SafeBack - Evidence Grade Bitstream Backup Utility

NEW! SafeBack is now supported by the ICS LinkMASSter, making USB or Firewire imaging even easier and faster than before. Call NTI to find out more about this capability!

Introduction to SafeBack 3.0

SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition. The process is analogous to photography and the creation of a photo negative. Once the photo negative has been made, several exact reproductions can be made of the original. Unlike the taking of a photo, SafeBack image files can detect attempts to alter the reproduction. SafeBack is an industry standard self-authenticating computer forensics tool that is used to create evidence grade backups of hard drives. SafeBack and its uses are described extensively in Computer Forensics, Incident Response Essentials by Warren G. Kruse II and Jay G. Heiser, Cyber Crime Investigator's Field Guide by Bruce Middleton and Computer Forensics, Crime Scene Investigations by John R. Vacca. It is also mentioned in the book Cybersecurity Operations Handbook by Dr. John W. Rittinghouse and Dr. William M. Hancock.

With the release of SafeBack version 3.0, the integrity of SafeBack files is maintained through the use of two separate mathematical hashing processes which rely upon the National Institute of Standards and Technology (NIST) tested SHA256 algorithm. Users of prior versions of SafeBack are encouraged to upgrade to take advantage of the greater levels of accuracy achieved with version 3.0. Information about upgrades can be found on the SafeBack Upgrade Page. SafeBack 3.0 adds new features and also takes into account the last sector error finding by NIST concerning the older SafeBack version 2.0.

Backup image files created with SafeBack can be written to any writable magnetic storage device, including SCSI tape backup units. SafeBack preserves all the data on a backed-up or copied hard disk, including inactive or "deleted" data. Backup image files can be restored to another system's hard disk. Remote operation via parallel port connection allows the hard disk on a remote PC to be read or written by the master system. A date- and time-stamped audit trail maintains a record of SafeBack operations during a session and, when the default is used, an SHA256 hash is recorded in the output audit file. This hash can be used to cross validate the accuracy of the process with any other software utility which relies upon the NIST tested SHA256 algorithm. To avoid possible claims that the SafeBack image file may have been altered after-the-fact, SafeBack now safeguards the internally stored SHA256 values. Any alterations of computer data are quickly brought to the attention of the operator of the program when the SafeBack image file is restored.
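The cross validation described above can be done with any independent SHA-256 implementation. The following is an added example, not NTI's code and not SafeBack's file format: it assumes the input is raw sector data (for example, read back from a restored drive or from raw image segments), and the block size and function names are illustrative assumptions. It computes a whole-stream hash plus per-block hashes so that a mismatch can be localized to a block.

```python
import hashlib
import hmac

BLOCK = 64 * 1024  # bytes per hashed block (assumed size, for illustration only)

def hash_stream(chunks, block_size=BLOCK):
    """Return (whole_stream_sha256_hex, [per_block_sha256_hex, ...]).

    `chunks` is any iterable of bytes objects in drive order.
    """
    whole = hashlib.sha256()
    blocks = []
    buf = b""
    for chunk in chunks:
        whole.update(chunk)
        buf += chunk
        while len(buf) >= block_size:
            blocks.append(hashlib.sha256(buf[:block_size]).hexdigest())
            buf = buf[block_size:]
    if buf:  # hash the final partial block so trailing sectors are not skipped
        blocks.append(hashlib.sha256(buf).hexdigest())
    return whole.hexdigest(), blocks

def cross_validate(chunks, recorded_hex, recorded_blocks=None, block_size=BLOCK):
    """Re-hash the data and compare with values recorded at acquisition time.

    Returns (ok, altered_block_indexes). `recorded_hex` is the SHA-256 value
    copied from the audit record; `recorded_blocks` is optional.
    """
    whole, blocks = hash_stream(chunks, block_size)
    ok = hmac.compare_digest(whole, recorded_hex.strip().lower())
    altered = []
    if recorded_blocks is not None:
        for i in range(max(len(blocks), len(recorded_blocks))):
            new = blocks[i] if i < len(blocks) else None
            old = recorded_blocks[i] if i < len(recorded_blocks) else None
            if new != old:
                altered.append(i)
    return ok, altered

def read_segments(paths, bufsize=1 << 20):
    """Yield data from split segment files, in the order the paths are given."""
    for path in paths:
        with open(path, "rb") as f:
            while data := f.read(bufsize):
                yield data
```

Segment files must be passed to `read_segments` in acquisition order; hashing them out of order produces a different whole-stream value even when every byte is intact.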

Simply put, SafeBack is a DOS-based utility to back up and restore hard disks. SafeBack picks up every last bit of data (unused and erased data included) on the original disk and stores it in a tape or disk file (or series of files). SafeBack can take that same backup file and re-create the original disk on your own system. SafeBack does not write or otherwise modify the original system and can (and should) be started from a boot diskette.

SafeBack also has a couple of "derivative" operating modes. The first is Verify mode where restoring from a backup disk is done, but the data is thrown away. This is more useful than it first appears to be because it allows the operator of the program to scan his (or her) backups to make sure that they will read back without errors, without having to go through the setup required by a standard SafeBack restore procedure. The other derivative operation is Copy, which feeds the Restore function directly with the output of the Backup function, with no intermediate files. This is actually less useful than it first appears to be. If the operator of SafeBack is considering the making of a copy, they might as well make a backup image file and then restore it as needed.

The History of SafeBack

SafeBack has been the industry standard in making evidence grade bit-stream backups since 1990 when Sydex, Inc. developed the first version of the software. SafeBack was designed for military and law enforcement use and the original design incorporated two important levels of mathematical hashing to guarantee accuracy. Storage block hashes relied upon a 16 bit CRC and a separate 32 bit CRC was used to hash the contents of the entire hard disk drive. The design also included several layers of error checking and the creation of an audit log to document the backup process and to report any errors. Compression of relevant computer data was also not used in the original design to avoid legal arguments concerning software translation of evidence.

In 2000 New Technologies, Inc. (NTI), a subsidiary of Armor Holdings, Inc. (NYSE:AH) purchased the rights to SafeBack from Sydex, Inc.

The original SafeBack design has withstood the test of time for over 12 years. That success was in part due to the wisdom and knowledge of Chuck Guzis who designed and created SafeBack. Since 1990 hard disk drive storage capacities have increased exponentially. Back in 1990, who would have even guessed that personal computer hard disk drive capacities would ever exceed 100 gigabytes? To Chuck's credit, the original SafeBack design has accurately created thousands of evidence grade backups of hard disk drives for thousands of law enforcement and military computer specialists around the world. In 2002 and 2003, the design successfully withstood legal "Junk Science" attacks in two high profile national security cases in the United States. Needless to say, SafeBack has proven to be an extremely reliable evidence processing tool since its creation in 1990 by Mr. Guzis and Sydex Corporation.

In February 2003, NIST successfully tested the SHA256 algorithm and NTI made the decision to upgrade SafeBack (version 2.2) to incorporate the robust SHA256 algorithm in SafeBack. Please note that NTI no longer supports or endorses older versions of SafeBack. This is because they were not designed for use with today's huge hard disk drive sizes. The upgrade from SafeBack 2.2 to SafeBack 3.0 brings together the talents and technical expertise of two credible publicly-traded corporations. In 2003, NTI entered into an agreement with Integrated Information Systems (NASDAQ:IISX) concerning the upgrade of SafeBack to version 3.0. Based upon the strength of the original SafeBack design, no changes were required concerning the basic design or interface but the mathematical hashing was substantially strengthened to ensure a greater level of accuracy when processing large hard disk drives and drives that will be developed in the future.

As stated previously, SafeBack 3.0 relies upon the NIST tested SHA256 algorithm in two independent validation processes. One would think that an increase from the original 32 bit CRC hash to the more robust 256 bit SHA256 hash would substantially decrease SafeBack's processing speeds. However, that is not the case because much time and effort was devoted to increased processing speeds. Depending upon the CPU speed of the processing computer, SafeBack 3.0 is actually faster than prior versions. Other performance improvements and data integrity features have also been added but the original SafeBack design, interface and features remain intact.

SafeBack - Training and Reference Information

Because SafeBack is the industry standard concerning the creation of evidence grade backups of computer hard disk drives, its uses and operation are covered in numerous publications that are available from a wide range of publishers. Its use is also covered in training courses at the Federal Law Enforcement Training Center, the US Department of Defense and some universities in the United States. It is also covered in NTI's Computer Forensics Training Course. Information is also available concerning SafeBack upgrades and there is information available concerning frequently asked questions about SafeBack from NTI on the Internet.

SafeBack 3.0 Licensing

The licensing for SafeBack 3.0 has changed to more adequately safeguard our investment and intellectual property. SafeBack 3.0 is licensed for use by specific individuals and the licensed user's name is embedded in the software to clearly identify the licensed user. We do it in this way to make life easy for our clients and to avoid the problems associated with restrictive software dongles.

Copies of the SafeBack software and SafeBack instruction manual cannot legally be shared between individuals or licensed SafeBack users. However, the SafeBack output files can be shared with other licensed SafeBack users. All licensed users of SafeBack 3.0 will be required to sign a software license agreement before the software can be shipped. Our intent is to protect our ownership rights to the SafeBack related technology. It is not our intent to negatively affect our clients and their use of the software. Discounted site licenses are available for use by large business units and government agencies and SafeBack libraries are available for software developers who desire to transparently access the SafeBack file format. Questions concerning licensing, site licenses and SafeBack access libraries should be directed to NTI.

SafeBack - Primary Uses:

  • Used to create evidence grade backups of hard disk drives on Intel based computer systems.

  • Used to exactly restore archived SafeBack images to another computer hard disk drive of equal or larger storage capacity.

  • Used as an evidence preservation tool in law enforcement and civil litigation matters.

  • Used as an intelligence gathering tool by military agencies.

SafeBack - Program Features and Benefits:

  • DOS based for ease of operation, speed and to eliminate the problems created by Windows concerning the potential alteration of data.

  • No Software Dongle! - We know that software dongles get in the way and they restrict your ability to process several computers at the same time. That is why NTI does not use software dongles and our licensing of this software allows you to process multiple computers at the same time. NTI's goal is to make your life easier and this software was designed with ease of use in mind.

  • Incorporates two separate implementations of the NIST tested SHA256 algorithm to ensure the integrity of all data contained on the target computer storage device.

  • Provides a detailed audit trail of the backup process for evidence documentation purposes and the SafeBack default outputs an SHA256 hash value that can be compared with other utilities when cross validation of findings is deemed to be important.

  • Checks for possible data hiding when sector CRCs do not match on the target hard disk drive. These findings are automatically recorded in the SafeBack audit log file.

  • Accurately copies all areas of the hard disk drive.

  • Allows the archive of non-DOS and non-Windows hard disk drives, e.g., Unix on an Intel based computer system.

  • Allows for the backup process to be made via the printer port.

  • Duplicate copies of hard disk drives can be made from hard disk to hard disk in direct mode.

  • SafeBack image files can be stored as one large file or separate files of fixed sizes. This feature is helpful in making copies for archive on CDs.

  • Tried and proven evidence preservation technology with a long-term legacy of success in government agencies.

  • Does not compress relevant data to avoid legal arguments that the original computer evidence was altered through data compression and/or software translation.

  • Fast and efficient. In spite of the extensive mathematical validation, the latest version of SafeBack runs as fast or faster than prior versions of SafeBack. Processing speeds are much faster when state-of-the-art computer systems are used to make the backup.

  • Makes copies in either physical or logical mode at the option of the user.

  • Copies and restores multiple partitions containing one or more operating systems.

  • Can be used to accurately copy and restore most hard disk drives, including Windows NT, Windows 2000 and Windows XP configured drives.

  • Accuracy is guaranteed in the backup process through the combination of mathematical CRCs which provides a level of accuracy which far exceeds the accuracy provided by 128 bit CRCs, e.g., RSA MD5.

  • Writes to SCSI tape backup units or hard disk drives at the option of the user.

  • The current version of SafeBack compresses unused and unformatted sections of the hard disk drive to increase processing speeds and to conserve storage space concerning the writing of the SafeBack image file.

For definitions of some of the technical computer forensic terms used, please refer to our technical definitions section.

The current release is Version 3.03 and the GSA Product Number is SB3.03. U. S. Government clients should click here for information about GSA purchases.

Please direct E-Mail to