±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36115
New Yesterday: 0 Visitors: 94

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

VXA Tape Forensic copy

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

Rampage
Senior Member
 

VXA Tape Forensic copy

Post Posted: Oct 23, 08 15:03

Hello everyone Smile

I have 10 VXA Tapes to make a forensic copy of.

i'm planning to use DD for the acquisition of these tapes, but since it's the first time i have to deadl with such media, are there things i need to take particular care of?

for example, if i make a dd image of the tape, can i then use dd to write the content back to a new tape?
can i access the content of the image to extract the data out of it?

is it possible to mount a dd image of the tape in loopback to check the content? or (as i think) it's not possible?

i've also read a topik about tape forensics on this forum and someone explained something about block-size that must be the same for both the source and the destination, but i can't find informations about these tapes block size anywhere, is there a way to obtain such information?

sorry but i'm really a n00b in these kind of stuff and i need some monkey-proof help Smile

thnx in advice.
sorry for my bad english.  
 
  

mobileforensicswales
Senior Member
 

Re: VXA Tape Forensic copy

Post Posted: Oct 23, 08 19:42

Tape cat is a pretty good piece of forensic software to image tape, I've used it before and had no problems.

Just make sure you put the tape into a read only mode

Hope this is of help

www.fieldsassociates.co.uk  
 
  

Rampage
Senior Member
 

Re: VXA Tape Forensic copy

Post Posted: Oct 23, 08 20:56

you mean this one?
www.inventivetechnology.at/tapecat/  
 
  

mobileforensicswales
Senior Member
 

Re: VXA Tape Forensic copy

Post Posted: Oct 24, 08 13:58

No this was the link here

www.sandersonforensics...sp?page=11

but looking at it now I'm not sure if it will support the tape format you were after  
 
  

Rampage
Senior Member
 

Re: VXA Tape Forensic copy

Post Posted: Oct 26, 08 20:46

I looked around for some software and it looks like that DD is the best choiche for me right now.

first of all becouse except of the tape model, i dunno anything about the content, how it was produced, wich software was used for the backups and such.

and since i'm in a hurry, the best choiche is to make a 1:1 copy of the tape to an image file and work on it, couse i can't keep these tapes any longer.

by googling around a bit i found this article:
www.crazytrain.com/dd.html

wich says something interesting about determining the source block size:


Now let's say we have an unknown tape to examine. If we are unsure of the block size used on the tape, we could use the ibs/obs flags to find the correct size. Finding the correct size speeds up the copying process - sometimes dramatically!
dd if=/dev/st0 ibs=128 of=/dev/case10img1 obs=1 count=1
The above usage will attempt to take 1 block with size of 128 from 'st0' and create 'case10img1' output with a block size of 1. The 'count' flag is used so that only 1 block is read. We do this because we want to limit DD to just the 1 block. If we did not set a count size DD would continue on and a whole lot of time would be wasted! What this example attempts to show is that by setting the input block size to 128 we can effectively find what the real block size is (unless, of course, it is 128!). With 512 as the standard block size, assuming 128 is virtually a failproof way to find the real block size. The output of the above command would most likely be an 'error' message (which was our intent) with the real block size revealed (say 1024, for example).


would this work?

sorry again for my bad english Smile  
 
  

PaulSanderson
Senior Member
 

Re: VXA Tape Forensic copy

Post Posted: Oct 27, 08 13:33

DD will prob not help.

A tape is usually split intoa number fo tapefiles, sometimes just one but normally (even for a tape with one backup session) multiple files. The block size can vary between tape files and even from block to block

DD will get the first file if it is a fixed block size but after that you need to start screwing around with mt to reposition the tape.
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 
 
  

Rampage
Senior Member
 

Re: VXA Tape Forensic copy

Post Posted: Oct 27, 08 13:41

so there's no way to use dd to make an image of the tape?

what do you suggest to do.  
 

Page 1 of 2
Page 1, 2  Next