The Cost of Storing Digital Images

(@akaplan0qw9)
Posts: 69
Trusted Member
Topic starter
 

Several weeks ago I had the honor of being mentored one-on-one in computer forensics, for a full week by Greg Marshall, EnCE. Greg is not only a world class Computer Forensics practitioner; he is also an investigator’s investigator. After doing nothing but eat, drink and sleep investigation for the past 41 years, I believe I’m qualified to judge investigators and for my money, Greg is a Top Gun.

Although I’m still reeling from all of the sophisticated CF techniques Greg taught me, (or more accurately tried to teach me!) my most immediate problem lies in the mundane administrative area of the storage of computer images and cost reduction.

Although I’ve dealt with all sorts of evidence over the years and have never had a loss or destruction of evidence, Greg has convinced me that when it comes to HD images, we are dealing with something so fragile that we are professionally obligated to go above and beyond in ensuring that computer forensic images are protected for months or even years.

We all know that the textbook solution to storage of evidence of this type, is - redundancy and remote distribution. Those in law enforcement often seize, and get to hold the original HD as evidence, as long as they might need it. That gives them the opportunity of going back to the original HD, should the forensic image be lost, damaged or called into question. In civil practice, it is less often that we can hold a HD as evidence. We often have to use a combination of an implied specter of a court order and gentle persuasion to get the HD image we need. For example, tomorrow, I will go to a lawyer’s office and image the HD of a laptop of his client, a former girlfriend of a multi-million dollar embezzler. I will get one shot at the computer and walk away with an external HD containing an image.

Greg will tell you that before he does anything else with that image, he would burn a verified copy on a set of DVDs. In this case, I don’t know how big the drive will be, but it is unlikely that it will be more than 40 GB. For the sake of this discussion, I’ll assume that that is the case. OK, I have a first generation image on my external HD and a verified copy of that on DVDs. I’m feeling pretty safe. Let’s see what that storage will cost me.

I figure that it will take me about 1.5 hours to burn the 8-10 DVDs needed for this 40 GB backup. Our normal billing rate is $75/hour. That means that it will cost me $112 in un-billable time just to make a redundant set of discs. My storage costs are:

Hard Disk space = $40
DVD Media = $4
Labor = $112 to burn DVDs
Total holding costs = $156.00

I don’t like it, but I can live with it. I can even pass that $156 cost on to my client.

The problem is that aside from laptops and the like, 40 GB is no longer representative. I recently sent a 60 GB HD back to Maxtor under warranty. They replaced it with an 80 GB because they no longer had a 60 GB in stock. More to the point, standard stock drives are getting larger and larger. We recently took into evidence a 200 GB and a 250 GB and have another 250 GB that I will take into evidence next week. Using the same approach as we did previously, let’s look at the storage costs.

Hard Disk space = $250
DVD Media = $25
Labor = $715 to burn DVDs
Total holding costs = $990.

As you can see, our costs come to almost $4/GB before we even start an analysis. I am interested in ideas or alternate approaches that would allow us to do the job right and at the same time, cut costs.

Thanks!

 
Posted : 20/06/2005 8:23 pm
(@femur)
Posts: 6
Active Member
 

Actually I'm doing a 1st gen. image on an HP NAS, redundant disks and interfaces, then I do a DLT backup of the image on a fresh DLT …
The source disk or disks are hooked to a live CD Linux and transferred through a crossover 5e through 1g Ethernet …

 
Posted : 21/06/2005 3:10 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

Similar… We image to a Network RAID, then archive to tape (AIT). Although tape sounds old-fashioned, it's a tried & tested method of backing up your data. Tape might be the way to go Al, if you are considering keeping those backups for some time. It's a little more costly for the initial outlay (but check eBay - you might pick up a bargain) than for example DVD, but at least you can fit 100's of gigs on one tape in one go, rather than many hours burning to disk, with the risk of a failure every disk in so many.

Andy

 
Posted : 21/06/2005 6:25 pm
(@femur)
Posts: 6
Active Member
 

Andy, hard to beat the cost and linear speed of a DLT!

 
Posted : 22/06/2005 2:50 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

Thank you Al for the kind words. I think that this board is a good resource due to the richness of experience of its contributors. Alan contributes greatly to that richness and it has been a pleasure to get to know him.

I agree with Andy that tape backups may be a good option for you Al. I have always been concerned however with the long term viability of the tapes. I have to admit that I don't use tape backup, nor have I ever. I am wary however from the experiences of others that a tape drive's heads may shift over time. While backups saved one day, and restored a week later would be fine, it may be a different story when years have passed, and maybe you are using a different drive than the one originally used. Perhaps technology has improved and this issue is no longer a concern. If not it seems a better option than DVDs. DVDs are far from trouble free, but by using good media, and verifying the images I feel pretty good about using it. I don't bill all that time, only a fraction of it. Mainly it's just swapping disks, and can be done on a dedicated machine while working on other things. You need a fast burner, but processor speeds and memory are not that important. I usually burn a disk, put it in my analysis machine for verification and start another one in the burner. I rarely get a bad disk unless I'm tasking the computer with other things as it burns.

Another option, which is currently pretty costly, is a robot system such as those sold by forensic-computers.com. The $5000 unit holds 25 disks, burns, prints labels, and verifies the data.

I have been looking at external storage options myself. I don't need network storage as I'm the only one accessing the images, but am favoring some type of FireWire RAID. Not the LaCie units that I know you've had trouble with, but perhaps a unit that could be configured as RAID 5 such as those from WiebeTech. If I had a RAID 5 for image storage I wouldn't feel the need to archive right away (although it's probably still a good idea). These units are also somewhat portable, which would allow them to be used in the field for acquiring a large RAID should the need arise.

 
Posted : 22/06/2005 3:35 pm
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

Hi Greg,

I don't want to veer too off topic here but in terms of backing up an image to let's say multiple CD/DVDs, what is the recommended process of verifying the integrity of the finished product?

Assuming I have a 40gb image (and md5 value associated) that has been backed up to 8 or so DVD’s… Do you have to rebuild the image to verify the hash matches the original or are checks done during the copying sufficient?

Thanks,
Andrew-

 
Posted : 22/06/2005 9:23 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

Andrew,

Verification can be accomplished in a couple of different ways. Nero, and probably some other burning applications, have a verify process built in that can be set to run after each burn. This makes the burn process longer, but requires no action by you. Swap disks every 20 minutes or so as long as everything is going well. I don't use it just because I haven't tested its reliability very thoroughly.

If you acquire images to the .e01 format then you know that these evidence files have within them CRC values for each block of data (default block size is 32k in EnCase) as well as an MD5 hash value for the entire evidence file. EnCase has a verification tool built in that recomputes each of these CRC values and compares it with the original. It also recomputes the MD5 hash of the evidence file as a whole. If any are different the sector blocks are flagged by EnCase. If I put 3 image files on a DVD I can point EnCase at all 3 at once and let it run. Takes about 11 minutes to complete and doesn't require me to verify each one separately.

If you are using some other application without this type of function you could compute a hash value of each evidence file and recompute after burning.

Either way you go verification is a necessity. Errors are too common when burning to optical media.

 
Posted : 23/06/2005 2:07 am
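The hash-before, recompute-after-burning check described in the post above, as an added example that is not part of the original thread. It assumes the image was acquired as raw split segments, so streaming the segments in order through one MD5 reproduces the whole-image hash without rebuilding the image; the function names, manifest layout and sample data are constructed for illustration.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def hash_segment(path, running, bufsize=1 << 20):
    """MD5 one segment while also feeding its bytes into the running whole-image hash."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):
            h.update(block)
            running.update(block)
    return h.hexdigest()

def build_manifest(segments):
    """Before burning: per-segment MD5s, in order, plus the MD5 of the full image."""
    running = hashlib.md5()
    entries = [(Path(s).name, hash_segment(s, running)) for s in segments]
    return {"segments": entries, "image_md5": running.hexdigest()}

def verify_copy(manifest, copy_dir):
    """After burning: re-hash every copied segment. Returns a list of problems."""
    problems, running = [], hashlib.md5()
    for name, expected in manifest["segments"]:
        path = Path(copy_dir) / name
        if not path.is_file():
            problems.append(f"{name}: missing")
        elif hash_segment(path, running) != expected:
            problems.append(f"{name}: MD5 mismatch")
    # Segments streamed in order reproduce the image hash without rebuilding it.
    if not problems and running.hexdigest() != manifest["image_md5"]:
        problems.append("whole image: MD5 mismatch")
    return problems

def demo():
    """Constructed data: three small 'segments', one clean copy, one damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, good, bad = (Path(tmp) / d for d in ("src", "good", "bad"))
        src.mkdir()
        image = bytes(range(256)) * 40            # stand-in for a raw image
        segs = [src / f"image.{i:03d}" for i in range(3)]
        for i, seg in enumerate(segs):
            seg.write_bytes(image[i * 4000:(i + 1) * 4000])
        manifest = build_manifest(segs)
        for d in (good, bad):
            shutil.copytree(src, d)
        damaged = bytearray((bad / "image.001").read_bytes())
        damaged[123] ^= 0x01                      # simulate one bad bit on a disc
        (bad / "image.001").write_bytes(damaged)
        matches = manifest["image_md5"] == hashlib.md5(image).hexdigest()
        return matches, verify_copy(manifest, good), verify_copy(manifest, bad)

if __name__ == "__main__": print(demo())
```

Keeping the manifest with the case notes rather than only on the discs means a later re-verification does not depend on the media it is checking.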
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

Thanks for that Greg,

As with a lot who are starting out I am not quite ready for the $$$ of EnCase and have been doing much of my work on WinHex and others.

This does however seem like another good feature and as I move along I will surely delve into Guidance’s software and add it to my toolkit… I have the demo CD which many have stated gives you an idea of the software but can be a bit frustrating…

Thanks again for the info, it cleared up some of my fogginess on the subject.

Andrew-

 
Posted : 23/06/2005 3:12 am
 Andy
(@andy)
Posts: 357
Reputable Member
 

femur, we use SAIT (Super AIT) which transfers at 500GB (that's manufacturer's GB) at 30MB/s (uncompressed). It has a larger capacity than DLT.

To my knowledge SDLT 600 transfers at 300GB at 36MB/s. Slightly faster but it's not got the storage.

I actually don't have much to do with the tape backup we use, as a colleague has taken ownership of archiving, but he tells me that many factors come into play with using tape, such as, where on the network we place the drive?, what software is used? etc.

If you are not storing vast amounts of data (we currently have about 5 Terabytes, with room for 5 more or thereabouts), then I agree with Greg, DVD is a realistic option. But be careful of the CD/DVD burning robots, as we've had one for a couple of years, and it's been a complete waste of money. It hardly ever worked right.

Andy

 
Posted : 23/06/2005 11:20 am
mark777
(@mark777)
Posts: 101
Estimable Member
 

Andy

It wasn't from Fernico, was it?

 
Posted : 27/06/2005 8:59 pm