Data disaster: When COOP is not enough

 

Connecting state and local government leaders

Disasters, both natural and man-made, drive home the need for agencies to ensure that data held on IT systems and devices remains accessible in order to support mission-critical operations.

Disasters, both natural and man-made, drive home the need for agencies to ensure that data held on IT systems and devices remains accessible in order to support mission-critical operations.'In the wake of Katrina, I think you're going to see a greater focus on system integrity and data replication,' Chas Phillips, policy counsel for the House Government Reform Committee, said at an IT conference this fall.Continuity-of-operations plans'those that keep government going in the face of emergencies'are important, but far from foolproof. The fact is, the best-laid plans could be overwhelmed by unforeseen circumstances. And when that happens, COOP turns to disaster recovery. Maybe systems are still functional, maybe not. Even if you've protected most of your agency's data at a mirror site or on backup media, you probably haven't saved everything. How do you get that information back?Data recovery is easier said than done, experts say. Once tapes, disks and hard drives have been damaged, recovery becomes dicey and expensive.'It's going to take a long time and cost a lot of money,' possibly as much as $10,000, to extract usable data from a damaged $250 hard drive, said Mark Rasch, chief security counsel for Solutionary Inc. of Omaha, Neb. Rasch used to head up the Justice Department's computer crime unit.'The easiest way to recover data is not to lose it at all,' Rasch said. 'Did you make a backup?'But as many system administrators can testify, backup is not foolproof. In a recent survey by Asigra Inc. of Toronto, 75 percent of respondents said their organizations had lost backed-up data because of unreadable, lost or stolen media. Almost two-thirds of the respondents had run into unreadable backup tapes when trying to recover data.How difficult data recovery will be depends in part on the media you are dealing with. Floppy disks and diskettes can hold relatively little data, but even when mutilated they can be reconstructed using low-tech tools such as cellophane tape and glue.'We used to run an exercise for the Transportation Department at the Federal Law Enforcement Training Center,' Rasch said. At the end of the course, students were given damaged floppy disks containing their certificates of completion. 'If you couldn't recover it, you didn't graduate.'Hard drives hold a lot more data and present a greater challenge to recovery. Data on a hard drive is electro-mechanical'magnetic and stored on a spinning disk. Disk and reader have to be properly synchronized to read the information. If either is damaged, calibration can be a hard job.'It makes it more difficult, but not impossible,' Rasch said.One of the premier government shops for this kind of data recovery is the Defense Computer Forensics Lab.'We now have a hard-drive repair capability,' said Robert Renko, special agent with the Air Force Office of Special Investigations.OSI is the executive agency for the Computer Forensics Lab supporting the criminal investigative agencies of each military service, which have their own computer crime investigators.'We were stood up to handle the strange and complex cases,' Renko said. 'We've had everything in here from the typical laptop and desktop to cell phones, BlackBerrys and personal digital assistants, and Microsoft Xboxes and diver's watches.'There are two layers of data recovery for hard drives, logical and a physical. The logical layer involves the file allocation table, which allows an operating system to locate data on a disk.Removing the table is 'the same as taking the card catalog out of a library,' Renko said. The data remains, but access is difficult. There are forensic tools that can locate the data when operating systems cannot.Dealing with physically damaged drives can be trickier. If you left your notebook on the ground floor of a building that has been flooded, you might be out of luck. The circuit boards are useless, of course. The drives are sealed, but they have pressure equalization holes in them. 'They are not waterproof,' Renko said.The first step in bringing the data back to life would be to dry out the drive.'You can use a blow-dryer, or you can use calcium carbonate or some other desiccant,' Rasch said.But the water is not the real problem. 'The problem is the residue that remains,' which can scour, corrode and otherwise damage the hardware, Renko said. 'Rust is going to set in incredibly fast.'These problems can raise the cost of recovering hard drive data beyond the value of the data you're after.Cost-effectiveness is not the primary consideration in criminal investigations, but manpower and resources are being squeezed at the DOD forensics lab.'Our biggest challenge has turned out to be the growth of the storage capacity' of the devices being examined, Renko said.The gigabytes of data that can be stored on large servers can be time-consuming to recover and analyze, and some cases can involve hundreds of drives.The FBI also does forensic data recovery.'We've had limited success here' with hard drives, said an agent in the Cleveland field office. 'It depends on what it was subjected to.'Smaller devices such as PDAs can present different challenges.'They are supposedly dust-free and airtight, so the data should still be intact on the drive' after a catastrophic event such as a flood, the agent said. 'But once it is wet, the circuitry is gone, so getting the circuits to read it is a challenge.'Whether it is worth the effort depends on the value of the data being sought, he said. 'It might be worth trying.'Interestingly, new data-handling techniques not specifically designed for disaster recovery could ultimately apply to agencies trying to reconstruct critical information.Forensics investigators often must prepare data for use in a courtroom, which means it must be verified as accurate after it is recovered. The FBI has turned to the National Institute of Standards and Technology for help with this. NIST used its expertise in measurement to create high-resolution images of magnetic data that can tell an investigator when data has been written, erased or altered, said physicist David Pappas, project lead at NIST's labs in Boulder, Colo.The technique is called second harmonic magnetoresistive microscopy, and it uses powerful magnetic readers designed for server drives to image the fields on other magnetic media, such as tapes and disks.'You're actually taking a picture of the magnetic field above it, rather than just scanning it really fast and averaging the data,' Pappas said.This system works because it uses magnetic readers, designed to read very dense hard drives, to read much less-dense media such as magnetic tapes or strips.'The system we built to look at storage data was an answer looking for a problem,' Pappas said.The FBI provided the problem when it needed a way to validate the authenticity of evidence recovered from magnetic media. The image of the magnetic field can show erasure marks, like those you might find on a penciled message.The method can be used to noninvasively examine damaged and very short pieces of tape, such as those from a crashed airplane's flight data recorder. The resulting image also can be used to reconstruct and play back analog audio files from tapes.The Library of Congress also is interested in the technology.'They have thousands of tapes that have 'sticky shed syndrome,' ' in which old audio tape sticks to and peels apart on the heads of a tape player, Pappas said. NIST is doing a test to see if the technique can be used to recover data from these tapes without replaying them conventionally.'To do this data recovery, we're going to have to run the tape very slowly,' he said.Building large arrays of magnetic sensors than can read multiple tracks simultaneously might speed up the process.Unfortunately, there is no comparable way to build magnetic images from hard drives. The only certain way of making sure data from your hard drive is available, Pappas said, is to 'back up your hard drive.'

There is no one best way to ensure that critical data can be recovered in the event of a disaster or other IT failure. It depends on the type of data, how it is used and the threats it faces.

But the National Institute of Standards and Technology has put together an outline of techniques and technologies that should be considered in a data recovery program. Techniques for System and Data Recovery was published in 2002 but the advice still is relevant, said Joan Hash, director of security management assistance in NIST's Computer Security Division.

'We don't get technology-specific,' Hash said. 'The technology changes, but the general requirements don't.'

The bulletin does not offer a detailed plan but rather a 'quick reference primer on methods.' Hash warns that having a data recovery plan is not enough; success depends on execution.

'You really don't have a plan unless you can staff it and pay for it, and you really have to test it,' she said.

Elements to consider include:

Off-site storage. Critical data should be backed up and stored at an off-site location so a disaster that destroys the original does not also destroy the backup.

Formal policy. Create, document and enforce a policy on what data is to be backed up, how, when and where it is stored.

Testing. Procedures spelled out in the policy should be tested regularly.
System configuration. Although it might not always be achievable, recovery can be faster if hardware, software and peripherals are standardized throughout the organization.

Interoperability. It seems obvious, but backup devices must be compatible with operating systems and applications used in the recovery process.

Media. Choose the proper media for backing up data based on the amount of data involved, the frequency, retention and destruction policies, and recovery and transport requirements. Common media include diskettes, tape cartridges, removable media such as flash drives, CDs and network storage devices.

Type of backup. Decide whether you will be copying all your data or just recording changes since the last backup, and how it will be maintained.
Alternate sites. You can operate your own alternate site or use a commercial offering, but there are five basic site types: cold, which has the space and infrastructure but not the IT equipment you will need to use it; warm, a partially equipped site; hot, a fully equipped site; mobile, a self-contained unit that can be brought in as needed; and mirrored, a fully redundant facility with real-time information mirroring.

It's easier to back up data than recover it, but sometimes agencies have to do both























Recovery in the lab






































Learn from the FBI

























X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.