Recover deleted dat...
 
Notifications
Clear all

Recover deleted data from backup tapes?

14 Posts
7 Users
0 Likes
2,802 Views
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

My google fu is failing me here and I can't find any information about what happens to data on a backup tape when it is wiped.

My assumption is that it is gone but having minimal exposure to backup tapes thought someone here might have information.

Does wiping/deleting zero out the entire tape or just the index table. Is recovery of deleted data even possible on backup tapes?

 
Posted : 10/10/2012 6:51 am
(@ddelija)
Posts: 14
Active Member
 

this is a good admin site about backups and there was a lot about tapes in my admin times
http//www.backupcentral.com/

erasing tape depends on the type of tape capabilities of tape drive ..
tehnology was changing a lot

There was some erasing procedures which rewrites media as for disks, but it depends on drive and type model
can be tricky

there was even nightmare situations where tape was readable only on drive which was used to write data )

 
Posted : 10/10/2012 10:46 am
(@mscotgrove)
Posts: 938
Prominent Member
 

It is very tape dependant, and also dependant on the backup software.

As a general rule there are only two things you can do with a tape, read it, and append to it. When a tape is 'reset' it starts writing at the start and the rest of the tape cannot be reached. Thus if you have a 100GB tape and write 1GB of data to it, there ay be 99GB of data still there but it cannot be accessed by any normal means. It may require a very specialist company to recover the data.

On the next level of tapes, some tape can have multiple partitions, and each partition acts like a separate tape. These may then have separate indexes which could be rewritten to give the impression of deleting files.

 
Posted : 10/10/2012 5:56 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

To expand on the above.

A tape is a linear device which is essentially always read from the start. When you write to a tape you write a stream of data and when you stop writing the tape hardware automatically writes an end of data mark (EOD). You can then seek (and read) anywehere from beggining of tape (BOT) to EOT.

So, if you have a tape and write 100GB of data to it you can then seek anywhere within that 100GB and read any of the data. If you, for instance positioned the heads (did a seek) to say 10GB into the data and at that point wrote say 20GB you would end up with 10GB of the old data, followed immediately by the 20GB you have just written and then a new EOD mark that the tape firmeare will have already written for you.

Tapes allow for up to two partitions and the same rules apply for each of them.

So can you get the data back beyond the EOD mark? no and yes.

No - in that the tape firmware will not allow you to read beyond the EOD mark, all you can normally do is seek to EOD (or anywhere before it) and then write data.

Yes - in that you can sometimes trick the tape or you can get modified (or write your own) firmware that allows you to seek past EOD.

 
Posted : 10/10/2012 9:03 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

This may be of interest

Forensic acquisition and analysis of magnetic tapes
by Bruce J. Nikkel

http//digitalforensics.ch/nikkel05.pdf

Which sums up everything pretty well (IMHO).

If the scope is "recovery" (and not necessarily "forensic sound" recovery) the "overwrite the EOD" trick has been reported to work, you loose only a minimal amount of data, see
http//www.linux.org.za/Lists-Archives/glug-9708/msg00015.html
http//net.doit.wisc.edu/~plonka/sysadmin/backup.html

But the "right solution" for a forensic case (STRICTLY hardware/vendor specific) is to have a way to skip over the EOD with a modified firmware or, as in one of the cases above using a particular feature of the hardware.

But then again even if you have the knowledge to write a modified firmware (and possibly also the hardware tools that might be needed to "flash" the new firmware, how long will it take?
And "how much" is it "solid" in a Court?

AFAIK this is what you actually pay (dearly) the few specialized companies for.

jaclaz

 
Posted : 10/10/2012 11:57 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

This may be of interest

Forensic acquisition and analysis of magnetic tapes
by Bruce J. Nikkel

http//digitalforensics.ch/nikkel05.pdf

Which sums up everything pretty well (IMHO).

If the scope is "recovery" (and not necessarily "forensic sound" recovery) the "overwrite the EOD" trick has been reported to work, you loose only a minimal amount of data, see
http//www.linux.org.za/Lists-Archives/glug-9708/msg00015.html
http//net.doit.wisc.edu/~plonka/sysadmin/backup.html

But the "right solution" for a forensic case (STRICTLY hardware/vendor specific) is to have a way to skip over the EOD with a modified firmware or, as in one of the cases above using a particular feature of the hardware.

But then again even if you have the knowledge to write a modified firmware (and possibly also the hardware tools that might be needed to "flash" the new firmware, how long will it take?
And "how much" is it "solid" in a Court?

AFAIK this is what you actually pay (dearly) the few specialized companies for.

jaclaz

I took issue with that paper when it was first published - there are some assumptions about how data is written at a the lowest level - particularly with IIRC relation to tape frames and (again IIRC) slack space. But at a high level it is a good resource.

haven't the time or inclination to read it all again.

 
Posted : 11/10/2012 1:20 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

Thanks folks )

I don't have highly specialised software or equipment, just Backup Exec and a SAS LTO tape drive, so for me not doable but I will put it back to the client if they wish to spend big dollars they may have luck with a specialist firm.

 
Posted : 11/10/2012 6:59 am
(@markalto800)
Posts: 2
New Member
 

Data can be recovered from backup tapes also as recovered from hard disk. There are software available on Internet which claims recovering data from backup tapes. Why don't you download and try a software yourself. Here i suggest you to give Kernel for Tape data recovery software a try. I have used data recovery software from the same vendor and that worked like a charm for me.

 
Posted : 28/11/2012 2:55 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

I would be very wary of software that claims it can recover from "despooled and broken tapes".

Although the demo offer seems good, I would again be wary. I did some work for a governmenrt agency who had used third party software. That software missed 70% of the files on some of the tapes and of the files it did recover 50% were corrupt.

Also they dont mention archive software - do they support backup exec, arcvserve (loads of variants), netbackup etc. - the BIGGEST problem with tapes is not the physical media but rather the format of the data on the tape.

They could simply be doing file carving and to a layman this might sound like a good idea as files are assumed to be written to tape sequentially. However some archive softare embeds small checksum data structures thoughout files, also other such as netbackup allow you to stream data from multiple machines, in this case files can be, and usually are, very fragmented.

No axe to grind here as I don't sell my tape tools - buyer beware etc. - too many oddities with the advert for me to trust it.

 
Posted : 28/11/2012 5:13 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

Well as luck would have it I have the tapes here many of which are showing as blank. Evidence at hand suggests they have held data previously so I will download the demo and see what it can do.

If it recovers anything at all from the tapes then given how cheap it is I'll be buying a copy

If it recovers nothing then well…I won't )

Edit - Well that was a short lived test lol downloaded the trial version and it didn't recognise my backup tape drive at all. I checked and it had no windows drivers associated with it (Backup Exec uses it's own drivers). So I installed windows drivers and the software recognised the tape drive, recognises the tape I put in and accurately reports it's size. I click on "make image" which is the first step in data recovery, and instantly it reports "no data available"

Test conclusion, does not do what it says on the box = me not purchasing software

I tried to create an image of a tape which has data on it I've successfully recovered already with Backup exec, but now the software won't detect the tape no matter what I do. Seems very buggy and if it can't take an image of a wiped/blank tape then try and recover data seems a bit pointless really.

 
Posted : 29/11/2012 5:46 am
Page 1 / 2
Share: