My google fu is failing me here and I can't find any information about what happens to data on a backup tape when it is wiped.

My assumption is that it is gone but having minimal exposure to backup tapes thought someone here might have information.

Does wiping/deleting zero out the entire tape or just the index table. Is recovery of deleted data even possible on backup tapes?  

this is a good admin site about backups and there was a lot about tapes in my admin times
www.backupcentral.com/

erasing tape depends on the type of tape capabilities of tape drive ..
tehnology was changing a lot

There was some erasing procedures which rewrites media as for disks, but it depends on drive and type model
can be tricky

there was even nightmare situations where tape was readable only on drive which was used to write data  

It is very tape dependant, and also dependant on the backup software.

As a general rule there are only two things you can do with a tape, read it, and append to it. When a tape is 'reset' it starts writing at the start and the rest of the tape cannot be reached. Thus if you have a 100GB tape and write 1GB of data to it, there ay be 99GB of data still there but it cannot be accessed by any normal means. It may require a very specialist company to recover the data.

On the next level of tapes, some tape can have multiple partitions, and each partition acts like a separate tape. These may then have separate indexes which could be rewritten to give the impression of deleting files.
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

To expand on the above.

A tape is a linear device which is essentially always read from the start. When you write to a tape you write a stream of data and when you stop writing the tape hardware automatically writes an end of data mark (EOD). You can then seek (and read) anywehere from beggining of tape (BOT) to EOT.

So, if you have a tape and write 100GB of data to it you can then seek anywhere within that 100GB and read any of the data. If you, for instance positioned the heads (did a seek) to say 10GB into the data and at that point wrote say 20GB you would end up with 10GB of the old data, followed immediately by the 20GB you have just written and then a new EOD mark that the tape firmeare will have already written for you.

Tapes allow for up to two partitions and the same rules apply for each of them.

So can you get the data back beyond the EOD mark? no and yes.

No - in that the tape firmware will not allow you to read beyond the EOD mark, all you can normally do is seek to EOD (or anywhere before it) and then write data.

Yes - in that you can sometimes trick the tape or you can get modified (or write your own) firmware that allows you to seek past EOD.
_________________
Paul Sanderson
Reconnoitre, VSC processing made easy - www.sandersonforensics...oitre.html
www.twitter.com/sandersonforens 

This may be of interest:

Forensic acquisition and analysis of magnetic tapes
by Bruce J. Nikkel

digitalforensics.ch/nikkel05.pdf

Which sums up everything pretty well (IMHO).

If the scope is "recovery" (and not necessarily "forensic sound" recovery) the "overwrite the EOD" trick has been reported to work, you loose only a minimal amount of data, see:
www.linux.org.za/Lists...00015.html
net.doit.wisc.edu/~plo...ackup.html

But the "right solution" for a forensic case (STRICTLY hardware/vendor specific) is to have a way to skip over the EOD with a modified firmware or, as in one of the cases above using a particular feature of the hardware.

But then again even if you have the knowledge to write a modified firmware (and possibly also the hardware tools that might be needed to "flash" the new firmware, how long will it take?
And "how much" is it "solid" in a Court?

AFAIK this is what you actually pay (dearly) the few specialized companies for.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

- jaclaz

This may be of interest:

Forensic acquisition and analysis of magnetic tapes
by Bruce J. Nikkel

digitalforensics.ch/nikkel05.pdf

Which sums up everything pretty well (IMHO).

If the scope is "recovery" (and not necessarily "forensic sound" recovery) the "overwrite the EOD" trick has been reported to work, you loose only a minimal amount of data, see:
www.linux.org.za/Lists...00015.html
net.doit.wisc.edu/~plo...ackup.html

But the "right solution" for a forensic case (STRICTLY hardware/vendor specific) is to have a way to skip over the EOD with a modified firmware or, as in one of the cases above using a particular feature of the hardware.

But then again even if you have the knowledge to write a modified firmware (and possibly also the hardware tools that might be needed to "flash" the new firmware, how long will it take?
And "how much" is it "solid" in a Court?

AFAIK this is what you actually pay (dearly) the few specialized companies for.


jaclaz

I took issue with that paper when it was first published - there are some assumptions about how data is written at a the lowest level - particularly with IIRC relation to tape frames and (again IIRC) slack space. But at a high level it is a good resource.

haven't the time or inclination to read it all again.
_________________
Paul Sanderson
Reconnoitre, VSC processing made easy - www.sandersonforensics...oitre.html
www.twitter.com/sandersonforens 

Thanks folks

I don't have highly specialised software or equipment, just Backup Exec and a SAS LTO tape drive, so for me not doable but I will put it back to the client if they wish to spend big dollars they may have luck with a specialist firm.