
Lovtaler: Pile O' disks - Mar 30 2024

  • Scott Sumner
  • May 30, 2024
  • 3 min read

I've always found digital forensics fascinating, and despite a few career changes, I keep gravitating back to that soul-searching quest for truth. There's a certain grind to this field, involving a lot of repetitive tasks. Ideally, you can script away some of the transactional stuff, but even then, repetition is inevitable.


However, every now and then, something completely atypical comes along. One such case was an estate recovery I dubbed "Box of Disks."


The task involved sifting through an estate's collection of memory cards, disks, and hard drives—several petabytes' worth of both solid-state and spinning disk drives. The estate was looking for "data of value," which is a pretty vague directive.


On top of that, there was the looming specter of encryption, which can quickly become a rabbit hole. After talking to the family, I got a better sense of what they were after: the obvious financial information and some less obvious sentimental artifacts.


The entire haul arrived in many, many boxes. The physical proximity of items can sometimes offer clues about what platform they were used on, which posed a challenge from day one.


We tackled this in phases, starting with hardware-based triage. Fortunately, there were photos of the decedent's home, which were enormously helpful.


Phase I: Hardware Triage

Before we could start digging into the data, we needed to structure the triage and recovery process. This meant laying out the storage in a way that clearly separated which disk went to which platform.


Complicating matters was the vintage of the systems, ranging from the 1980s to very recent times. There were SCSI drives, IDE drives, Apple Hybrid drives, SAN drives, NAS drives, plus buckets of flash drives, cards, and other small storage devices.


Once we segregated these categories, the physical reconstruction of the pieces and parts began in earnest. Practically speaking, this meant rebuilding systems that used old technology and then reassembling the RAID-based systems.


The ease of recovery varied with the age of the systems. Older systems often lacked encryption, making them easier to deal with once you figured out the formats. The downside was that 30-year-old hard disks might not start up at all. In one case, a disk didn't start up, and we had to rely on eBay for old systems and parts.


Newer systems often functioned well but added complexity with RAID configurations and encryption.


Phase II: Data Characterization and Triage

This phase involved characterizing the data to determine what was financially relevant, personal, or required further analysis.


Direct inspection of each object isn't scalable, so we made some basic assumptions based on the type of system, the time frame, what we knew about the user(s), and the proximity of other data.


We grouped the data into two basic categories, which allowed us to apply some intelligence to our scripting. Basic Python skills are a force multiplier here, and large language model AI tools can be incredibly helpful too.


There were a lot of backups, which is great but also added to the data volume that needed analysis.


Phase III: Data Recovery

This phase focused on the prioritized recovery of data. Ultimately, we consolidated the data on a series of RAID5 portable NAS units—two verified copies.


The verification alone took a week, as there were more than 500 terabytes of data.


A staging environment was hugely helpful. It did mean multiple copies, but it was good not to have to go back and forth between platforms simply for the purpose of consolidation.
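To make the verification step concrete, here is an added example (not the author's own tooling) that hashes every file in each consolidated copy, builds a manifest per copy, and reports what is missing, extra or silently corrupted between the two; the directory layout and file contents are constructed for the demo.

```python
"""Verify two consolidated copies of recovered data. Added example, not code
from the original post: hashes every file in chunks (multi-terabyte images never
need to fit in memory), builds a manifest per copy, and reports differences."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB read size keeps memory flat on huge disk images

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each relative path under root to (size_bytes, sha256)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest

def compare_manifests(primary, secondary):
    """Paths only in primary ('missing'), only in secondary ('extra'), or differing."""
    return {
        "missing": sorted(set(primary) - set(secondary)),
        "extra": sorted(set(secondary) - set(primary)),
        "mismatched": sorted(p for p in primary if p in secondary and primary[p] != secondary[p]),
    }

def write_file(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed sample: copy B lacks will.txt and has one corrupted byte in photos.img."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = os.path.join(tmp, "copy_a"), os.path.join(tmp, "copy_b")
        for root in (a, b):
            write_file(os.path.join(root, "finance", "taxes.txt"), b"2019 return\n")
            write_file(os.path.join(root, "photos.img"), b"\x00" * 4096)
        write_file(os.path.join(a, "will.txt"), b"last will\n")
        write_file(os.path.join(b, "photos.img"), b"\x00" * 100 + b"\x01" + b"\x00" * 3995)
        return compare_manifests(build_manifest(a), build_manifest(b))
```

Saving each manifest alongside the copy also gives a fixed record to cite later for chain of custody, since any later change to a file shows up as a hash mismatch.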


Phase IV: Cleanup, Report Generation, and Responsible Disposal

Given the sensitive nature of the data, all storage had to be not only wiped but also physically destroyed. The family insisted on recycling the metal rather than the media.


This process will be detailed in another article I plan to publish next month.


Report generation is embedded in many tools, but ultimately, there needs to be an easily understood summary for the non-technical audience.


This is crucial for the family's sake and in case the matter ends up in court. Chain of custody is also an important topic.


Finally, we ensured a measured takedown of the cloud systems associated with the decedent. Data in the cloud will eventually be wiped, but it's essential to take overt steps to prevent leaks.

Investment of time - 9 months, 50 hours a week

Investment of money - 6-10K Euros in hardware


This was a challenging but fulfilling project, and the customers were very happy with the end product.

© 2023 by Lovtaler Digital Forensics