
Recover deleted data from backup tapes?

Adam10541
(@adam10541)
Senior Member

My Google-fu is failing me here and I can't find any information about what happens to data on a backup tape when it is wiped.

My assumption is that it is gone but having minimal exposure to backup tapes thought someone here might have information.

Does wiping/deleting zero out the entire tape or just the index table? Is recovery of deleted data even possible on backup tapes?

Topic starter Posted : 10/10/2012 7:51 am
ddelija
(@ddelija)
New Member

This is a good admin site about backups, and there was a lot about tapes in my admin times:
http://www.backupcentral.com/

Erasing a tape depends on the type of tape and the capabilities of the tape drive.
Technology was changing a lot.

There were some erasing procedures which rewrite media as for disks, but it depends on drive and type model.
Can be tricky.

There were even nightmare situations where a tape was readable only on the drive which was used to write the data :)

Posted : 10/10/2012 11:46 am
mscotgrove
(@mscotgrove)
Senior Member

It is very tape dependent, and also dependent on the backup software.

As a general rule there are only two things you can do with a tape: read it, and append to it. When a tape is 'reset' it starts writing at the start and the rest of the tape cannot be reached. Thus if you have a 100GB tape and write 1GB of data to it, there may be 99GB of data still there but it cannot be accessed by any normal means. It may require a very specialist company to recover the data.

On the next level of tapes, some tapes can have multiple partitions, and each partition acts like a separate tape. These may then have separate indexes which could be rewritten to give the impression of deleting files.

Posted : 10/10/2012 6:56 pm
PaulSanderson
(@paulsanderson)
Senior Member

To expand on the above.

A tape is a linear device which is essentially always read from the start. When you write to a tape you write a stream of data and when you stop writing the tape hardware automatically writes an end of data mark (EOD). You can then seek (and read) anywhere from beginning of tape (BOT) to EOT.

So, if you have a tape and write 100GB of data to it you can then seek anywhere within that 100GB and read any of the data. If you, for instance, positioned the heads (did a seek) to say 10GB into the data and at that point wrote say 20GB you would end up with 10GB of the old data, followed immediately by the 20GB you have just written and then a new EOD mark that the tape firmware will have already written for you.

Tapes allow for up to two partitions and the same rules apply for each of them.

So can you get the data back beyond the EOD mark? no and yes.

No - in that the tape firmware will not allow you to read beyond the EOD mark, all you can normally do is seek to EOD (or anywhere before it) and then write data.

Yes - in that you can sometimes trick the tape or you can get modified (or write your own) firmware that allows you to seek past EOD.

Posted : 10/10/2012 10:03 pm
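The EOD behaviour described in the two posts above, as an added example that is not part of the original thread: a toy model in which one list cell stands for 1GB, the drive refuses any seek or read past EOD, and a 'reset' only moves EOD back to the start. The class and function names are hypothetical, and real drives, formats and erase commands differ by vendor.

```python
class EndOfData(Exception):
    """The drive refuses to position or read past the EOD mark."""

class Tape:
    def __init__(self, capacity_gb):
        self.media = [None] * capacity_gb  # what is physically recorded, one cell per GB
        self.eod = 0                       # logical end of data (0 = beginning of tape)
        self.pos = 0

    def seek(self, pos):
        if not 0 <= pos <= self.eod:
            raise EndOfData(f"seek to {pos} refused, EOD is at {self.eod}")
        self.pos = pos

    def write(self, label, length):
        if self.pos + length > len(self.media):
            raise ValueError("write would run off the end of the tape")
        for i in range(self.pos, self.pos + length):
            self.media[i] = label
        self.pos += length
        self.eod = self.pos  # a new EOD mark follows the last block written

    def read_all(self):
        """Everything a normal drive will return: BOT up to EOD."""
        self.pos = self.eod
        return self.media[:self.eod]

    def reset(self):
        """Tape 'reset' as described in the thread: EOD moves to the start."""
        self.pos = self.eod = 0

    def beyond_eod(self):
        """Old data still on the media but unreachable through seek/read."""
        return [cell for cell in self.media[self.eod:] if cell is not None]

def overwrite_scenario():
    tape = Tape(100)
    tape.write("old", 100)  # 100GB backup fills the tape
    tape.seek(10)           # position 10GB into the data
    tape.write("new", 20)   # write 20GB; EOD is now at 30GB
    return tape

if __name__ == "__main__":
    t = overwrite_scenario()
    data = t.read_all()
    print("readable:", data.count("old"), "GB old +", data.count("new"), "GB new")
    print("beyond EOD:", len(t.beyond_eod()), "GB")
    t.reset()
    print("after reset:", len(t.read_all()), "GB readable,", len(t.beyond_eod()), "GB beyond EOD")
```
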
jaclaz
(@jaclaz)
Community Legend

This may be of interest

Forensic acquisition and analysis of magnetic tapes
by Bruce J. Nikkel

http://digitalforensics.ch/nikkel05.pdf

Which sums up everything pretty well (IMHO).

If the scope is "recovery" (and not necessarily "forensic sound" recovery) the "overwrite the EOD" trick has been reported to work, you lose only a minimal amount of data, see
http://www.linux.org.za/Lists-Archives/glug-9708/msg00015.html
http://net.doit.wisc.edu/~plonka/sysadmin/backup.html

But the "right solution" for a forensic case (STRICTLY hardware/vendor specific) is to have a way to skip over the EOD with a modified firmware or, as in one of the cases above using a particular feature of the hardware.

But then again even if you have the knowledge to write a modified firmware (and possibly also the hardware tools that might be needed to "flash" the new firmware), how long will it take?
And "how much" is it "solid" in a Court?

AFAIK this is what you actually pay (dearly) the few specialized companies for.

jaclaz

Posted : 11/10/2012 12:57 am
PaulSanderson
(@paulsanderson)
Senior Member

I took issue with that paper when it was first published - there are some assumptions about how data is written at the lowest level - particularly with IIRC relation to tape frames and (again IIRC) slack space. But at a high level it is a good resource.

Haven't the time or inclination to read it all again.

Posted : 11/10/2012 2:20 am
Adam10541
(@adam10541)
Senior Member

Thanks folks :)

I don't have highly specialised software or equipment, just Backup Exec and a SAS LTO tape drive, so for me not doable but I will put it back to the client if they wish to spend big dollars they may have luck with a specialist firm.

Topic starter Posted : 11/10/2012 7:59 am
MarkAlto800
(@markalto800)
New Member

Data can be recovered from backup tapes also as recovered from hard disk. There are software available on Internet which claims recovering data from backup tapes. Why don't you download and try a software yourself. Here I suggest you to give Kernel for Tape data recovery software a try. I have used data recovery software from the same vendor and that worked like a charm for me.

Posted : 28/11/2012 2:55 pm
PaulSanderson
(@paulsanderson)
Senior Member

I would be very wary of software that claims it can recover from "despooled and broken tapes".

Although the demo offer seems good, I would again be wary. I did some work for a government agency who had used third party software. That software missed 70% of the files on some of the tapes and of the files it did recover 50% were corrupt.

Also they don't mention archive software - do they support Backup Exec, ARCserve (loads of variants), NetBackup etc. - the BIGGEST problem with tapes is not the physical media but rather the format of the data on the tape.

They could simply be doing file carving and to a layman this might sound like a good idea as files are assumed to be written to tape sequentially. However some archive software embeds small checksum data structures throughout files, also others such as NetBackup allow you to stream data from multiple machines, in this case files can be, and usually are, very fragmented.

No axe to grind here as I don't sell my tape tools - buyer beware etc. - too many oddities with the advert for me to trust it.

Posted : 28/11/2012 5:13 pm
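Why header-to-footer carving breaks on multiplexed backups, as described in the post above (an added example, not part of the original thread): two client streams are interleaved block by block behind a small per-block header, then one file is carved naively and compared with a format-aware extraction. The 2-byte framing, block size and sample data are constructed for illustration and are not the on-tape format of NetBackup or any other product.

```python
BLOCK = 16                                      # payload bytes per block (constructed)
HEADER, FOOTER = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start/end markers

# Constructed sample data: a small "JPEG" from client 1, log text from client 2.
FILE_A = HEADER + bytes(range(50)) + FOOTER
STREAM_B = b"client-B log line\n" * 3

def multiplex(streams):
    """Interleave streams block by block; each block is prefixed with a
    1-byte stream id and a 1-byte payload length (made-up framing)."""
    out = bytearray()
    offsets = {sid: 0 for sid in streams}
    while any(offsets[sid] < len(data) for sid, data in streams.items()):
        for sid, data in streams.items():
            chunk = data[offsets[sid]:offsets[sid] + BLOCK]
            if chunk:
                out += bytes([sid, len(chunk)]) + chunk
                offsets[sid] += len(chunk)
    return bytes(out)

def carve(image, header=HEADER, footer=FOOTER):
    """Naive carving: everything from the first header to the next footer."""
    start = image.find(header)
    end = image.find(footer, start + len(header)) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    return image[start:end + len(footer)]

def demultiplex(image, wanted_sid):
    """Format-aware extraction: walk the block headers, keep one stream."""
    out, i = bytearray(), 0
    while i < len(image):
        sid, length = image[i], image[i + 1]
        if sid == wanted_sid:
            out += image[i + 2:i + 2 + length]
        i += 2 + length
    return bytes(out)

IMAGE = multiplex({1: FILE_A, 2: STREAM_B})

if __name__ == "__main__":
    carved = carve(IMAGE)
    print("original file:", len(FILE_A), "bytes")
    print("carved file:  ", len(carved), "bytes, intact:", carved == FILE_A)
    print("demultiplexed:", len(demultiplex(IMAGE, 1)), "bytes, intact:",
          demultiplex(IMAGE, 1) == FILE_A)
```

The carved output starts and ends with valid markers, so it looks like a recovered file, but it contains the other client's blocks and the framing bytes.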
Adam10541
(@adam10541)
Senior Member

Well as luck would have it I have the tapes here many of which are showing as blank. Evidence at hand suggests they have held data previously so I will download the demo and see what it can do.

If it recovers anything at all from the tapes then given how cheap it is I'll be buying a copy.

If it recovers nothing then well…I won't :)

Edit - Well that was a short lived test lol, downloaded the trial version and it didn't recognise my backup tape drive at all. I checked and it had no Windows drivers associated with it (Backup Exec uses its own drivers). So I installed Windows drivers and the software recognised the tape drive, recognises the tape I put in and accurately reports its size. I click on "make image" which is the first step in data recovery, and instantly it reports "no data available"

Test conclusion, does not do what it says on the box = me not purchasing software

I tried to create an image of a tape which has data on it I've successfully recovered already with Backup exec, but now the software won't detect the tape no matter what I do. Seems very buggy and if it can't take an image of a wiped/blank tape then try and recover data seems a bit pointless really.

Topic starter Posted : 29/11/2012 5:46 am
PaulSanderson
(@paulsanderson)
Senior Member

You can't recover from a wiped tape using software. The firmware in the drive will prevent you reading past the end of data marker (EOD) and EOD on blank/wiped tape is at the beginning of media (BOM).

Posted : 29/11/2012 1:48 pm
Adam10541
(@adam10541)
Senior Member

So the claim on the website, that they can recover data from "Tape Drives have been erased."

Would appear to be either a blatant lie, or they have slipped the word "drives" in there so they can say "we were talking about the tape drive not the tape" haha.

Paul, that was my understanding as well but thought maybe they had figured some sneaky way to trick the drive into just imaging anyway, but as the software can't even recognise a tape that has live data on it the tool is clearly not worth any more of my time and certainly not my money :)

Topic starter Posted : 30/11/2012 5:22 am
mscotgrove
(@mscotgrove)
Senior Member

There are a few very old tape drives on which you could read 'deleted data'. Open reel is one. However, all helical scan drives I have seen, and every other drive produced probably in the past 15 years, cannot be read without very specialised techniques. The techniques are very closely guarded by companies that may charge $5K to read a tape.

As Paul says, reading the physical tape may only be part of the story, logical variations, and local configuration issues are enormous.

Posted : 30/11/2012 8:24 pm
 Anonymous

This was a big issue for me. Verified DFS backups would not restore correctly. Threw some BS message that the jobs were created with a previous version, when they were created from scratch because that POS 2012 destroyed all my jobs during the upgrade. I resolved the problem myself by trial and error with a workaround. T3 tech worked on it for 3 hours straight with no fix/workaround…..except can you send me the logs when you try doing your next restore attempt. They never did correct it and just stopped inquiring.

Anybody that uses BKUP Exec 2012, I highly recommend you do monthly validity tests on your backup data.

Posted : 17/05/2016 8:24 pm