Slide background Have you recently received digital evidence?

Be careful not to compromise any future computer forensics claim. It is easy to act with best intentions, but speak to us first!

A guide to handling electronic data and digital files....

The ease with which electronic documents can be created, copied, distributed and stored, and the frequency with which networked computers are backed up, means that the volume of potentially relevant documents can be staggering. It is easy to compromise electronic data if it is not handled in the correct way.

As soon as you suspect that relevant data may exist on a device, do whatever is within your power to assure that it remains untouched. It is human nature to want to “check out” possible evidence, but doing so risks compromising the evidence. If the computer is on and there is any reason to believe it might be “booby trapped” to destroy data - if it is not shut down in a certain way, simply unplug the machine from the electrical source.

Which hard drive should I choose?

Seagate, Western Digital, Samsung, Hitachi - the list is endless. Your data is valuable. Shouldn't it be on the best hard drive?

Which are the most reliable hard drives...

When buying a hard drive, bear in mind that they are not all of the same quality. Some manufacturers spend a lot of time and effort on research and development, making sure they source the best quality parts. Others manufacture their hard drives using the cheapest parts and labour available. Even two drives with identical model numbers, could have been manufactured at opposite sides of the World using very different quality components.

To establish which are the best drives let’s look at Backblaze’s statistics. Backblaze is an online backup enabling users to back up their data to an offsite data centre. As you can imagine, they support hundreds of thousands of hard drives in RAID configurations and it is expensive for them when hard drives fail. Hence they keep detailed statistics.

Deleted VMWare VMDK – What should you do?

DTI Data Recovery receives several requests for data recovery quotes each and every day. Many times the quotes are self-explanatory and we can offer an accurate solution as well as an upfront price for almost any recovery. With that being said, there are times when a more complex solution is necessary and some additional information is needed in order to offer an accurate quote and estimate the possibility of recovery. One of these instances is the deletion of data, any data. The possibility of recovery hinges on so many factors that a phone conversation is normally necessary in order to gather more information and make sure that the Deleted VMWare VMDK can be recovered.

Some of the most complex situations when dealing with deleted data involves virtual technology. Although this technology has been a real life safer when it comes to optimizing hardware resources it is a real nightmare when it comes to unraveling the mystery that involves a deleted VMWare VMDK. That being said, I received a request for a deleted VMWare VMDK recovery quote  recently. The person inquiring could not be contacted by phone so I could not speak to them. The description of the problem was so vague that I decided to send a list of questions that would enable me to make an educated and informed assessment of the recovery as well as the pricing for that recovery. The following are those questions and the reasons why they were asked. The questions were designed for a VMWare server.

1. What version of ESXi are you running on the server?
This is important in as much as some of the older versions of ESXi had file size limitations. In addition there are some utility functions for more recent versions that do not exist on the older versions of the operating system. These types of version discrepancies can and do affect the possibility of recovery.

2. Was the VM set up as thick or thin provision?
When a VKDK file is deleted then the storage map for that particular file is destroyed. There are times when a low level forensic scan is necessary to try and piece together the file. If the original VMDK is ‘thin’ provision then that means the file is compressed and allocated on an as needed basis. Thin provision can be difficult to recover if the actual block map for the file has been destroyed due to a deletion. Whereas ‘thick’ provision allocates the full size of the VMDL and can be treated like any other operating system partition.

Backing up SQL Server

SQL Server backup and recovery procedures must be in place before a database crash occurs -- or precious data and company time will be lost. This comprehensive checklist will help you set up, safeguard and test your backups.

The key to a successful recovery in the event of a database crash -- or worse yet -- a system crash, is to have the key elements for SQL Server backups in place. SQL Server offers many options for performing backups and the following checklist highlights some of the more important options to think about. This list is a comprehensive starting point for getting your backups in place, safeguarding your backups and testing. Take the time to understand all of the components. It will go a long way toward safeguarding your company's most prized asset and removing the possibility of data loss from the equation.

Select recovery model

The first thing you need to do is figure out which recovery model you will use for your databases. This option is set for each database on your server and can be set using Enterprise Manager or T-SQL. This starting point will determine the type of backups you will run and the type of restores you can run. SQL Server has three different recovery models: Simple, Full and Bulk-Logged. To learn more about recovery models, refer to this tip: Selecting a SQL Server recovery model.

Select backup options

Next, determine what types of backup you will run. SQL Server offers four backup variations: Full, Differential, Log and File and Filegroup. Each backup option offers different levels of recoverability; the options are also based on the recovery model you select. To maximize backup and restore times, the best option to choose is a mix of Full, Differential and Transaction Log backups. This will ensure you have the ability to do point-in-time recoveries, and it minimizes the number of files to restore in case of a failure. To learn more about backup options, refer to this tip: Selecting a SQL Server backup model.

Determine backup schedule

Once you have decided on backup options to use for your databases, you can set up a schedule of when your backups will run. A good rule of thumb is to run your Full backups during off hours or very low peak times. The scheduled time of the Full backup then determine when you will run your Differential and Transaction Log Backups. If you are not sure when to run each type of backup, a good practice would be to run Full backups daily, Differentials every three hours and Transaction Log backups every 15 minutes. Each environment is different, so you should set these options based on the acceptable amount of data loss in case of a failure.

Recover the master database in SQL Server

If the master database fails, Microsoft SQL Server can be brought to its knees. See how to recognize this event and learn the steps for recovering the master database using the Enterprise Manager and the Query Analyzer.

As a Microsoft SQL Server administrator, you must know how to recover a corrupt master database. The master database stores your logins and, most importantly, the pointers to all of your databases. Without the master database, you can't successfully start SQL Server. I'm going to walk you through the process of recovering the master database in the event of corruption and show you how to rebuild the master database, if necessary.

Have a plan

It is important to have a plan for dealing with the corruption and/or failure of your master database. That will help you follow a methodical approach when disaster strikes, rather than acting too quickly under pressure. I have been in many situations where it would have been easy to panic, but I've managed to weather the storm by remaining calm and following the proper methodology when dealing with a problem.