UNIT I - Introduction to Computer Forensics

Computer forensics involves the systematic examination of computer media to collect, preserve, analyze, and present evidence, which is crucial in criminal cases, civil disputes, and employment proceedings. It assists law enforcement by recovering deleted files, processing hidden files, and tracing digital artifacts. Additionally, computer forensics professionals provide various services, including data seizure, duplication, recovery, and expert testimony, ensuring the integrity and protection of evidence throughout the investigative process.

Uploaded by

njvanessa7
DEPARTMENT OF IT
COMPUTER FORENSICS
UNIT-1 INTRODUCTION

1.1 WHAT IS COMPUTER FORENSICS?

- Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence. In other words, computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence.
- Computer forensics is also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination.
- Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.

1.2 USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT

Computer forensics assists in law enforcement. This can include:

- Recovering deleted files such as documents, graphics, and photos.
- Searching unallocated space on the hard drive, places where an abundance of data often resides.
- Tracing artifacts, those tidbits of data left behind by the operating system. Our experts know how to find these artifacts and, more importantly, they know how to evaluate the value of the information they find.
- Processing hidden files (files that are not visible or accessible to the user) that contain past usage information. Often, this process requires reconstructing and analyzing the date codes for each file and determining when each file was created, last modified, last accessed, and when deleted.
- Running a string search for e-mail when no e-mail client is obvious.

1.3 COMPUTER FORENSICS ASSISTANCE TO HUMAN RESOURCES / EMPLOYMENT PROCEEDINGS

Computers can contain evidence in many types of human resources proceedings, including sexual harassment suits, allegations of discrimination, and wrongful termination claims. Evidence can be found in electronic mail systems, on network servers, and on individual employees' computers.

EMPLOYER SAFEGUARD PROGRAM

Employers must safeguard critical business information. An unfortunate concern today is the possibility that data could be damaged, destroyed, or misappropriated by a discontented individual. Before an individual is informed of their termination, a computer forensic specialist should come on-site and create an exact duplicate of the data on the individual's computer. In this way, should the employee choose to do anything to that data before leaving, the employer is protected. Damaged or deleted data can be replaced, and evidence can be recovered to show what occurred. This method can also be used to bolster an employer's case by showing the removal of proprietary information or to protect the employer from false charges made by the employee.

You should be equipped to find and interpret the clues that have been left behind. This includes situations where files have been deleted, disks have been reformatted, or other steps have been taken to conceal or destroy the evidence. For example, did you know?

- What Web sites have been visited?
- What files have been downloaded?
- When files were last accessed?
- Of attempts to conceal or destroy evidence?
- Of attempts to fabricate evidence?
- That the electronic copy of a document can contain text that was removed from the final printed version?
- That some fax machines can contain exact duplicates of the last several hundred pages received?
- That faxes sent or received via computer may remain on the computer indefinitely?
- That email is rapidly becoming the communications medium of choice for businesses?
- That people tend to write things in email that they would never consider writing in a memorandum or letter?
- That email has been used successfully in criminal cases as well as in civil litigation?
- That email is often backed up on tapes that are generally kept for months or years?
- That many people keep their financial records, including investments, on computers?

1.4 COMPUTER FORENSICS SERVICES

Computer forensics professionals should be able to successfully perform complex evidence recovery procedures with the skill and expertise that lends credibility to your case. For example, they should be able to perform the following services:

1. DATA SEIZURE
- Following federal guidelines, computer forensics experts should act as the representative, using their knowledge of data storage technologies to track down evidence. The experts should also be able to assist officials during the equipment seizure process.

2. DATA DUPLICATION/PRESERVATION
- When one party must seize data from another, two concerns must be addressed:
  + the data must not be altered in any way
  + the seizure must not put an undue burden on the responding party
- The computer forensics experts should acknowledge both of these concerns by making an exact duplicate of the needed data.
- When experts work on the duplicate data, the integrity of the original is maintained.

3. DATA RECOVERY
- Using proprietary tools, your computer forensics experts should be able to safely recover and analyze otherwise inaccessible evidence.
- The ability to recover lost evidence is made possible by the expert's advanced understanding of storage technologies.

4. DOCUMENT SEARCHES
- Computer forensics experts should also be able to search over 200,000 electronic documents in seconds rather than hours.
- The speed and efficiency of these searches make the discovery process less complicated and less intrusive to all parties involved.

5. MEDIA CONVERSION
- Computer forensics experts should extract the relevant data from old and unreadable devices, convert it into readable formats, and place it onto new storage media for analysis.

6. EXPERT WITNESS SERVICES
- Computer forensics experts should be able to explain complex technical processes in an easy-to-understand fashion.
- This should help judges and juries comprehend how computer evidence is found, what it consists of, and how it is relevant to a specific situation.

7. COMPUTER EVIDENCE SERVICE OPTIONS
Computer forensics experts should offer various levels of service, each designed to suit your individual investigative needs. For example, they should be able to offer the following services:
- Standard service: Computer forensics experts should be able to work on your case during normal business hours until your critical electronic evidence is found.
- On-site service: Computer forensics experts should be able to travel to your location to perform complete computer evidence services. While on-site, the experts should quickly be able to produce exact duplicates of the data storage media in question.
- Emergency service: Your computer forensics experts should be able to give your case the highest priority in their laboratories. They should be able to work on it without interruption until your evidence objectives are met.
- Priority service: Dedicated computer forensics experts should be able to work on your case during normal business hours (8:00 A.M. to 5:00 P.M., Monday through Friday) until the evidence is found. Priority service typically cuts your turnaround time in half.
- Weekend service: Computer forensics experts should be able to work from 8:00 A.M. to 5:00 P.M., Saturday and Sunday, to locate the needed electronic evidence and will continue working on your case until your evidence objectives are met.

8. OTHER MISCELLANEOUS SERVICES
Computer forensics experts should also be able to provide extended services.
These services include:
- Analysis of computers and data in criminal investigations
- On-site seizure of computer data in criminal investigations
- Analysis of computers and data in civil litigation
- On-site seizure of computer data in civil litigation
- Analysis of company computers to determine employee activity
- Assistance in preparing electronic discovery requests
- Reporting in a comprehensive and readily understandable manner
- Court-recognized computer expert witness testimony
- Computer forensics on both PC and Mac platforms
- Fast turnaround time

1.5 BENEFITS OF PROFESSIONAL FORENSIC METHODOLOGY

A knowledgeable computer forensics professional should ensure that a subject computer system is carefully handled to ensure that:

1. No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer.
2. No possible computer virus is introduced to a subject computer during the analysis process.
3. Extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
4. A continuing chain of custody is established and maintained.
5. Business operations are affected for a limited amount of time, if at all.
6. Any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged.

1.6 STEPS TAKEN BY COMPUTER FORENSICS SPECIALISTS

The computer forensics specialist should take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject's computer system. For example, the following steps should be taken:

1. Protect the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction.
2. Discover all files on the subject system.
   This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
3. Recover all discovered deleted files.
4. Reveal the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
5. Access the contents of protected or encrypted files.
6. Analyze all possibly relevant data found in special areas of a disk. This includes but is not limited to what is called unallocated space on a disk, as well as slack space in a file (the remnant area at the end of a file in the last assigned disk cluster, that is unused by current file data, but once again, may be a possible site for previously created and relevant evidence).
7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data.
8. Provide an opinion of the system layout; the file structures discovered; any discovered data and authorship information; any attempts to hide, delete, protect, and encrypt information; and anything else that has been discovered and appears to be relevant to the overall computer system examination.
9. Provide expert consultation and/or testimony, as required.

TYPES OF COMPUTER FORENSIC TECHNOLOGY

1.7 TYPES OF MILITARY COMPUTER FORENSIC TECHNOLOGY

- Key objectives of cyber forensics include rapid discovery of evidence, estimation of potential impact of the malicious activity on the victim, and assessment of the intent and identity of the perpetrator.
- Real-time tracking of potentially malicious activity is especially difficult when the pertinent information has been intentionally hidden, destroyed, or modified in order to elude discovery.
- National Law Enforcement and Corrections Technology Center (NLECTC) works with criminal justice professionals to identify urgent and emerging technology needs.
- NLECTC centers demonstrate new technologies, test commercially available technologies, and publish results, linking research and practice.
- National Institute of Justice (NIJ) sponsors research and development or identifies best practices to address those needs.
- The information directorate entered into a partnership with the NIJ via the auspices of the NLECTC, to test the new ideas and prototype tools. The Computer Forensics Experiment 2000 (CFX-2000) resulted from this partnership.

COMPUTER FORENSIC EXPERIMENT-2000 (CFX-2000)

- CFX-2000 is an integrated forensic analysis framework.
- The central hypothesis of CFX-2000 is that it is possible to accurately determine the motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber terrorists by deploying an integrated forensic analysis framework.
- The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf software and directorate-sponsored R&D prototypes. CFX includes the SI-FI integration environment.
- The Synthesizing Information from Forensic Investigations (SI-FI) integration environment supports the collection, examination, and analysis processes employed during a cyber-forensic investigation.
- The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamperproof containers used to store digital evidence.
- Investigators can seal evidence in the DEBs and use the SI-FI implementation to collaborate on complex investigations.
- Authorized users can securely reopen the DEBs for examination, while automatic audit of all actions ensures the continued integrity of their contents.
- The teams used other forensic tools and prototypes to collect and analyze specific features of the digital evidence, perform case management and time lining of digital events, automate event link analysis, and perform steganography detection.
- The results of CFX-2000 verified that the hypothesis was largely correct and that it is possible to ascertain the intent and identity of cyber criminals.
- As electronic technology continues its explosive growth, researchers need to continue vigorous R&D of cyber forensic technology in preparation for the onslaught of cyber reconnaissance probes and attacks.

[Figure; recoverable labels: Multi-dimensional Crime Scenario, Evidence Creation, Advanced Cyber-Crime Methods, Lessons Learned]

1.8 TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC TECHNOLOGY

Computer forensics tools and techniques have become important resources for use in internal investigations, civil lawsuits, and computer security risk management. Law enforcement and military agencies have been involved in processing computer evidence for years.

Computer Evidence Processing Procedures

Processing procedures and methodologies should conform to federal computer evidence processing standards.

1. Preservation of Evidence
- Computer evidence is fragile and susceptible to alteration or erasure by any number of occurrences.
- Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.
- Black box computer forensics software tools are good for some basic investigation tasks, but they do not offer a full computer forensics solution.
- SafeBack software overcomes some of the evidence weaknesses inherent in black box computer forensics approaches.
- SafeBack technology has become a worldwide standard in making mirror image backups since 1990.

TROJAN HORSE PROGRAMS
- The computer forensic expert should be able to demonstrate his or her ability to avoid destructive programs and traps that can be planted by computer users bent on destroying data and evidence.
- Such programs can also be used to covertly capture sensitive information, passwords, and network logons.

COMPUTER FORENSICS DOCUMENTATION
- Without proper documentation, it is difficult to present findings.
- If the security or audit findings become the object of a lawsuit or a criminal investigation, then documentation becomes even more important.

FILE SLACK
- Slack space in a file is the remnant area at the end of a file in the last assigned disk cluster, that is unused by current file data, but once again, may be a possible site for previously created and relevant evidence.
- Techniques and automated tools that are used by the experts to capture and evaluate file slack.

DATA-HIDING TECHNIQUES
- Trade secret information and other sensitive data can easily be secreted using any number of techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk drive partitions. Computer forensic experts should understand such issues and tools that help in the identification of such anomalies.

E-COMMERCE INVESTIGATIONS
- Net Threat Analyzer can be used to identify past Internet browsing and email activity done through specific computers. The software analyzes a computer's disk drives and other storage areas that are generally unknown to or beyond the reach of most general computer users. Net Threat Analyzer is available free of charge to computer crime specialists, school officials, and police.

DUAL-PURPOSE PROGRAMS
- Programs can be designed to perform multiple processes and tasks at the same time. Computer forensics experts must have hands-on experience with these programs.
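
The file slack definition above (the remnant area at the end of a file in its last assigned cluster) can be made concrete on a small constructed volume. The following Python is an added example, not part of the original notes; the flat cluster layout, the directory table and all sample data are assumptions of the example.

```python
"""Added illustration: finding and searching file slack in a raw volume image.

Constructed model (an assumption of this example, not a real file system):
fixed-size clusters, contiguous files, and a directory that maps each file
name to (first_cluster, size_in_bytes).
"""
import math
import re

CLUSTER = 512  # bytes per cluster in the constructed volume

# Simple e-mail address pattern used as the search target.
EMAIL = re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def slack_range(first_cluster, size, cluster=CLUSTER):
    """Return (start, end) byte offsets of the slack behind a file's data.

    The range is empty when the file is empty or ends on a cluster boundary.
    """
    allocated = math.ceil(size / cluster)        # clusters assigned to the file
    start = first_cluster * cluster + size       # first byte after the file data
    end = (first_cluster + allocated) * cluster  # end of the last assigned cluster
    return start, end


def printable_strings(data, min_len=6):
    """ASCII runs of at least min_len characters, like the strings utility."""
    pattern = re.compile(rb"[ -~]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def slack_report(volume, directory, pattern=EMAIL):
    """For every file, extract its slack and list strings and pattern hits."""
    report = {}
    for name, (first_cluster, size) in sorted(directory.items()):
        start, end = slack_range(first_cluster, size)
        slack = bytes(volume[start:end])
        report[name] = {
            "offset": start,
            "slack_bytes": len(slack),
            "strings": printable_strings(slack),
            "hits": [m.group().decode("ascii") for m in pattern.finditer(slack)],
        }
    return report


def build_sample():
    """Constructed sample: a deleted memo whose clusters were reused."""
    volume = bytearray(4 * CLUSTER)
    memo = b"MEMO-0042 transfer approved by j.doe@example.com\n"
    old = (memo * 21)[: 2 * CLUSTER]               # deleted file filled clusters 1-2
    volume[CLUSTER:CLUSTER + len(old)] = old
    new = (b"Lunch menu for Monday\n" * 40)[:700]  # shorter file reuses cluster 1
    # Assumption: the write touches only the new file's own bytes.
    volume[CLUSTER:CLUSTER + len(new)] = new
    directory = {"menu.txt": (1, 700), "empty.txt": (3, 0)}
    return volume, directory


if __name__ == "__main__":
    vol, files = build_sample()
    for name, info in slack_report(vol, files).items():
        print(name, info["offset"], info["slack_bytes"], info["hits"])
        for s in info["strings"]:
            print("   ", s)
```

The live content of menu.txt contains no e-mail address; every hit comes from the 324 bytes behind it that still hold the deleted memo.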

TEXT SEARCH TECHNIQUES
- Tools that can be used to find targeted strings of text in files, file slack, unallocated file space, and Windows swap files.

FUZZY LOGIC TOOLS USED TO IDENTIFY UNKNOWN TEXT
- Computer evidence searches require that the computer specialist know what is being searched for. Many times not all is known about what may be stored on a given computer system.
- In such cases, fuzzy logic tools can provide valuable leads as to how the subject computer was used.

2. Disk Structure
- Computer forensic experts must understand how computer hard disks and floppy diskettes are structured and how computer evidence can reside at various levels within the structure of the disk.
- They should also demonstrate their knowledge of how to modify the structure and hide data in obscure places on floppy diskettes and hard disk drives.

3. Data Encryption
- Computer forensic experts should become familiar with the use of software to crack security associated with the different file structures.

4. Matching a Diskette to a Computer
- Specialized techniques and tools that make it possible to conclusively tie a diskette to a computer that was used to create or edit files stored on it. Computer forensic experts should become familiar with how to use special software tools to complete this process.

5. Data Compression
- Computer forensic experts should become familiar with how compression works and how compression programs can be used to hide and disguise sensitive data, and also learn how password-protected compressed files can be broken.

6. Erased Files
- Computer forensic experts should become familiar with how previously erased files can be recovered by using DOS programs and by manually using data-recovery techniques, and should be familiar with cluster chaining.

7. Internet Abuse Identification and Detection
- Computer forensic experts should become familiar with how to use specialized software to identify how a targeted computer has been used on the Internet.
- This process will focus on computer forensics issues tied to data that the computer user probably doesn't realize exists (file slack, unallocated file space, and Windows swap files).

8. The Boot Process and Memory Resident Programs
- Computer forensic experts should become familiar with how the operating system can be modified to change data and destroy data at the whim of the person who configured the system.
- Such a technique could be used to covertly capture keyboard activity from corporate executives, for example. For this reason, it is important that the experts understand these potential risks and how to identify them.

1.9 TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY

The following are different types of business computer forensics technology:

REMOTE MONITORING OF TARGET COMPUTERS
- Data Interception by Remote Transmission (DIRT) is a powerful remote control monitoring tool that allows stealth monitoring of all activity on one or more target computers simultaneously from a remote command center.
- No physical access is necessary. The application also allows agents to remotely seize and secure digital evidence prior to physically entering suspect premises.

CREATING TRACKABLE ELECTRONIC DOCUMENTS
- Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection tool that allows users to create trackable electronic documents.
- BAIT identifies (including their location) unauthorized intruders who access, download, and view these tagged documents.
- BAIT also allows security personnel to trace the chain of custody and chain of command of all who possess the stolen electronic documents.
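
Chain-of-custody tracing, as mentioned above, and the audited digital evidence bags of section 1.7 both depend on a record that shows when it has been altered. The following Python is an added example, not part of the original notes and not the SI-FI or DEB format; the EvidenceBag class, its fields and the sample values are assumptions.

```python
"""Added illustration: a sealed evidence container with a hash-chained audit log.

Not the SI-FI/DEB format; the class name, fields and sample values are
assumptions made for this example.
"""
import hashlib
import json


def _digest(obj):
    """SHA-256 over a canonical JSON encoding of obj."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode("utf-8")).hexdigest()


class EvidenceBag:
    FIELDS = ("seq", "action", "actor", "time", "prev")

    def __init__(self, case_id, item, data, examiner, when):
        self._data = bytes(data)
        # The header fixes the content digest at sealing time.
        self.header = {
            "case": case_id,
            "item": item,
            "size": len(self._data),
            "sha256": hashlib.sha256(self._data).hexdigest(),
        }
        self.log = []
        self._record("seal", examiner, when)

    def _record(self, action, actor, when):
        # Each entry commits to the previous one; the first commits to the header.
        prev = self.log[-1]["entry_hash"] if self.log else _digest(self.header)
        body = {"seq": len(self.log), "action": action, "actor": actor,
                "time": when, "prev": prev}
        self.log.append(dict(body, entry_hash=_digest(body)))

    def head(self):
        """Hash of the latest audit entry; record it outside the container."""
        return self.log[-1]["entry_hash"]

    def open(self, actor, when):
        """Log the access first, then release a copy only if everything verifies."""
        self._record("open", actor, when)
        problems = self.verify()
        if problems:
            raise ValueError("; ".join(problems))
        return bytes(self._data)

    def verify(self, expected_head=None):
        """Return a list of problems; an empty list means content and log agree."""
        problems = []
        if hashlib.sha256(self._data).hexdigest() != self.header["sha256"]:
            problems.append("content digest mismatch")
        prev = _digest(self.header)
        for i, entry in enumerate(self.log):
            body = {k: entry.get(k) for k in self.FIELDS}
            if (entry.get("seq") != i or entry.get("prev") != prev
                    or entry.get("entry_hash") != _digest(body)):
                problems.append("audit entry %d broken" % i)
                break
            prev = entry["entry_hash"]
        # Removing the newest entries leaves a valid chain, so compare the head
        # with the value that was written down elsewhere.
        if expected_head is not None and (not self.log or self.head() != expected_head):
            problems.append("audit log head differs from recorded value")
        return problems


if __name__ == "__main__":
    # Constructed sample values.
    bag = EvidenceBag("CASE-001", "disk-image-01", b"constructed sample bytes",
                      "examiner-a", "2024-01-01T09:00:00Z")
    bag.open("analyst-b", "2024-01-02T10:00:00Z")
    print(bag.verify(bag.head()))
```

A hash chain alone does not reveal removal of the latest entries, which is why the head value is recorded outside the container (for example on the custody form) and passed to verify.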

THEFT RECOVERY SOFTWARE FOR LAPTOPS AND PCS
- What it really costs to replace a stolen computer:
  + The price of the replacement hardware and software.
  + The cost of recreating data, lost production time or instruction time, reporting and investigating the theft, filing police reports and insurance claims, increased insurance, processing and ordering replacements, cutting a check, and the like.
  + The loss of customer goodwill.
  + If a thief is ever caught, the cost of time involved in prosecution.
- PC PHONEHOME
  + PC PhoneHome is a software application that will track and locate a lost or stolen PC or laptop anywhere in the world. It is easy to install. It is also completely transparent to the user.
  + If your PC PhoneHome-protected computer is lost or stolen, all you need to do is make a report to the local police and call CD's 24-hour command center. CD's recovery specialists will assist local law enforcement in the recovery of your property.

FORENSIC SERVICES AVAILABLE
Services include but are not limited to:
- Lost password and file recovery
- Location and retrieval of deleted and hidden files
- File and email decryption
- Email supervision and authentication
- Threatening email traced to source
- Identification of Internet activity
- Computer usage policy and supervision
- Remote PC and network monitoring
- Tracking and location of stolen electronic files
- Honeypot sting operations
- Location and identity of unauthorized software users
- Theft recovery software for laptops and PCs
- Investigative and security software creation
- Protection from hackers and viruses

COMPUTER FORENSIC EVIDENCE & CAPTURE

1.10 Data Recovery Defined

Data recovery is the process in which highly trained engineers evaluate and extract data from damaged media and return it in an intact format. Many people, even computer experts, fail to recognize data recovery as an option during a data crisis. But it is possible to retrieve files that have been deleted and passwords that have been forgotten, or to recover entire hard drives that have been physically damaged.

1.11 Data Back-up and Recovery

Back-up Obstacles
- Back-up window: The back-up window is the period of time when back-ups can be run. The back-up window is generally timed to occur during nonproduction periods when network bandwidth and CPU utilization are low.
- Network bandwidth: If a network cannot handle the impact of transporting hundreds of gigabytes of data over a short period of time, the organization's centralized backup strategy is not viable.
- System throughput: Three I/O bottlenecks are commonly found in traditional backup schemes. These are:
  1. The ability of the system being backed up to push data to the backup server
  2. The ability of the backup server to accept data from multiple systems simultaneously
  3. The available throughput of the tape device(s) onto which the data is moved
- Lack of resources: Many companies fail to make appropriate investments in data protection until it is too late.

1.12 The Role of Back-up in Data Recovery

There are many factors that affect back-up. For example:
- Storage costs are decreasing: The cost per megabyte of primary (online) storage has fallen dramatically over the past several years and continues to do so as disk drive technologies advance.
- Systems have to be on-line continuously: Because systems must be continuously online, the dilemma becomes that you can no longer take files offline long enough to perform backup.
- The role of back-up has changed: The role of backup now includes the responsibility for recovering user errors and ensuring that good data has been saved and can quickly be restored.

CONVENTIONAL TAPE BACK-UP IN TODAY'S MARKET
- A typical tape management system consists of a dedicated workstation with the front-end interfaced to the network and the back-end controlling a repository of tape devices.
  The media server runs tape management software. It can administer backup devices throughout an enterprise and can run continuous parallel backups and restores.
- An alternative to tape backup is to physically replicate or mirror all data and keep two copies online at all times. The advantage is that the data does not have to be restored, so there are no issues with immediate data availability.

ISSUES WITH TODAY'S BACK-UP
- NETWORK BACKUP creates network performance problems. Using the production network to carry backup data, as well as for normal user data access, can severely overburden today's busy network resources.
- OFFLINE BACKUP affects data accessibility. The time that the host is offline for data backup must be minimized. This requires extremely high-speed, continuous parallel backup of the raw image of the data.
- LIVE BACKUPS allow data access during the backup process but affect performance. The downside to the live backup is that it puts a tremendous burden on the host.
- MIRRORING doesn't protect against user error and replication of bad data. Fully replicated online data sounds great, albeit at twice the cost per megabyte of a single copy of online data.

NEW ARCHITECTURES AND TECHNIQUES ARE REQUIRED
- Backup at extremely high speed is required. Recovery must be available at file level. The time that systems are off-line for back-up must be eliminated.
- Remote hot recovery sites are needed for immediate resumption of data access. Backup of critical data is still required to ensure against data errors and user errors.
- To achieve effective backup and recovery, the decoupling of data from its storage space is needed.
- It is necessary to develop techniques to journal modified pages, so that journaling can be invoked within the primary storage device, without host intervention.
- Part of the primary storage area must be set aside for data to be backed up. This area must be as large as the largest backup block.
- We should have fast nonrandom restoration of critical data.

1.13 The Data Recovery Solution

SHRINKING EXPERTISE, GROWING COMPLEXITY
a. The complex systems that have evolved over the past 30 years must be monitored, managed, controlled, and optimized. But most of the bright young graduates this term haven't had much exposure to mainframe concepts.
b. Backups often take place while an application is running. Application changes take place on the fly. If an outage occurs, the company stands to lose tens of thousands of dollars an hour.

FAILURES
Disk storage is more reliable than ever, but hardware failures are still possible. A simple mistake can be made by an application programmer, system programmer, or operations person. Logic errors in programs or application of the wrong update at the wrong time can result in a system crash or worse. Disasters do really occur! Floods, tornadoes, earthquakes, tsunamis, and even terrorism can and do strike. We must be ready.

BUDGETS AND DOWNTIME
We have fewer resources (people, processing power, time, and money) to do more work than ever before, and we must keep your expenses under control. Systems must remain available to make money and serve customers. Downtime is much too expensive to be tolerated.

RECOVERY: THINK BEFORE YOU BACK-UP
One of the most critical data-management tasks involves recovering data in the event of a problem. You must evaluate your preparations, make sure that all resources are available in usable condition, automate processes as much as possible, and make sure you have the right kind of resources.

Evaluate your preparation
If all of the resources (image copies, change accumulations, and logs) are available at recovery time, these preparations certainly allow for a standard recovery. Finding out at recovery time that some critical resource is missing can be disastrous!

Don't let your resources fall through the cracks
Identifying different types of conditions is critical to ensuring a successful recovery. Checking your assets to make sure they're ready should be part of your plan.

Automated Recovery
With proper planning and automation, recovery is made possible, reliance on specific personnel is reduced, and the human-error factor is nearly eliminated. Data integrity and your business rely on building recovery job control language (JCL). In the event of a disaster, the Information Management System (IMS) recovery control (RECON) data sets must be modified in preparation for the recovery. Cleaning your RECON data sets can take hours if done manually, and it's an error-prone process.

Make Recoveries Efficient
Multithreading tasks shorten the recovery process. Recovering multiple databases with one pass through your log data certainly will save time. Taking image copies, rebuilding indexes, and validating pointers concurrently with the recovery process further reduce downtime.

Take Back-ups
The first step to a successful recovery is the backup of your data. Your goal in backing up data is to do so quickly, efficiently, and usually with minimal impact to your customers. You might need only very brief outages to take instant copies of your data, or you might have intelligent storage devices that allow you to take a snapshot of your data. Both methods call for tools to assist in the management of resources.

BACK-UP AND RECOVERY SOLUTION
BMC software has developed a model called the Back-up and Recovery Solution (BRS) for the Information Management System (IMS) product.

Image Copy
BRS contains an Image Copy component to help manage your image copy process. BRS can take batch, on-line (fuzzy), or incremental image copies; Snapshot copies; or Instant Snapshot copies.
The Image Copy component of BRS offers a variety of powerful features: dynamic allocation of all input and output data sets, stacking of output data sets, high-performance access methods (faster I/O), copying by volume, compression of output image copies, and database group processing, all while interfacing with DBRC and processing asynchronously.

Change Accumulation
The BRS Change Accumulation component takes advantage of multiple engines, large virtual storage resources, and high-speed channels and controllers that are available in many environments. Use of multiple task control block (TCB) structures enables overlapping of as much processing as possible, reducing both elapsed and CPU time.

Recovery
- The BRS Recovery component, which functionally replaces the IMS Database Recovery utility for full-function (DL/I) databases and data-entry databases (DEDBs), allows recovery of multiple databases with one pass of the log and change accumulation data sets while dynamically allocating all data sets required for recovery.
- BRS recovers multiple databases to any point in time. BRS can determine the best choice for a Point-in-Time (PIT) recovery. Full DBRS support includes:

RECOVERY MANAGER
- The Recovery Manager component lets you automate and synchronize recoveries across applications and databases by creating meaningful groups of related databases and creating optimized JCL to perform the recovery of these groups.
- The Recovery Manager component provides a positive response for the IMS commands that are used to deallocate and start your databases.
- The Recovery Manager component fully automates the process of cleaning the RECON data sets for restart following a disaster recovery.
- The Recovery Manager component also allows you to test your recovery strategy and notifies you when media errors have jeopardized your recovery resources.

POINTER CHECKING
BRS offers the capability to verify the validity of database pointers through the Concurrent Pointer Checking function for both full-function databases and Fast Path data-entry databases (DEDBs).

INDEX REBUILD
If indexes are ever damaged or lost, the Index Rebuild function of BRS allows you to rebuild them rather than recover them.

RECOVERY ADVISOR
The Recovery Advisor component of BRS allows you to monitor the frequency of your image copies and change accumulations. It helps you to determine whether all your databases are being backed up. By using any number of back-up and recovery tools available, you can better manage your world and be ready to recover!
