotic arms utilize a special card installed in the server the device is attached to.
Question: What is the model number of the tape drive used?
An example is "Exabyte 8505 SCSI-II 8mm tape".
Question: What is the IP address of ALL network interfaces of the machine being backed up?
Include the fully qualified domain name (for intrusion cases, this is crucial).
An example is IP=13X.1X.6X.X, Name=This.is.the.domain.
Operating System
Question: What operating system was the tape created with?
Include the exact version number and server type if possible.
Examples include SunOS 5.1 (Solaris 2.5) running on a SunSparc 5, Windows 2000 with Service Pack 4, and Netware 6 with Support Pack 3.
Backup Information
Question: Does the backup process display the tape block size or density?
An example is Block Size=1024 bytes, Density Code=21.
Data Backup Volume
Question: How much data (approximately) is backed up on the tape(s)?
An example is 700MB.
Question: Was compression used?
Question: What tool did the systems administrator use to create the tape?
Include all option settings and/or command-line options. If the backup tool is a commercial product, include the version number. Examples include tar cvf /dev/rmt/0*, Backup Exec for Windows 2000 Version 8, and ArcServe for Novell Version 9.
Question: Was a password used to create the backup?
If so, please list it.





