Using a SAN or NAS to Store Digital Evidence

Over the years the question of how to store digital forensic evidence has been raised many times.  Forensic examiners often ask how to properly use a Storage Area Network (SAN) or Network Attached Storage (NAS) device in a digital forensic laboratory.  Some of the main questions asked are: 1) How do you handle the sanitization of hard disks in a SAN/NAS array?  2) Are all hard drives periodically removed from the server, wiped, and then re-installed?  3)  While spillage of classified or contraband would likely necessitate some extraordinary efforts, what would be a “best practice” for cleaning a SAN/NAS not involving classified material or child pornography?  And 4)  Can you use a SAN/NAS if your laboratory is ASCLD/LAB accredited?

In my experience, hard drives for SAN/NAS devices should be forensically wiped prior to being placed into service. Once they are wiped, placed in the array, initialized, formatted, and put into a RAID, that is the last time you’ll wipe them (short of some maintenance issue, etc.). Forensically imaging directly to a SAN or NAS and then processing your cases off of the network storage device is a very nice way of doing business, particularly if you have the bandwidth to do so and a good backup solution.

The key to this issue is as much administrative as it is technical. You need to have solid policies in place that define naming conventions and ensure those policies are followed to the letter. You want your policy so granular that you indicate the directories, subdirectories, file names, etc. that is used for any evidence being stored on the SAN/NAS. You also need to make sure to do periodic reviews of how examiners are naming things and ensure that everything is stored exactly where it is supposed to be. The real issue here is the potential for cross-contamination of evidence. By creating good policy and following that policy, you help defeat this issue.

Obviously you want your SAN/NAS on your forensic LAN which is not connected to the Internet, further reducing the chances of malware, intrusion, or exfiltration of sensitive data. These steps further help you show the protection of data and reduce the likelihood of data contamination.

Other suggested technological controls would be to create separate partitions on your network storage device for each examiner and then use Access Control Lists (ACLs) to ensure that only the examiner and their supervisor/manager can access their respective partition. This again limits the scope of the issue and the potential for cross-contamination.

As for the question regarding sensitive or classified data – I think these are two different issues. For classified cases, generally you have a completely separate set of forensic computers and networking equipment that is accredited to operate in classified space. For example, you may have another LAN located within a limited area that only Secret/TS cleared individuals can physically access. This LAN is used to conduct forensics only on classified systems or classified material. You could have a SAN/NAS in the classified area as well, but it would only be used for the storage of classified information and the system would probably need a Certification & Accreditation package depending on your agency’s procedures. This should eliminate your classified spillage concern.

For unclassified but sensitive matter (Official Use Only, child exploitation images, etc.) those could still reside on your unclassified SAN/NAS. I would recommend having a partition for your forensic images (.dd, E01, etc.), partitions for your evidence files (Encase, FTK, exports, exhibits, etc.), and partitions for your forensic reports.

One area I was experimenting with a while managing a law enforcement digital forensics laboratory was a Data Classification process for exactly this situation. This wasn’t on a classified system, but an unclassified law enforcement network that processed a lot of child exploitation and other sensitive data. The idea is to place all of the sensitive data in a specific location (partition, physical disk, a separate SAN/NAS on the same LAN, etc.) and then monitor the usage and flow of traffic from that location. In addition to putting ACLs in place, this would provide you with alerting anytime data was placed in or removed from the sensitive location. This is also a great way for management to ensure information being accessed is on a need-to-know basis.

As far as the ASCLD/LAB question, I was a laboratory director for an ASCLD/LAB accredited LE forensics lab and can tell you that using a SAN is perfectly acceptable. ASCLD/LAB is more about making sure you have policies that match industry best practices and then following your own policy vice telling you how you must do business.

Related Posts

Comments (4)

Josh, great article. Question: I have custom built my own FRED and am looking at expanding the available disk space for case images and am trying to decide between a USB 3.0/3.1 Type-C DAS or go with a NAS.

Can you comment on your preference and the speed/performance bottlenecks between using both. I would be using FTK 6.1 and the NAS or DAS would be my case drive where the images would be copied to, then imported. So it would basically be my working/primary drive during forensic analysis.

Thanks in advance.

Hi Alissa,

Thanks for the comment and I am glad the article was useful. I don’t know what your infrastructure looks like, how many systems you may have accessing your data, or the criticality of your cases, all of which would make a difference in the solution you choose. If you have a single forensic system and just need a bunch of storage for your cases to be maintained then a USB 3.1 would be your fastest and most inexpensive solution. My recommendation would be to purchase a drive array though that supports RAID and make sure you have plenty of redundancy in the event of failure, particularly if you are not backing up your cases to any other array.

If you want to look at future growth and may need more out of an array than just storage, then I would suggest a NAS or SAN. For a smaller shop, I would recommend something like the Synology NAS arrays with 4+ drive bays and a RAID configuration. Most likely your FRED has a 1 Gbps NIC which is fast, but not as fast as the USB 3.1. It is plenty fast enough though for forensics. The other benefit of a NAS is the scalability and potential for future growth. For example, I often will run multiple virtual machines for forensics, all doing different tasks with the data at the same time to speed up my processing and analysis time. With a direct-attached storage device, it is much more difficult to share across multiple devices or operating systems. With a NAS on the same LAN, I can share the storage and data across all of my workstations.

A NAS is definitely the way to go if you want to grow your operations and work more like an enterprise than a one-person shop. These days, even with large hard drives, the Synology NAS’ are reasonably priced. I have ran a forensics lab both ways, with DAS and NAS/SAN and once I went to network storage I never wanted to go back. As for your question about speeds and bottlenecks, if you have Gb NICs with cat6 cables your networking speed is not going to be the issue. If you are using USB 3.1 for a DAS, the bus speed won’t be the issue either. Your problem is going to be memory on your forensic workstation and more importantly the i/o on the disk array you choose. I would buy the fastest drives you can afford and really try for flash drives. This will give you tremendous speed and flexibility.

Hopefully this helped. Feel free to ask any additional questions and good luck!


Really enjoyed this post.Thanks Again. Really Cool.

You are very welcome, thanks for the comment.

Leave a comment

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.