Forensics
RE: Acquiring Large Raids Mar 08 2005 02:59PM
Davidoff, Arieh (x1145) (ADavidoff rachlin com) (1 replies)
Howdy,

We often use Encase in Windows for analysis but Encase DOS has
proved too slow for most acquisitions. The faster solution for server
RAID acquisition is the combination of Linux, dd, netcat, and a
crossover cable. We recently performed a few tests on some older server
equipment (PIII-500 with 6x 18.2GB SCSI in a RAID 5 configuration)
booting the mock suspect server and acquisition system using Linux boot
disks. We recorded 600MB/min imaging the array over 100base-T Ethernet.

As a control, we imaged one of the array's SCSI drives using a
SCSI-FireWire write blocker and recorded 420MB/min. Although acquisition
of an individual drive may be slower, we can image four or more
simultaneously with one field kit yielding 1.5 to 2GB/min. Please note,
however, that imaging the drives separately records the parity data
which adds to the overall size of the resulting image and time to the
acquisition.

I hope this helps.

Regards,

Arieh S. Davidoff
Manager - Computer Forensics and Advisory Services
Rachlin Cohen & Holtz LLP
1 S.E. 3rd Avenue, 10th Floor
Miami, FL, 33131
Phone: (305) 373-7939 x1145
Cell: (305) 205-7694
Fax: (305) 377-8331
adavidoff (at) rachlin (dot) com [email concealed]
http://www.rachlin.com

-----Original Message-----
From: Gosalia, Veeral [mailto:veeral.gosalia (at) fticonsulting (dot) com [email concealed]]
Sent: Friday, March 04, 2005 10:39 AM
To: forensics (at) securityfocus (dot) com [email concealed]
Subject: Acquiring Large Raids

What are everyone's thoughts/approaches on acquiring large raid arrays?

For example how do folks approach imaging a 1 Terabyte raid array
consisting of SCSI drives. I am somewhat reluctant to image each drive
separately given the risk of damaging the raid. I generally prefer
inserting in a PCI IDE card and imaging in Encase DOS, but that process
takes almost 10 mins a GB to capture.

Thanks!

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
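The network acquisition described in the reply above (dd piped into netcat on the source, a netcat listener writing the image on the collection system), as an added example that is not code from either poster: it stands in for dd and netcat with Python sockets so it runs without either tool, and adds a SHA-256 on each end so the received image can be checked against what was read. The function names, the 64 KiB chunk size and the loopback address are assumptions made for the example.

```python
import hashlib
import socket
import threading

CHUNK = 64 * 1024  # bytes per read, the role dd's bs= plays (assumed value)


def send_image(src_path, host, port):
    """Source side (dd piped to netcat): stream the device, hashing what is read."""
    digest = hashlib.sha256()
    with open(src_path, "rb") as src, socket.create_connection((host, port)) as sock:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            digest.update(chunk)
            sock.sendall(chunk)
    return digest.hexdigest()


def receive_image(listener, dst_path, result):
    """Collection side (netcat listener to file): write and hash what arrives."""
    digest, total = hashlib.sha256(), 0
    conn, _ = listener.accept()
    with conn, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: conn.recv(CHUNK), b""):
            digest.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    result.update(sha256=digest.hexdigest(), size=total)


def acquire_over_loopback(src_path, dst_path):
    """Run both ends in one process over 127.0.0.1 and compare the two hashes."""
    result = {}
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        rx = threading.Thread(target=receive_image, args=(listener, dst_path, result))
        rx.start()
        sent = send_image(src_path, "127.0.0.1", port)
        rx.join()
    return {"sha256": sent, "size": result["size"], "match": sent == result["sha256"]}


if __name__ == "__main__":
    import os, tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "array.raw"), os.path.join(tmp, "image.dd")
        with open(src, "wb") as f:  # constructed 1 MiB stand-in for the RAID volume
            f.write(os.urandom(1024 * 1024))
        print(acquire_over_loopback(src, dst))
```

On two machines, `send_image` would run on the booted source system against the array's block device and `receive_image` on the collection system, with the two digests recorded in the acquisition notes.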

Re: Acquiring Large Raids Mar 09 2005 03:42PM
Dragos Ruiu (dr kyx net)