Corporate Backups: Forensically Sound Or Not?

In a corporate environment, critical system specifications should be made available to law enforcement to assist in investigations. Forensic imaging is a common practice in such situations, with internal investigations within corporations being a frequent occurrence. Forensic backups are achieved by capturing all data from a source media, such as computers or cell phones, in a forensically sound manner, ensuring that all original data remains unaltered. This allows for the validation of an exact duplicate through checksums, hash functions, or divisions. While backup tapes can provide a forensically sound collection of files, digital forensic evidence can lose integrity over time due to overwritten timestamps, flushed logs, and deleted files.

Explore related products

iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices

$39.22 $69.95

Virtualization for Security: Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis, and Honeypotting

$47.21 $62.95

How to Argue and Win Every Time

$10.89 $22

The Rape of Europa: The Fate of Europe's Treasures in the Third Reich and the Second World War

$10.99 $21

Compliance [Blu-ray]

$7.77

Compliance

$3.69

Time Machine backups

It is important to note that Time Machine backups provide logical copies of files, but not a full physical image of the disk. This means that while the content of the files can be accessed, the structure of the disk and metadata associated with the files may not be available.

To ensure the forensic soundness of Time Machine backups, it is recommended to use a test system to demonstrate the steps of how the backup is created and how it determines what to back up. Additionally, proper documentation of processes is essential to explain any actions taken during the collection of evidence.

In some cases, using third-party tools to create forensic images of the disk may be necessary. However, it is crucial to use the correct tools to ensure the forensic image is readable and that the original data is not modified.

Explore related products

How to Be a Wildly Effective Compliance Officer: Learn the Secrets of Influence, Motivation and Persuasion to become an In-Demand Business Asset

$12.63 $15.99

Insider's Guide to Compliance: Real World Advice for Building a Successful Compliance Program

$29.99

Governance, Risk Management, and Compliance: It Can't Happen to Us--Avoiding Corporate Disaster While Driving Success

$30.37 $52

Building a World-Class Compliance Program: Best Practices and Strategies for Success

$32.19 $55

Compliance

$6.99

Connections Over Compliance: Rewiring Our Perceptions of Discipline

$24 $26

Forensic imaging vs cloning

Forensic imaging and cloning are both information technology tactics for copying the complete content of a hard drive. They are often used to back up a drive or replace an old, corrupted, or failed drive. However, they differ in several ways.

Forensic imaging is a bit-by-bit, sector-by-sector direct copy of a physical storage device, including all files, folders, and unallocated, free, and slack space. It captures both the active and latent data of a hard drive or any other digital storage device. It is created through a bit-for-bit copying process, also known as a bit-stream image or forensic image. It is preferred over a simple "copy and paste" operation due to its ability to preserve the original evidence and provide a fallback option for examination purposes. Imaging can also be useful for defragmenting a drive. One disadvantage of imaging is that it requires an imaging program, which can be cumbersome compared to using a cloned drive.

Cloning, on the other hand, is the one-to-one transfer of the entire contents of a hard drive to another hard drive, creating an exact replica. With cloning, if something happens to the source drive, you can revert to the destination drive. However, you will miss any changes made since the clone was created. Cloning can get you up and running quicker than imaging in the event of a hard drive corruption or failure. Additionally, cloning includes the free space on the drive, while imaging omits it, making clones larger in size than image files. Unlike imaging, cloning must be done manually, and only one clone can be held on one drive at a time due to the space required.

In terms of forensic soundness, a forensic clone is an exact, bit-for-bit copy of a hard drive, capturing all the data from the source media, including unused space, slack data, and unallocated space. A hash value, or "digital fingerprint," can be used to ensure the integrity of the cloning process. If the hash values of the source and clone match, the cloning is considered successful and forensically sound. Similarly, a forensic image can be validated using a checksum or hashing function to confirm that it is an exact duplicate of the original device.

In summary, both forensic imaging and cloning have their advantages and disadvantages. Imaging may be preferred for its ability to preserve original data and provide a fallback option for examination, while cloning may be preferred for quicker recovery in the event of hard drive failure. The choice between imaging and cloning depends on the specific needs and requirements of the user or investigator.

Explore related products

Living Your Best Compliance Life: 65 Hacks and Cheat Codes to Level up Your Compliance Program

$18.69 $19.99

The Fundamentals of Compliance

$6.99 $14.99

Compliance Officer: Dictionary Definition Blank Lined Journal Notebook

$6.99

CCEP Study Guide: UPDATED All-in-One CCEP Compliance Review + 300 Practice Questions with Detailed Answer Explanations for the Certified Compliance & ... Exam(Includes 3 Full-Length Tests)

$19.99

Compliance Management: A How-to Guide for Executives, Lawyers, and Other Compliance Professionals

$41 $54

Law of Governance, Risk Management and Compliance: [Connected Ebook] (Aspen Casebook)

$230 $351

Tape forensics

When considering tape forensics, it is essential to understand the process of creating a forensic backup. This involves capturing all data from a source media device, including computers, cell phones, and tablets, in a manner that preserves the original data in its unaltered state. By collecting the entire contents of the source media, including unused space, slack data, and unallocated space, forensic backups provide a comprehensive snapshot of the device.

One of the key challenges in tape forensics is maintaining the integrity of digital forensic evidence over time. Timestamps can be overwritten, logs flushed, and files deleted, which can impact the accuracy of the analysis. To address this, metadata plays a crucial role, as it provides additional context and helps tell the "life story" of the documents, allowing for a more accurate interpretation of the data.

While tape forensics offers unique advantages, it is important to recognise its limitations. For instance, many personal computers (PCs) are not typically backed up at the system level, which reduces the potential for forensic analysis. Additionally, the term "tape forensics" itself is a subject of discussion, as some argue for the distinction between it and "backup forensics" to highlight the unique characteristics of tape-based evidence collection and analysis.

Explore related products

Wildly STRATEGIC Compliance Officer Workbook: Learn the secrets of strategy and planning to become an in-demand business asset

$26.5 $26.5

Internal investigations

Conducting internal investigations is a crucial aspect of maintaining the integrity of corporate backups. Organisations like CYFOR and Capsicum offer digital forensic investigation services to assist companies in this process. These investigations aim to identify, recover, and analyse digital evidence while preserving its forensic soundness.

Forensic soundness refers to the preservation of evidence from tampering and spoliation, ensuring that it can be defended and explained in a court of law. In the context of corporate backups, this means capturing all data from source media (computers, cell phones, tablets, etc.) in a manner that maintains the original data in an unaltered state. This includes collecting all content, including unused space, slack data, and unallocated space.

When conducting internal investigations, organisations like CYFOR can provide expertise in audio-visual investigations, enhancing and analysing digital evidence that may be crucial in legal proceedings. They can respond swiftly to search and preservation orders, ensuring the preservation of evidence. Additionally, investigators can assist in forming an internal risk management strategy and developing a comprehensive employee off-boarding process.

The process of making a forensic backup is nuanced and has evolved over the years. Previously, creating a forensically sound backup was as simple as connecting to a write blocker. Today, it involves more complex processes, such as using test systems to demonstrate the steps of creating a backup and determining what data to include.

It is important to note that the absence of forensic tools can render an image unreadable, and modifying original data can impact its forensic soundness. As such, organisations like Capsicum collaborate with attorneys to produce both clones and images, ensuring the integrity of the data and its admissibility in legal proceedings.

Corporate specifications for critical systems

A critical system is one that must be highly reliable and maintain its reliability as it evolves without incurring prohibitive costs. There are four types of critical systems: safety-critical, mission-critical, business-critical, and security-critical.

Safety-critical systems are those that deal with scenarios that may lead to loss of life, serious personal injury, or damage to the natural environment. Examples include control systems for chemical manufacturing plants, aircraft, unmanned train metro systems, and nuclear plants. Mission-critical systems are designed to avoid the inability to complete overall system or project objectives. Examples include a spacecraft's navigational system and airport baggage handling software. Business-critical systems are programmed to avoid significant tangible or intangible economic costs, such as loss of business or damage to reputation. Examples include a bank's client accounting systems and stock-trading systems.

Critical systems are further distinguished between fail-operational and fail-safe systems. Fail-operational systems are required to operate in nominal conditions and degraded situations when some parts are not functioning properly. Aircraft, for instance, must be able to fly even if some components fail. On the other hand, fail-safe systems must safely shut down in case of single or multiple failures. Trains, for example, are considered fail-safe systems because stopping them is typically enough to put them in a safe state.

When developing critical systems, trusted methods and well-tested techniques are typically used to ensure reliability. Software engineering for safety-critical systems is particularly challenging. Key considerations include process engineering and management, selecting appropriate tools and environments for effective testing, and addressing legal and regulatory requirements. To improve software quality in safety-critical systems, standard approaches such as careful coding, inspection, documentation, testing, verification, and analysis are employed.

To ensure resilience in critical systems, redundancy and recoverability are essential. Tier 1 systems, for instance, require that the acceptance environment matches the production environment, and that Tier 1 DR (remote site) system components are also redundant. Additionally, critical systems data layers should have redundant clustered Database Management Systems (DBMS or DB servers) with fault-tolerant primary storage systems and separate DR data copies in remote sites.

Frequently asked questions