Tuesday, November 21, 2006

Archiving digital evidence

Popular Mechanics magazine has an interesting article on the issues involved in long-term digital storage and retrieval. These issues are of particular concern in forensics - how do we safely store evidence in digital format for 20 plus years and also make sense of it after retrieving it, despite the ravages of time and the march of technology?

To put things in perspective, when I was in high school (years 10-12 for those of you from other countries), we used slide rules in my electronics courses. For the first few years at university, we used punched cards for data and program input (this was how you programmed the venerable workhorse IBM 360/370 computer back then). Computer data storage in those days was either an analog audio cassette tape (for low-end machines, such as the Commodore computer) or tape reels. To move quickly to the present day on this trip down memory lane, now we use thumb drives, memory cards, and RAID systems, to name a few current alternatives.

There is also the issue of possibly needing to maintain the computer operating systems to "address" the data and/or programs - they've changed rapidly too. Add proprietary standards on top of it and you've got the makings of a very big problem.

Some important things to remember on this subject are:
  • Use media that is certified to last for at least as long as you are required to retain the data, preferably longer. I advise staying away from tape myself, given the number of cases of dry rot and self-erasure I've encountered. CD and DVD are the current favorites, but don't confuse short-term cost savings with long-term viability - buy "gold" disks. Also see NIST publications, such as this one, for tips on archiving CD and DVD media. The environment in which you store your media matters!
  • Render your results into "data" and store the data. Don't (only) store the data as part of a "project" file that will then require running the program to get the data back out. The same goes for the audit trail. Don't rely on (only) a "project" file to store the steps you took in processing the evidence.
  • Store data in non-proprietary formats, preferably ones with wide support. In the case of audio and video data, I recommend WAV and AVI, respectively. For textual data (reports, audit trails, etc.), .TXT is a good choice.
  • Periodically perform spot checks to ensure archiving and retrieval procedures are working properly. It only takes one mistake to ruin a lot of evidence!
Please note I am not trying to say that you should never use proprietary data, project files, and such. What I am trying to get across is to not be single-threaded on them. In other words, go ahead and store your report in Microsoft Word (R) but also store a copy in TXT, just in case. Go ahead and store the project in your audio or video software, but also render and store a WAV or AVI. For that matter, you should burn an audio CD (i.e. CDA format) or video DVD too, so that an operating system is not required for playback.
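The spot checks and the "don't be single-threaded" rule above can be automated. The following is an added example, not part of the original post: it records a SHA-256 digest for every file at archive time, re-reads a random sample later to detect missing or altered files, and flags proprietary files that have no same-named copy in an open format. The digest manifest, the extension mapping, and the `.proj` extension are assumptions of this example.

```python
import hashlib
import random
import tempfile
from pathlib import Path, PurePosixPath

# Assumed mapping, proprietary -> open formats (".proj" is a made-up project-file extension).
OPEN_COPIES = {".doc": {".txt"}, ".proj": {".wav", ".avi"}}

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """At archive time: map each file's relative path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

def spot_check(root, manifest, sample_size, seed=None):
    """Later: re-read a random sample from the media and compare digests."""
    picked = random.Random(seed).sample(sorted(manifest), min(sample_size, len(manifest)))
    problems = []
    for name in picked:
        path = Path(root) / name
        if not path.is_file():
            problems.append((name, "missing"))
        elif sha256_of(path) != manifest[name]:
            problems.append((name, "digest mismatch"))
    return sorted(problems)

def missing_open_copies(manifest):
    """Proprietary files that have no same-named copy in an open format."""
    lacking = []
    for name in sorted(manifest):
        p = PurePosixPath(name)
        wanted = OPEN_COPIES.get(p.suffix.lower(), ())
        if wanted and not any(str(p.with_suffix(e)) in manifest for e in wanted):
            lacking.append(name)
    return lacking

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample archive
        for name in ("report.doc", "report.txt", "interview.proj"):
            Path(root, name).write_bytes(name.encode())
        manifest = build_manifest(root)
        Path(root, "report.txt").write_bytes(b"bit rot")  # simulate media decay
        print(spot_check(root, manifest, 3), missing_open_copies(manifest))
```

Store the manifest itself as plain text alongside the archive and in a second location, so a damaged disc cannot take its own reference digests with it.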

In closing, effective archival of data is a tough problem, but one that has been around for a long time in one form or another - consider cave paintings and hieroglyphics as examples. We won't "solve" the problem even now, but it is our responsibility as professionals and keepers of the public trust to take reasonable and effective steps to maintain the integrity of the evidence.
