Solution Guide

Archive 89
merely needs to navigate through the original folder structure, locate the folder
or file she wants to restore, right-click the file or folder, and then select the
restore option.
Dell recommends that all evidence and case files be kept on a central, scalable
NAS device that provides a single expandable point of storage and allows easy
collaboration between analysts. This also gives a single point of audit for
chain-of-custody purposes. When a file has been selected for archive, it is moved
during the next available system processing window from primary storage to a
secondary option (tape or nearline disk).
Archive and recall times will vary greatly depending on the current traffic to and
from the centralized NAS storage, the files currently being archived, and the type
of media that makes up the secondary storage option. For example, nearline
SATA disk delivers much quicker completion rates than tape. All files can be
encrypted onto tape for additional security when they reach the long-term
archive phase of the Solution, which may require additional licensing.
Dell Backup Recommendations
Backup of Evidence and Case files
A forensics lab has three core file types:
Image files – These are the forensically sound images of the suspect device.
Once ingested, they never change and only need to be backed up once (possible
extensions: E01, DD, etc.). Evidence files tend to be low in quantity but very
large in size.
Case files – These are the data files and indexes that result from analysis;
they may need to be exported out of the forensics application. The files change
frequently while a case is live, and they can carry many different extensions,
so they must be backed up on a daily basis. Case files tend to be numerous but
usually very small in size.
Database – This file type is used only by FTK 3 (at the moment), but it holds
all of the links between the case files and the evidence files, as well as all of
the investigation bookmarks and notes. Database files must be backed up daily.
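The three rules above (images once, case files and database daily) can be turned into a backup-selection step that runs before each job. The following Python script is an added illustration, not Dell's code or part of the guide: it classifies files by extension (E01 and DD are taken from the text; the .db/.sqlite database extensions, the manifest layout, and the constructed sample tree are assumptions), selects what is due, and, because an evidence image must never change, treats a hash mismatch on an already-backed-up image as a finding to investigate rather than a file to re-copy.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example (not from the Dell guide). E01 and DD are named on the page;
# the database extensions and the "everything else is a case file" rule are
# assumptions for illustration.
IMAGE_EXTS = {".e01", ".dd"}          # forensic images: never change, back up once
DATABASE_EXTS = {".db", ".sqlite"}    # case database (FTK-style): back up daily
# Every other file under the lab tree is treated as a case file: back up daily.


def classify(path: Path) -> str:
    ext = path.suffix.lower()
    if ext in IMAGE_EXTS:
        return "image"
    if ext in DATABASE_EXTS:
        return "database"
    return "case"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def select_for_backup(root: Path, manifest: dict, now: float) -> list:
    """Decide which files are due this run.

    manifest maps relative path -> {"kind", "sha256", "backed_up_at"} and is
    the record of what has already been written to secondary storage.
    """
    due = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        kind = classify(path)
        prev = manifest.get(rel)
        if kind == "image":
            if prev is None:
                due.append((rel, kind, "new evidence image"))
            elif sha256_of(path) != prev["sha256"]:
                # Evidence must never change: flag it, do not silently re-back it up.
                due.append((rel, kind, "hash mismatch: evidence modified"))
        elif prev is None or path.stat().st_mtime > prev["backed_up_at"]:
            due.append((rel, kind, "new or modified since last backup"))
    return due


def record_backup(root: Path, manifest: dict, due: list, now: float) -> dict:
    """Update the manifest after the listed files were copied to secondary storage."""
    for rel, kind, reason in due:
        if reason.startswith("hash mismatch"):
            continue  # keep the original reference hash for the investigation
        manifest[rel] = {"kind": kind, "sha256": sha256_of(root / rel),
                         "backed_up_at": now}
    return manifest


def demo() -> dict:
    """Build a constructed lab tree and run two backup cycles; return the decisions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {                               # constructed sample content
            "evidence/laptop01.E01": b"E01 image bytes (constructed)",
            "evidence/usb02.dd": b"dd image bytes (constructed)",
            "cases/case42/index.dat": b"index v1",
            "cases/case42/case42.db": b"db v1",
        }
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            os.utime(p, (500.0, 500.0))         # fixed mtimes keep the run reproducible

        manifest = {}
        day1 = select_for_backup(root, manifest, now=1000.0)
        manifest = record_backup(root, manifest, day1, now=1000.0)

        # Day 2: the case index changes, and an evidence image is altered with
        # its timestamp reset, so only the recorded hash reveals the change.
        idx = root / "cases/case42/index.dat"
        idx.write_bytes(b"index v2")
        os.utime(idx, (2000.0, 2000.0))
        img = root / "evidence/usb02.dd"
        img.write_bytes(b"dd image bytes (MODIFIED)")
        os.utime(img, (500.0, 500.0))
        day2 = select_for_backup(root, manifest, now=3000.0)

        return {
            "day1": sorted(r for r, _, _ in day1),
            "day2": {r: reason for r, _, reason in day2},
            "manifest_kinds": {r: v["kind"] for r, v in manifest.items()},
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The manifest doubles as the chain-of-custody record the guide mentions: every image's hash is fixed at first backup, and the selection step reports any later divergence instead of overwriting it. Case files and the database are picked up by modification time, which is what makes the daily run incremental rather than a 50 TB full copy.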
Figure 7-2 shows the suggested best practice for backing up a digital forensics
lab. Because many forensics labs have 50 TB or more of storage, it may not be
possible to complete a full backup in a standard weekend backup window.