Evidence Storage

Evidence storage is an area of the data recovery or computer forensic laboratory scoping exercise that is often missed, being included only as an afterthought. This should not be the case. Even small digital forensics practices could, conceivably, within a year, and taking into account current data storage devices, require the capability of storing in excess of one petabyte of live evidence.

Two basic types of storage are required: live and archive. Live storage is required for active cases, while archive storage holds material that needs to be archived and preserved, typically for a mandated period of time. That period is largely determined by your record-keeping and evidentiary requirements, which are typically set on a per-jurisdiction basis. The typical amount of time is 7 years.

Live storage does not have to be high speed; however, it does need to be reliable and have good redundancy. Redundancy is essentially how many individual components can fail before a loss or corruption of data occurs. This is typically achieved by using a technology called RAID, which combines two or more disk drives into one logical unit. It then applies a combination of techniques – namely mirroring, striping and fault tolerance (error correction) – to achieve the desired level of protection versus throughput. One of the key benefits of this approach is that the technology is expandable and uses industry standards for storage. The purchase of proprietary “silver bullet” solutions or of extensions to existing technologies (such as RAID) can be problematic and should be avoided.
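The following added example (not part of the original text) illustrates striping with a single parity drive, one of the technique combinations RAID uses, and shows that redundancy here means exactly one drive can fail before data is lost. The strip size, the sample evidence bytes and the SHA-256 comparison used to confirm the rebuilt data are assumptions made for illustration.

```python
import hashlib
from functools import reduce

CHUNK = 4  # bytes per strip; tiny so the layout is easy to inspect (assumption)

def xor_bytes(blocks):
    """XOR equal-length byte strings together, column by column."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def stripe_with_parity(data, n_data):
    """Stripe data across n_data drives and append one dedicated parity drive."""
    stripe_len = CHUNK * n_data
    padded = data + b"\x00" * (-len(data) % stripe_len)
    disks = [bytearray() for _ in range(n_data + 1)]
    for off in range(0, len(padded), stripe_len):
        strips = [padded[off + i * CHUNK: off + (i + 1) * CHUNK] for i in range(n_data)]
        for disk, strip in zip(disks, strips):
            disk += strip
        disks[n_data] += xor_bytes(strips)  # parity strip for this stripe
    return [bytes(d) for d in disks]

def rebuild(disks):
    """Reconstruct at most one failed drive (marked None) from the survivors."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) > 1:
        raise ValueError("single parity cannot recover %d failed drives" % len(missing))
    disks = list(disks)
    if missing:
        survivors = [d for d in disks if d is not None]
        disks[missing[0]] = xor_bytes(survivors)  # any one drive = XOR of the rest
    return disks

def read_back(disks, length):
    """Reassemble the original byte stream from the data drives (parity is last)."""
    data_disks = disks[:-1]
    out = bytearray()
    for off in range(0, len(data_disks[0]), CHUNK):
        for d in data_disks:
            out += d[off:off + CHUNK]
    return bytes(out[:length])

def demo():
    evidence = b"constructed sample: sector dump from exhibit 001 " * 3
    before = hashlib.sha256(evidence).hexdigest()
    disks = stripe_with_parity(evidence, n_data=3)
    disks[1] = None  # simulate one failed drive
    after = hashlib.sha256(read_back(rebuild(disks), len(evidence))).hexdigest()
    return before == after  # True when the rebuilt data matches the original
```

A second simultaneous failure makes `rebuild` raise, which is the point at which a single-parity array loses data and a scheme with more redundancy is needed.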

The physical size of storage will have a significant impact on your electrical power supply requirements, and you must factor in power requirements for both the storage devices and environmental controls such as air conditioning.

