
Cfcs-Notes M1

Computer forensics is the systematic examination of computer media for evidence, crucial in criminal cases, civil disputes, and HR proceedings. It involves recovering deleted files, analyzing hidden data, and preserving evidence while ensuring the integrity of the original data. Professionals in this field provide various services, including data seizure, recovery, and expert witness testimony, while adhering to strict methodologies to protect evidence and maintain a chain of custody.

Uploaded by

vrashab.dev

DEPARTMENT OF COMPUTER ENGG.

INTRODUCTION
COMPUTER FORENSICS FUNDAMENTALS:

1.1 WHAT IS COMPUTER FORENSICS?

Computer forensics is the process of methodically examining computer media (hard
disks, diskettes, tapes, etc.) for evidence. In other words, computer forensics is the
collection, preservation, analysis, and presentation of computer-related evidence.
Computer forensics is also referred to as computer forensic analysis, electronic discovery,
electronic evidence discovery, digital discovery, data recovery, data discovery, computer
analysis, and computer examination.
Computer evidence can be useful in criminal cases, civil disputes, and human resources/
employment proceedings.

1.2 USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT

Computer forensics assists in Law Enforcement. This can include:

Recovering deleted files such as documents, graphics, and photos.

Searching unallocated space on the hard drive, places where an abundance of data often
resides.

Tracing artifacts, those tidbits of data left behind by the operating system. Our experts
know how to find these artifacts and, more importantly, they know how to evaluate the
value of the information they find.
Processing hidden files: files that are not visible or accessible to the user that contain
past usage information. Often, this process requires reconstructing and analyzing the date
codes for each file and determining when each file was created, last modified, last accessed
and when deleted.
Running a string-search for e-mail, when no e-mail client is obvious.

1.3 COMPUTER FORENSICS ASSISTANCE TO HUMAN RESOURCES / EMPLOYMENT PROCEEDINGS
Computers can contain evidence in many types of human resources proceedings, including
sexual harassment suits, allegations of discrimination, and wrongful termination claims.
Evidence can be found in electronic mail systems, on network servers, and on individual
computers.
EMPLOYER SAFEGUARD PROGRAM

Employers must safeguard critical business information. An unfortunate concern today is the
possibility that data could be damaged, destroyed, or misappropriated by a discontented
individual. Before an individual is informed of their termination, a computer forensic specialist
should come on-s
this way, should the employee choose to do anything to that data before leaving, the employer
is protected. Damaged or deleted data can be replaced, and evidence can be recovered to show
removal of proprietary information or to protect the employer from false charges made by the
employee. You should be equipped to find and interpret the clues that have been left behind.
This includes situations where files have been deleted, disks have been reformatted, or other
steps have been taken to conceal or destroy the evidence. For example, did you know?

What Web sites have been visited?

What files have been downloaded?

When files were last accessed?

Of attempts to conceal or destroy evidence?

Of attempts to fabricate evidence?

That the electronic copy of a document can contain text that was removed from the final
printed version?
That some fax machines can contain exact duplicates of the last several hundred pages
received?
That faxes sent or received via computer may remain on the computer indefinitely?

That email is rapidly becoming the communications medium of choice for businesses?

That people tend to write things in email that they would never consider writing in a
memorandum or letter?
That email has been used successfully in criminal cases as well as in civil litigation?

That email is often backed up on tapes that are generally kept for months or years?

That many people keep their financial records, including investments, on computers?

1.4 COMPUTER FORENSICS SERVICES


Computer forensics professionals should be able to successfully perform complex evidence
recovery procedures with the skill and expertise that lends credibility to your case.

For example, they should be able to perform the following services:

1. DATA SEIZURE

Following federal guidelines, computer forensics experts should act as the
representative, using their knowledge of data storage technologies to track down
evidence.
The experts should also be able to assist officials during the equipment seizure process.

2. DATA DUPLICATION/PRESERVATION

When one party must seize data from another, two concerns must be addressed:
the data must not be altered in any way
the seizure must not put an undue burden on the responding party
The computer forensics experts should acknowledge both of these concerns by making
an exact duplicate of the needed data.
When experts work on the duplicate data, the integrity of the original is maintained.

3. DATA RECOVERY

Using proprietary tools, your computer forensics experts should be able to safely recover
and analyze otherwise inaccessible evidence.
The ability to recover lost evidence is made possible by the advanced
understanding of storage technologies.

4. DOCUMENT SEARCHES

Computer forensics experts should also be able to search over 200,000 electronic
documents in seconds rather than hours.
The speed and efficiency of these searches make the discovery process less complicated
and less intrusive to all parties involved.

5. MEDIA CONVERSION

Computer forensics experts should extract the relevant data from old and un-readable
devices, convert it into readable formats, and place it onto new storage media for
analysis.

6. EXPERT WITNESS SERVICES

Computer forensics experts should be able to explain complex technical processes in an
easy-to-understand fashion.
This should help judges and juries comprehend how computer evidence is found, what it
consists of, and how it is relevant to a specific situation.

7. COMPUTER EVIDENCE SERVICE OPTIONS

Computer forensics experts should offer various levels of service, each designed to suit your
individual investigative needs. For example, they should be able to offer the following
services:

Standard service: Computer forensics experts should be able to work on your case
during normal business hours until your critical electronic evidence is found.
On-site service: Computer forensics experts should be able to travel to your location to
perform complete computer evidence services. While on-site, the experts should
quickly be able to produce exact duplicates of the data storage media in question.
Emergency service: Your computer forensics experts should be able to give your case
the highest priority in their laboratories. They should be able to work on it without
interruption until your evidence objectives are met.
Priority service: Dedicated computer forensics experts should be able to work on your
case during normal business hours (8:00 A.M. to 5:00 P.M., Monday through Friday)
until the evidence is found. Priority service typically cuts your turnaround time in half.
Weekend service: Computer forensics experts should be able to work from 8:00 A.M.
to 5:00 P.M., Saturday and Sunday, to locate the needed electronic evidence and will
continue working on your case until your
evidence objectives are met.

8. OTHER MISCELLANEOUS SERVICES

Computer forensics experts should also be able to provide extended services. These services
include:

Analysis of computers and data in criminal investigations

On-site seizure of computer data in criminal investigations

Analysis of computers and data in civil litigation.

On-site seizure of computer data in civil litigation

Analysis of company computers to determine employee activity

Assistance in preparing electronic discovery requests

Reporting in a comprehensive and readily understandable manner

Court-recognized computer expert witness testimony

Computer forensics on both PC and Mac platforms

Fast turnaround time.



1.5 BENEFITS OF PROFESSIONAL FORENSIC METHODOLOGY

A knowledgeable computer forensics professional should ensure that a subject computer
system is carefully handled to ensure that:

1. No possible evidence is damaged, destroyed, or otherwise compromised by the
procedures used to investigate the computer.
2. No possible computer virus is introduced to a subject computer during the analysis process.
3. Extracted and possibly relevant evidence is properly handled and protected from later
mechanical or electromagnetic damage.
4. A continuing chain of custody is established and maintained.
5. Business operations are affected for a limited amount of time, if at all.
6. Any client-attorney information that is inadvertently acquired during a forensic
exploration is ethically and legally respected and not divulged.

1.6 STEPS TAKEN BY COMPUTER FORENSICS SPECIALISTS


The computer forensics specialist should take several careful steps to identify and attempt to
retrieve poss
following steps should be taken:

1. Protect the subject computer system during the forensic examination from any possible
alteration, damage, data corruption, or virus introduction.
2. Discover all files on the subject system. This includes existing normal files, deleted yet
remaining files, hidden files, password-protected files, and encrypted files.
3. Recover all discovered deleted files.

4. Reveal the contents of hidden files as well as temporary or swap files used by both the
application programs and the operating system.
5. Access the contents of protected or encrypted files.

6. Analyze all possibly relevant data found in special areas of a disk. This includes but is
not limited to what is called unallocated space on a disk, as well as slack space in a file
(the remnant area at the end of a file in the last assigned disk cluster, that is unused by
current file data, but once again, may be a possible site for previously created and
relevant evidence).
7. Print out an overall analysis of the subject computer system, as well as a listing of all
possibly relevant files and discovered file data.
8. Provide an opinion of the system layout; the file structures discovered; any discovered
data and authorship information; any attempts to hide, delete, protect, and encrypt
information; and anything else that has been discovered and appears to be relevant to the
overall computer system examination.
9. Provide expert consultation and/or testimony, as required.

TYPES OF COMPUTER FORENSIC TECHNOLOGY


1.7 TYPES OF MILITARY COMPUTER FORENSIC TECHNOLOGY

Key objectives of cyber forensics include rapid discovery of evidence, estimation of
potential impact of the malicious activity on the victim, and assessment of the intent and
identity of the perpetrator.
Real-time tracking of potentially malicious activity is especially difficult when the
pertinent information has been intentionally hidden, destroyed, or modified in order to
elude discovery.
National Law Enforcement and Corrections Technology Center (NLECTC) works with
criminal justice professionals to identify urgent and emerging technology needs.
NLECTC centers demonstrate new technologies, test commercially available
technologies and publish results linking research and practice.
National Institute of Justice (NIJ) sponsors research and development or identifies best
practices to address those needs.
The information directorate entered into a partnership with the NIJ via the auspices of
the NLECTC, to test the new ideas and prototype tools. The Computer Forensics
Experiment 2000 (CFX-2000) resulted from this partnership.

COMPUTER FORENSIC EXPERIMENT-2000 (CFX-2000)

CFX-2000 is an integrated forensic analysis framework.

The central hypothesis of CFX-2000 is that it is possible to accurately determine the
motives, intent, targets, sophistication, identity, and location of cyber criminals and
cyber terrorists by deploying an integrated forensic analysis framework.
The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf
software and directorate-sponsored R&D prototypes. CFX includes the SI-FI integration
environment.
The Synthesizing Information from Forensic Investigations (SI-FI) integration
environment supports the collection, examination, and analysis processes employed
during a cyber-forensic investigation.
The SI-FI prototype uses digital evidence bags (DEBs), which are secure and
tamperproof containers used to store digital evidence.
Investigators can seal evidence in the DEBs and use the SI-FI implementation to
collaborate on complex investigations.

Authorized users can securely reopen the DEBs for examination, while automatic audit
of all actions ensures the continued integrity of their contents.
The teams used other forensic tools and prototypes to collect and analyze specific
features of the digital evidence, perform case management and time lining of digital
events, automate event link analysis, and perform steganography detection.
The results of CFX-2000 verified that the hypothesis was largely correct and that it is
possible to ascertain the intent and identity of cyber criminals.
As electronic technology continues its explosive growth, researchers need to continue
vigorous R&D of cyber forensic technology in preparation for the onslaught of cyber
reconnaissance probes and attacks.
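
The digital evidence bag idea described above (seal the evidence, let authorized users reopen it, audit every action automatically) can be sketched as follows. This is an added example, not the SI-FI prototype's code; the EvidenceBag class, its field names and the custody key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous" value for the first audit entry


class EvidenceBag:
    """Toy sealed container: content digest plus an HMAC-chained audit log."""

    def __init__(self, case_id, content, examiner, custody_key):
        self.case_id = case_id
        self._content = bytes(content)
        self._key = custody_key  # assumption: held only by the evidence custodian
        self.audit = []
        self._log(examiner, "seal")  # entry 0 records the sealed digest

    def _mac(self, entry):
        # Canonical JSON over every field except the MAC itself.
        body = {k: v for k, v in entry.items() if k != "mac"}
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _log(self, actor, action):
        entry = {
            "seq": len(self.audit),
            "case": self.case_id,
            "actor": actor,
            "action": action,
            "digest": hashlib.sha256(self._content).hexdigest(),
            # Each entry commits to the one before it, so edits break the chain.
            "prev": self.audit[-1]["mac"] if self.audit else GENESIS,
        }
        entry["mac"] = self._mac(entry)
        self.audit.append(entry)

    def open(self, actor, authorized):
        """Return a working copy; every attempt, allowed or not, is logged."""
        if actor not in authorized:
            self._log(actor, "open-denied")
            raise PermissionError(f"{actor} is not authorized for {self.case_id}")
        self._log(actor, "open")
        return bytes(self._content)  # examiners work on a copy, never the original

    def verify(self):
        """Return a list of integrity problems; an empty list means intact.

        Truncating the tail of the log is not detected here; a real system
        would also record the latest MAC somewhere outside the bag.
        """
        problems = []
        prev = GENESIS
        for i, entry in enumerate(self.audit):
            ok = (entry["seq"] == i and entry["prev"] == prev
                  and hmac.compare_digest(entry["mac"], self._mac(entry)))
            if not ok:
                problems.append(f"audit chain broken at entry {i}")
                break
            prev = entry["mac"]
        current = hashlib.sha256(self._content).hexdigest()
        if not self.audit or current != self.audit[0]["digest"]:
            problems.append("content does not match sealed digest")
        return problems


if __name__ == "__main__":
    key = b"constructed-demo-key"                # constructed sample value
    bag = EvidenceBag("CASE-001", b"constructed image bytes", "alice", key)
    bag.open("bob", {"alice", "bob"})
    print(bag.verify())                          # intact bag: no problems
    bag.audit[1]["actor"] = "alice"              # simulate an edited audit record
    print(bag.verify())
```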

1.8 TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC TECHNOLOGY

Computer forensics tools and techniques have become important resources for use in
internal investigations, civil lawsuits, and computer security risk management. Law
enforcement and military agencies have been involved in processing computer evidence for
years.

Computer Evidence Processing Procedures

Processing procedures and methodologies should conform to federal computer evidence
processing standards.

1. Preservation of Evidence
Computer evidence is fragile and susceptible to alteration or erasure by any number of
occurrences.

Computer evidence can be useful in criminal cases, civil disputes, and human resources/
employment proceedings.
Black box computer forensics software tools are good for some basic investigation
tasks, but they do not offer a full computer forensics solution.
SafeBack software overcomes some of the evidence weaknesses inherent in black box
computer forensics approaches.
SafeBack technology has become a worldwide standard in making mirror image backups
since 1990.
TROJAN HORSE PROGRAMS

The computer forensic expert should be able to demonstrate his or her ability to avoid
destructive programs and traps that can be planted by computer users bent on
destroying data and evidence.
Such programs can also be used to covertly capture sensitive information, passwords,
and network logons.

COMPUTER FORENSICS DOCUMENTATION


Without proper documentation, it is difficult to present findings.

If the security or audit findings become the object of a lawsuit or a criminal
investigation, then documentation becomes even more important.
FILE SLACK
Slack space in a file is the remnant area at the end of a file in the last assigned disk
cluster, that is unused by current file data, but once again, may be a possible site for
previously created and relevant evidence.
Techniques and automated tools that are used by the experts to capture and evaluate file
slack.

DATA-HIDING TECHNIQUES
Trade secret information and other sensitive data can easily be secreted using any
number of techniques. It is possible to hide diskettes within diskettes and to hide entire
computer hard disk drive partitions. Computer forensic experts should understand such
issues and tools that help in the identification of such anomalies.

E-COMMERCE INVESTIGATIONS

Net Threat Analyzer can be used to identify past Internet browsing and email activity
done through specific computers. The software ana
other storage areas that are generally unknown to or beyond the reach of most general
computer users. Net Threat Analyzer is available free of charge to computer crime
specialists, school officials, and police.
DUAL-PURPOSE PROGRAMS
Programs can be designed to perform multiple processes and tasks at the same time.
Computer forensics experts must have hands-on experience with these programs.

TEXT SEARCH TECHNIQUES


Tools that can be used to find targeted strings of text in files, file slack, unallocated file
space, and Windows swap files.
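
The file slack definition and the text search described above can be combined in one worked case. This is an added example, not taken from any of the tools named in these notes; it assumes a constructed raw image, a 4096-byte cluster size and a contiguously stored file, and every function name is hypothetical.

```python
import re

CLUSTER_SIZE = 4096  # assumed cluster size for the constructed image

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def slack_range(start_cluster, file_size, cluster_size=CLUSTER_SIZE):
    """Return (offset, length) of the slack after a contiguously stored file."""
    clusters = -(-file_size // cluster_size)  # ceiling division
    end_of_data = start_cluster * cluster_size + file_size
    end_of_alloc = (start_cluster + clusters) * cluster_size
    return end_of_data, end_of_alloc - end_of_data


def extract_slack(image, start_cluster, file_size, cluster_size=CLUSTER_SIZE):
    """Slice the slack bytes of one file out of a raw image."""
    offset, length = slack_range(start_cluster, file_size, cluster_size)
    return image[offset:offset + length]


def printable_strings(data, min_len=4):
    """Runs of printable ASCII, the same idea as a 'strings' pass."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_emails(data):
    """Unique e-mail addresses found in raw bytes, sorted."""
    return sorted({m.group().decode("ascii") for m in EMAIL_RE.finditer(data)})


def build_demo_image():
    """Constructed image: an old two-cluster file, then a shorter file
    written over the same clusters, leaving old bytes in the slack."""
    image = bytearray(8 * CLUSTER_SIZE)
    start = 2 * CLUSTER_SIZE
    old = bytearray(2 * CLUSTER_SIZE)
    memo = b"From: j.doe@example.com\r\nSubject: Q3 pricing draft\r\n"
    old[6000:6000 + len(memo)] = memo          # old data, 6000 bytes into the file
    image[start:start + len(old)] = old
    new_size = 5000                            # new file ends before the old memo
    image[start:start + new_size] = b"\x01" * new_size
    return bytes(image), 2, new_size           # image, start cluster, file size


if __name__ == "__main__":
    image, start_cluster, size = build_demo_image()
    offset, length = slack_range(start_cluster, size)
    slack = extract_slack(image, start_cluster, size)
    print(f"slack at offset {offset}, {length} bytes")
    print("strings:", printable_strings(slack))
    print("e-mail :", find_emails(slack))
```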
FUZZY LOGIC TOOLS USED TO IDENTIFY UNKNOWN TEXT

Computer evidence searches require that the computer specialist know what is being
searched for. Many times not all is known about what may be stored on a given
computer system.
In such cases, fuzzy logic tools can provide valuable leads as to how the subject computer
was used.

2. Disk Structure
Computer forensic experts must understand how computer hard disks and floppy
diskettes are structured and how computer evidence can reside at various levels within
the structure of the disk.
They should also demonstrate their knowledge of how to modify the structure and hide
data in obscure places on floppy diskettes and hard disk drives.

3. Data Encryption
Computer forensic experts should become familiar with the use of software to crack
security associated with the different file structures.

4. Matching a Diskette to a Computer
Specialized techniques and tools that make it possible to conclusively tie a diskette to a
computer that was used to create or edit files stored on it. Computer forensic experts
should become familiar with how to use special software tools to complete this process.
5. Data Compression
Computer forensic experts should become familiar with how compression works and
how compression programs can be used to hide and disguise sensitive data and also
learn how password-protected compressed files can be broken.
6. Erased Files
Computer forensic experts should become familiar with how previously erased files can
be recovered by using DOS programs and by manually using data-recovery techniques, and
should be familiar with cluster chaining.
7. Internet Abuse Identification and Detection
Computer forensic experts should become familiar with how to use specialized software
to identify how a targeted computer has been used on the Internet.
This process will focus on computer forensics issues tied to data that the computer user

files).
8. The Boot Process and Memory Resident Programs
Computer forensic experts should become familiar with how the operating system can
be modified to change data and destroy data at the whim of the person who configured
the system.
Such a technique could be used to covertly capture keyboard activity from corporate
executives, for example. For this reason, it is important that the experts understand
these potential risks and how to identify them.

1.9 TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY

The following are different types of business computer forensics technology:



REMOTE MONITORING OF TARGET COMPUTERS

Data Interception by Remote Transmission (DIRT) is a powerful remote control
monitoring tool that allows stealth monitoring of all activity on one or more target
computers simultaneously from a remote command center.
No physical access is necessary. The application also allows agents to remotely seize and
secure digital evidence prior to physically entering suspect premises.
CREATING TRACKABLE ELECTRONIC DOCUMENTS

Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection tool that
allows users to create trackable electronic documents.
BAIT identifies (including their location) unauthorized intruders who access, download,
and view these tagged documents.
BAIT also allows security personnel to trace the chain of custody and chain of
command of all who possess the stolen electronic documents.

THEFT RECOVERY SOFTWARE FOR LAPTOPS AND PCS

What it really costs to replace a stolen computer:

The price of the replacement hardware & software.

The cost of recreating data, lost production time or instruction time, reporting
and investigating the theft, filing police reports and insurance claims, increased
insurance, processing and ordering replacements, cutting a check, and the like.
The loss of customer goodwill.

If a thief is ever caught, the cost of time involved in prosecution.

PC PHONEHOME

PC PhoneHome is a software application that will track and locate a lost or stolen
PC or laptop anywhere in the world. It is easy to install. It is also completely
transparent to the user.

If your PC PhoneHome-protected computer is lost or stolen, all you need to do is


-
recovery specialists will assist local law enforcement in the recovery of your
property.

FORENSIC SERVICES AVAILABLE

Services include but are not limited to:

Lost password and file recovery

Location and retrieval of deleted and hidden files

File and email decryption

Email supervision and authentication

Threatening email traced to source

Identification of Internet activity

Computer usage policy and supervision

Remote PC and network monitoring

Tracking and location of stolen electronic files

Honeypot sting operations

Location and identity of unauthorized software users

Theft recovery software for laptops and PCs

Investigative and security software creation

Protection from hackers and viruses.



COMPUTER FORENSIC EVIDENCE & CAPTURE

1.10 Data Recovery Defined

Data recovery is the process in which highly trained engineers
evaluate and extract data from damaged media and return it in an intact format.

Many people, even computer experts, fail to recognize data recovery
as an option during a data crisis. But it is possible to retrieve files that have
been deleted and passwords that have been forgotten or to recover entire hard
drives that have been physically damaged.

1.11 Data Back-up and Recovery

Back-up Obstacles

Back-up Window: The back-up window is the period of time when
back-ups can be run. The back-up window is generally timed to occur during
nonproduction periods when network bandwidth and CPU utilization are low.

Network bandwidth: If a network cannot handle the impact of
transporting hundreds of gigabytes of data over a short period of time, the
centralized backup strategy is not viable.

System throughput: Three I/O bottlenecks are commonly found in
traditional backup schemes. These are

1. The ability of the system being backed up to push data to the backup
server

2. The ability of the backup server to accept data from multiple systems
simultaneously

3. The available throughput of the tape device(s) onto which the data is
moved

Lack of Resources: Many companies fail to make appropriate
investments in data protection until it is too late.

1.12 The Role of Back-up in Data Recovery

There are many factors that affect back-up. For example:

Storage costs are decreasing: The cost per megabyte of primary
(online) storage has fallen dramatically over the past several years and
continues to do so as disk drive technologies advance.

Systems have to be on-line continuously: Because systems must be
continuously online, the dilemma becomes that you can no longer take files
offline long enough to perform backup.

The role of Back-up has changed: The role of backup now includes
the responsibility for recovering user errors and ensuring that good data has
been saved and can quickly be restored.

CONVENTIONAL TAPE BACK-UP IN MARKET

A typical tape management system consists of a dedicated workstation
with the front-end interfaced to the network and the back-end controlling a
repository of tape devices. The media server runs tape management software.
It can administer backup devices throughout an enterprise and can run
continuous parallel backups and restores.

An alternative to tape backup is to physically replicate or mirror all
data and keep two copies online at all times. The advantage is that the data
does not have to be restored, so there are no issues with immediate data
availability.
ISSUES WITH BACK-UP

NETWORK BACKUP creates network performance problems.
Using the production network to carry backup data, as well as for normal user
data access, can severely overburden busy network resources.
OFFLINE BACKUP affects data accessibility. The time that the host
is offline for data backup must be minimized. This requires extremely high-speed,
continuous parallel backup of the raw image of the data.
LIVE BACKUPS allow data access during the backup process but
affect performance. The downside to the live backup is that it puts a
tremendous burden on the host.
MIRRORING
bad data. Fully replicated online data sounds great, albeit at twice the cost per
megabyte of a single copy of online data.

NEW ARCHITECTURES AND TECHNIQUES ARE REQUIRED

Backup at extremely high speed is required. Recovery must be
available at file level. The time that systems are off-line for back-up must be
eliminated.
Remote hot recovery sites are needed for immediate resumption of
data access. Backup of critical data is still required to ensure against data
errors and user errors.
To achieve effective backup and recovery, the decoupling of data from its storage
space is needed.

It is necessary to develop techniques to journal modified pages, so that
journaling can be invoked within the primary storage device, without host
intervention.
Part of the primary storage area must be set aside for data to be backed
up. This area must be as large as the largest backup block. We should have fast
nonrandom restoration of critical data.

1.13 The Data Recovery Solution


SHRINKING EXPERTISE, GROWING COMPLEXITY

a. The complex systems that have evolved over the past 30 years must be
monitored, managed, controlled, and optimized. But most of the bright

concepts.

b. Backups often take place while an application is running. Application
changes take place on the fly. If an outage occurs, the company stands
to lose tens of thousands of dollars an hour.
FAILURES:
Disk storage is more reliable than ever, but hardware failures are still possible. A simple
mistake can be made by an application programmer, system programmer, or operations person.
Logic errors in programs or application of the wrong update at the wrong time can result in a
system crash or worse. Disasters really do occur! Floods, tornadoes, earthquakes, tsunamis,
and even terrorism can strike. We must be ready.

BUDGETS AND DOWNTIME

We have fewer resources (people, processing power, time, and money) to do more work than
ever before, and we must keep your expenses under control. Systems must remain available to
make money and serve customers. Downtime is much too expensive to be tolerated.

RECOVERY: THINK BEFORE YOU BACK-UP

One of the most critical data-management tasks involves recovering data in the event of a
problem. You must evaluate your preparations, make sure that all resources are available in
usable condition, automate processes as much as possible, and make sure you have the right
kind of resources.

Evaluate your preparation

If all of the resources (image copies, change accumulations, and logs) are available at recovery
time, these preparations certainly allow for a standard recovery. Finding out at recovery time
that some critical resource is missing can be disastrous!
let your resources fall through the cracks
Identifying different types of conditions is critical to ensuring a successful recovery. Checking
your assets to make sure ready should be part of your plan.

Automated Recovery

With proper planning and automation, recovery is made possible, reliance on specific
personnel is reduced, and the human-error factor is nearly eliminated.

Data integrity and your business rely on building recovery job control language (JCL). In the
event of a disaster, the Information Management System (IMS) recovery control (RECON) data
sets must be modified in preparation for the recovery.

Cleaning your RECON data sets can take hours if done manually, and it is an error-prone process.

Make Recoveries Efficient

Multithreading tasks shorten the recovery process. Recovering multiple databases with one
pass through your log data certainly will save time. Taking image copies, rebuilding indexes,
and validating pointers concurrently with the recovery process further reduce downtime.

Take Back-ups

The first step to a successful recovery is the backup of your data. Your goal in backing up data
is to do so quickly, efficiently, and usually with minimal impact to your customers. You might
need only very brief outages to take instant copies of your data, or you might have intelligent
storage devices that allow you to take a snapshot of your data. Both methods call for tools to
assist in the management of resources.

BACK-UP AND RECOVERY SOLUTION

BMC software has developed a model called the Back-up and Recovery Solution (BRS) for the
Information Management System (IMS) product.

Image Copy

BRS contains an Image Copy component to help manage your image copy process.
BRS can take batch, on-line (fuzzy), or incremental image copies; Snapshot copies; or
Instant Snapshot copies.

The Image Copy component of BRS offers a variety of powerful features: dynamic allocation of
all input and output data sets, stacking of output data sets, high performance access methods
(faster I/O), copying by volume, compression of output image copies, and database group
processing, all while interfacing with DBRC and processing asynchronously.

Change Accumulation

The BRS Change Accumulation component takes advantage of multiple engines, large virtual
storage resources, and high-speed channels and controllers that are available in many
environments.

Use of multiple task control block (TCB) structures enables overlapping of as much processing
as possible, reducing both elapsed and CPU time.

Recovery

The BRS Recovery component, which functionally replaces the IMS Database
Recovery utility for full-function (DL/I) databases and data-entry databases (DEDBs),
allows recovery of multiple databases with one pass of the log and change accumulation
data sets while dynamically allocating all data sets required for recovery.

BRS recovers multiple databases to any point in time. BRS can determine the best
choice for a Point-in-Time (PIT) recovery. Full DBRS support includes:

RECOVERY MANAGER

Recovery Manager component lets you automate and synchronize recoveries
across applications and databases by creating meaningful groups of related databases and
creating optimized JCL to perform the recovery of these groups.
Recovery Manager component provides a positive response for the IMS
commands that are used to deallocate and start your databases.
Recovery Manager component fully automates the process of cleaning the
RECON data sets for restart following a disaster recovery.
Recovery Manager component also allows you to test your recovery strategy and
notifies you when media errors have jeopardized your recovery resources.
POINTER CHECKING

BRS offers the capability to verify the validity of database pointers through the Concurrent
Pointer Checking function for both full-function databases and Fast Path data-entry databases
(DEDBs).

INDEX REBUILD

If indexes are ever damaged or lost, the Index Rebuild function of BRS allows you to rebuild them
rather than recover them.

RECOVERY ADVISOR

The Recovery Advisor component of BRS allows you to monitor the frequency of your image
copies and change accumulations.

It helps you to determine whether all your databases are being backed-up. By using any
number of back-up and recovery tools available, you can better manage your world and be
ready to recover!
