±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35628
New Yesterday: 3 Visitors: 150

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

The Cost of Storing Digital Images

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2, 3  Next 
  

akaplan0qw9
Senior Member
 

The Cost of Storing Digital Images

Post Posted: Jun 20, 05 20:23

Several weeks ago I had the honor of being mentored one-on-one in computer forensics, for a full week by Greg Marshall, EnCE. Greg is not only a world class Computer Forensics practitioner; he is also an investigator’s investigator. After doing nothing but eat, drink and sleep investigation for the past 41 years, I believe I’m qualified to judge investigators and for my money, Greg is a Top Gun.

Although I’m still reeling from all of the sophisticated CF techniques Greg taught me, (or more accurately tried to teach me!) my most immediate problem lies in the mundane administrative area of the storage of computer images and cost reduction.

Although I’ve dealt with all sorts of evidence over the years and have never had a loss or destruction of evidence, Greg has convinced me that when comes to HD images, we are dealing with something so fragile that we are professionally obligated to go above and beyond, in ensuring that computer forensic images is protected for months or even years.

We all know that the textbook solution to storage of evidence of this type, is - redundancy and remote distribution. Those in law enforcement often seize, and get to hold the original HD as evidence, as long as they might need it. That gives them the opportunity of going back to the original HD, should the forensic image be lost, damaged or called into question. In civil practice, it is less often that we can hold a HD as evidence. We often have to use a combination of an implied specter of a court order and gentle persuasion to get the HD image we need. For example, tomorrow, I will go to a lawyer’s office and image the HD of a laptop of his client, a former girlfriend of a multi-million dollar embezzler. I will get one shot at the computer and walk away with an external HD containing an image.

Greg will tell you that before he does anything else with that image, he would burn a verified copy on a set of DVDs. In this case, I don’t know how big the drive will be, but it is unlikely that it will be more than 40 GB. For the sake of this discussion, I’ll assume that that is the case. OK, I have a first generation image on my external HD and a verified copy of that on DVDs. I’m feeling pretty safe. Let’s see what that storage will cost me.

I figure that it will take me about 1.5 hours to burn the 8-10 DVDs needed for this 40 GB backup. Our normal billing rate is $75/hour. That means that it will cost me $112 in un-billable time just to make a redundant set of discs. My storage costs are:

Hard Disk space = $40
DVD Media = $4
Labor = $112 to burn DVDs
Total holding costs = $156.00

I don’t like it, but I can live with it. I can even pass that $156 cost on to my client.

The problem is that aside from laptops and the like, 40 GB is no longer representative. I recently sent a 60GB HD back to Maxtor under warranty. They replaced it with an 80GB because they no longer had a 60 GB in stock. More to the point, standard stock drives are getting larger and larger. We recently took into evidence a 200GB and a 250GB and have another 250 GB that I will take into evidence next week. Using the same approach as we did previously let’s look at the storage costs.

Hard Disk space = $250
DVD Media = $25
Labor = $ 715 labor to burn DVDs
Total holding costs = $990.

As you can see, our costs come to almost $4/GB before we even start an analysis. I am interested in ideas or alternate approaches that would allow us to do the job right and at the same time, cut costs.

Thanks!
_________________
Alan M. Kaplan, ACE
Nevada PI License #220
AKaplan @ LasVegasPI.com 
 
  

femur
Newbie
 

Re: The Cost of Storing Digital Images

Post Posted: Jun 21, 05 15:10

Actually im doing a 1st gen. image on a HP NAS, redundant disks and interfaces, then i do a DLT Backup of the image on a fresh DLT ...
The source disk or disks are hooked to a live CD linux and transfered through a crossover 5e through 1g ethernet ...
_________________
If aint broke, don´t fix it! 
 
  

Andy
Senior Member
 

Re: The Cost of Storing Digital Images

Post Posted: Jun 21, 05 18:25

Similar... We image to a Network RAID, then archive to tape (AIT). Although tape is sounds oldfashioned, its a tried & tested method of backing up your data. Tape might be the way to go Al, if you are considering keeping those backups for some time. Its a little more costly for the initial outlay (but check eBay - you might pick up a bargain) than for example DVD, but at least you can fit 100's of gigs on one tape in one go, rather than many hours buring to disk, with the risk of a failure every disk in so many.

Andy  
 
  

femur
Newbie
 

Re: The Cost of Storing Digital Images

Post Posted: Jun 22, 05 14:50

Andy, hard to beat the cost and linear speed of a DLT!
_________________
If aint broke, don´t fix it! 
 
  

gmarshall139
Senior Member
 

Re: The Cost of Storing Digital Images

Post Posted: Jun 22, 05 15:35

Thank you Al for the kind words. I think that this board is a good resource due to the richness of experience of it's contributors. Alan contributes greatly to that richness and it has been a pleasure to get to know him.

I agree with Andy that tape backups may be a good option for you Al. I have always been concerned however with the long term viability of the tapes. I have to admit that I don't use tape backup, nor have I ever. I am wary however from the experiences of others that a tape drives heads may shift over time. While backups saved one day, and restored a week later would be fine, it may be a different story when years have passed, and maybe you are using a different drive than the one originally used. Perhaps techology has improved and this issue is no longer a concern. If not it seems a better option than DVD's. DVD's are far from trouble free, but by using good media, and verifying the images I feel pretty good about using it. I don't bill all that time, only a fraction of it. Mainly it's just swapping disks, and can be done on a dedicated machine while working on other things. You need a fast burner, but processor speeds and memory are not that important. I usually burn a disk, put it in my analysis machine for verification and start another one in the burner. I rarely get a bad disk unless I'm tasking the computer with other things as it burns.

Another option, which is currently pretty costly, is a robot system such as those sold by forensic-computers.com. The $5000 unit holds 25 disks, burns, prints labels, and verifies the data.

I have been looking at external storage options myself. I don't need network storage as I'm the only one accessing the images, but am favoring some type of firewire RAID. Not the Lacie units that I know you've had trouble with, but perhaps a unit that could be configured as RAID 5 such as those from Weibtech. If I had a RAID 5 for image storage I wouldn't feel the need to archive right away (although it's probably still a good idea). These units are also somewhat portable, which would allow them to be used in the field for acquiring a large RAID should the need arise.
_________________
Greg Marshall, EnCE 
 
  

andy1500mac
Senior Member
 

Re: The Cost of Storing Digital Images

Post Posted: Jun 22, 05 21:23

Hi Greg,

I don't want to veer too off topic here but in terms of backing up an image to lets say multiple CD/ DVD's what is the recommended process off verifying the integrity of the finished product.

Assuming I have a 40gb image (and md5 value associated) that has been backed up to 8 or so DVD’s… Do you have to rebuild the image to verify the hash matches the original or are checks done during the copying sufficient?

Thanks,
Andrew-  
 
  

gmarshall139
Senior Member
 

Re: The Cost of Storing Digital Images

Post Posted: Jun 23, 05 02:07

Andrew,

Verification can be accomplished in a couple of different ways. Nero, and probably some other burning applications, have a verify process built in that can be set to run after each burn. This makes the burn process longer, but requires no action by you. Swap disks every 20 minutes or so as long as everything is going well. I don't use it just because I haven't tested it's reliability very thoroughly.

If you acquire images to the .e01 format then you know that these evidence files have within them crc values for each block of data (default block size is 32k in Encase) as well as an md5 hash value for the entire evidence file. Encase has a verification tool built in that recomputes each of these crc values and compares it with the original. It also recomputes the md5 hash of the evidence file as a whole. If any are different the sector blocks are flagged by Encase. If I put 3 image files on a DVD I can point Encase at all 3 at once and let it run. Takes about 11 minutes to complete and doesn't require me to verify each one seperately.

If you are using some other application without this type function you could compute a hash value of each evidence file and recomputer after burning.

Either way you go verification is a necessity. Errors are too common when burning to optical media.
_________________
Greg Marshall, EnCE 
 

Page 1 of 3
Page 1, 2, 3  Next