Using a SAN or NAS to Store Digital Evidence


    This blog post addresses crucial considerations for digital forensic laboratories regarding the storage of digital forensic evidence, focusing on the use of Storage Area Networks (SAN) and Network Attached Storage (NAS) devices. It delves into the practices of sanitizing hard drives, the importance of strict administrative policies, and the technical setup to prevent evidence cross-contamination. The post emphasizes the necessity of a forensic LAN isolated from the internet, the use of Access Control Lists for examiner-specific partitions, and strategies for handling sensitive or classified data. Additionally, it explores data classification processes for managing highly sensitive data and confirms the compatibility of SAN usage with accreditation, highlighting the pivotal role of adhering to best practices and established policies in the forensic examination process.



    • Implement forensic wiping of SAN/NAS hard drives before use and avoid re-wiping unless necessary.
    • Establish detailed administrative policies specifying evidence storage conventions, including directory structures and file naming, to prevent cross-contamination.
    • Ensure the SAN/NAS is part of a dedicated forensic LAN, disconnected from the Internet, to mitigate risks of malware intrusion and data exfiltration.
    • Utilize Access Control Lists (ACLs) to create examiner-specific partitions on the SAN/NAS, limiting access to sensitive data and further safeguarding against evidence mishandling.
    • For handling classified or sensitive data, consider separate systems or partitions with strict access controls, and explore data classification processes to monitor and alert on the movement of sensitive information.



    Over the years, the question of how to store digital forensic evidence has been raised many times. Forensic examiners often ask how to properly use a Storage Area Network (SAN) or Network Attached Storage (NAS) device in a digital forensic laboratory. Some of the main questions asked are:

    1. How do you handle the sanitization of hard disks in a SAN/NAS array?
    2. Are all hard drives periodically removed from the server, wiped, and then re-installed?
    3. While spillage of classified or contraband would likely necessitate some extraordinary efforts, what would be a “best practice” for cleaning a SAN/NAS not involving classified material or child pornography?
    4. Can you use a SAN/NAS if your laboratory is accredited?

    In my experience, hard drives for SAN/NAS devices should be forensically wiped prior to being placed into service. Once they are wiped, placed in the array, initialized, formatted, and put into a RAID, that is the last time you’ll wipe them (short of some maintenance issue, etc.). Forensically imaging directly to a SAN or NAS and then processing your cases off of the network storage device is a very nice way of doing business, particularly if you have the bandwidth to do so and a good backup solution.

    The key to this issue is as much administrative as it is technical. You need to have solid policies in place that define naming conventions, and you need to ensure those policies are followed to the letter. You want your policy so granular that it specifies the directories, subdirectories, file names, etc. that are used for any evidence being stored on the SAN/NAS. You also need to conduct periodic reviews of how examiners are naming things and ensure that everything is stored exactly where it is supposed to be. The real issue here is the potential for cross-contamination of evidence. By creating good policy and following that policy, you help defeat this issue.

    Obviously you want your SAN/NAS on your forensic LAN, which is not connected to the Internet, further reducing the chances of malware, intrusion, or exfiltration of sensitive data. These steps help you demonstrate the protection of data and reduce the likelihood of data contamination.

    Other suggested technological controls would be to create separate partitions on your network storage device for each examiner and then use Access Control Lists (ACLs) to ensure that only the examiner and their supervisor/manager can access their respective partition. This again limits the scope of the issue and the potential for cross-contamination.

    As for the question regarding sensitive or classified data – I think these are two different issues. For classified cases, generally you have a completely separate set of forensic computers and networking equipment that is accredited to operate in classified space. For example, you may have another LAN located within a limited area that only Secret/TS cleared individuals can physically access. This LAN is used to conduct forensics only on classified systems or classified material. You could have a SAN/NAS in the classified area as well, but it would only be used for the storage of classified information and the system would probably need a Certification & Accreditation package depending on your agency’s procedures. This should eliminate your classified spillage concern.

    For unclassified but sensitive material (Official Use Only, child exploitation images, etc.), those could still reside on your unclassified SAN/NAS. I would recommend having a partition for your forensic images (.dd, .E01, etc.), partitions for your evidence files (EnCase, FTK, exports, exhibits, etc.), and partitions for your forensic reports.
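    The periodic review described above can be automated. The following is an added example, not code from the post: it audits a listing of the share against an assumed convention of `<examiner>/<case-id>/<area>/<file>` (the examiner and case-number patterns, the three areas, and the file types allowed in each are all assumptions of this example) and flags files that sit in the wrong area, outside the structure, or carry another case's number.

```python
import re
from pathlib import PurePosixPath

# Assumed lab convention for this example (not the post's own policy):
# <examiner>/<case-id>/<area>/<file> under the SAN/NAS evidence root,
# one area per content type the post recommends keeping apart.
EXAMINER = re.compile(r"[a-z]{2,12}")
CASE_ID = re.compile(r"\d{4}-\d{4}")
AREAS = {  # allowed file types per area (assumed; trim to your tooling)
    "images": {".dd", ".raw", ".e01", ".ex01"},
    "evidence": {".l01", ".ad1", ".zip", ".csv"},
    "reports": {".pdf", ".docx", ".html"},
}

def check_path(rel_path: str) -> list[str]:
    """Return policy violations for one file path; empty list means compliant."""
    parts = PurePosixPath(rel_path).parts
    if len(parts) < 4:
        return [f"{rel_path}: not under <examiner>/<case-id>/<area>/"]
    examiner, case_id, area, *rest = parts
    name, problems = rest[-1], []
    if not EXAMINER.fullmatch(examiner):
        problems.append(f"{rel_path}: examiner directory '{examiner}' is malformed")
    if not CASE_ID.fullmatch(case_id):
        problems.append(f"{rel_path}: case directory '{case_id}' is not YYYY-NNNN")
    if area not in AREAS:
        problems.append(f"{rel_path}: area '{area}' is not one of {sorted(AREAS)}")
    elif PurePosixPath(name).suffix.lower() not in AREAS[area]:
        problems.append(f"{rel_path}: '{name}' does not belong in the '{area}' area")
    # Cross-contamination check: a file tagged with another case number than
    # the case directory it sits in is the classic misfiling to catch early.
    other = {m for m in CASE_ID.findall(name) if m != case_id}
    if other:
        problems.append(f"{rel_path}: file references other case(s) {sorted(other)}")
    return problems

def audit(paths):
    """Periodic review over a listing of the share: path -> list of violations."""
    return {p: v for p in paths if (v := check_path(p))}

# Constructed listing standing in for a walk of the share.
SAMPLE = [
    "moulin/2024-0017/images/laptop.E01",
    "moulin/2024-0017/images/2024-0018_phone.dd",  # wrong case number
    "moulin/2024-0017/reports/memory.raw",         # image in reports area
    "moulin/scratch/laptop.dd",                    # outside the structure
]
```

    Feed `audit()` the output of a walk over the share (e.g. `os.walk` relative to the evidence root) and review the returned dictionary as part of the scheduled check.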

    One area I experimented with while managing a law enforcement digital forensics laboratory was a Data Classification process for exactly this situation. This wasn’t on a classified system, but on an unclassified law enforcement network that processed a lot of child exploitation and other sensitive data. The idea is to place all of the sensitive data in a specific location (partition, physical disk, a separate SAN/NAS on the same LAN, etc.) and then monitor the usage and flow of traffic from that location. In addition to putting ACLs in place, this would provide you with alerting any time data was placed in or removed from the sensitive location. This is also a great way for management to ensure information being accessed is on a need-to-know basis.
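    As an added example (not from the post, and independent of any particular product), this is one simple way to get the "placed in or removed from" alerting the post describes: each monitoring pass hashes every file in the sensitive location, compares the result to the manifest saved by the previous pass, and reports files that appeared, disappeared or changed. The location, manifest path and sample files are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for f in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with f.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        manifest[f.relative_to(root).as_posix()] = h.hexdigest()
    return manifest

def diff(previous: dict, current: dict) -> dict[str, list[str]]:
    """Classify what changed since the last pass: placed, removed or altered."""
    both = set(previous) & set(current)
    return {
        "placed": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        "altered": sorted(p for p in both if previous[p] != current[p]),
    }

def check(root: Path, state_file: Path) -> dict[str, list[str]]:
    """One monitoring pass over the sensitive location: compare the share to
    the stored manifest, persist the new one, and return events to alert on."""
    previous = json.loads(state_file.read_text()) if state_file.exists() else {}
    current = snapshot(root)
    state_file.write_text(json.dumps(current, indent=1))
    return diff(previous, current)

def demo() -> list[dict]:
    """Constructed walkthrough in a temp dir: seed, then add/alter/remove files."""
    with tempfile.TemporaryDirectory() as tmp:
        root, state = Path(tmp, "sensitive"), Path(tmp, "manifest.json")
        case = root / "2024-0017"
        case.mkdir(parents=True)
        (case / "phone.E01").write_bytes(b"constructed image bytes")
        first = check(root, state)                  # initial seed: all "placed"
        (case / "phone.E01").write_bytes(b"changed")
        (case / "export.zip").write_bytes(b"constructed export")
        second = check(root, state)                 # one altered, one placed
        (case / "export.zip").unlink()
        third = check(root, state)                  # one removed
    return [first, second, third]
```

    In a lab deployment the manifest should live somewhere the examiners cannot write to, and each non-empty result from `check()` is what gets pushed to whoever reviews access to the sensitive partition.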

    As far as the accreditation question, I was a laboratory director for an ASCLD/LAB accredited LE forensics lab and can tell you that using a SAN is perfectly acceptable. Accreditation is more about making sure you have policies that match industry best practices and then following your own policy, rather than telling you how you must do business.

    Josh Moulin

    Josh Moulin has been in the cybersecurity field for over two decades and worked in a variety of roles. He is the founder and principal of Natsar, a cybersecurity company in New York, USA. Previously, he has served in roles including the Senior VP of Operations at the Center for Internet Security (CIS), commander of an FBI cybercrimes task force, director of an ASCLD/LAB accredited digital forensics lab, Chief Information Officer (CIO) and Chief Information Security Officer (CISO) of a national security program within the United States nuclear weapons enterprise, and an Executive Partner at Gartner, the world’s largest research and advisory company. Josh is considered an expert in cybersecurity, risk management, and organizational leadership and frequently engages with companies around the world on these and other topics. He has a Master of Science Degree in Information Security Assurance and the following certifications: CAWFE, CEH, CFCE, CHFI, CISSP, CNDA, DFCP, GCFA, GCFR, GCIA, GIME, and GSEC.

    4 thoughts on “Using a SAN or NAS to Store Digital Evidence”

    1. Josh, great article. Question: I have custom built my own FRED and am looking at expanding the available disk space for case images and am trying to decide between a USB 3.0/3.1 Type-C DAS or go with a NAS.

      Can you comment on your preference and the speed/performance bottlenecks between using both? I would be using FTK 6.1 and the NAS or DAS would be my case drive where the images would be copied to, then imported. So it would basically be my working/primary drive during forensic analysis.

      Thanks in advance.

      1. Hi Alissa,

        Thanks for the comment and I am glad the article was useful. I don’t know what your infrastructure looks like, how many systems you may have accessing your data, or the criticality of your cases, all of which would make a difference in the solution you choose. If you have a single forensic system and just need a bunch of storage for your cases to be maintained then a USB 3.1 would be your fastest and most inexpensive solution. My recommendation would be to purchase a drive array though that supports RAID and make sure you have plenty of redundancy in the event of failure, particularly if you are not backing up your cases to any other array.

        If you want to look at future growth and may need more out of an array than just storage, then I would suggest a NAS or SAN. For a smaller shop, I would recommend something like the Synology NAS arrays with 4+ drive bays and a RAID configuration. Most likely your FRED has a 1 Gbps NIC which is fast, but not as fast as the USB 3.1. It is plenty fast enough though for forensics. The other benefit of a NAS is the scalability and potential for future growth. For example, I often will run multiple virtual machines for forensics, all doing different tasks with the data at the same time to speed up my processing and analysis time. With a direct-attached storage device, it is much more difficult to share across multiple devices or operating systems. With a NAS on the same LAN, I can share the storage and data across all of my workstations.

        A NAS is definitely the way to go if you want to grow your operations and work more like an enterprise than a one-person shop. These days, even with large hard drives, the Synology NASes are reasonably priced. I have run a forensics lab both ways, with DAS and NAS/SAN, and once I went to network storage I never wanted to go back. As for your question about speeds and bottlenecks, if you have Gb NICs with Cat 6 cables your networking speed is not going to be the issue. If you are using USB 3.1 for a DAS, the bus speed won’t be the issue either. Your problem is going to be memory on your forensic workstation and, more importantly, the I/O on the disk array you choose. I would buy the fastest drives you can afford and really try for flash drives. This will give you tremendous speed and flexibility.

        Hopefully this helped. Feel free to ask any additional questions and good luck!

