List: forensics
Subject: Re: Acquiring Large Raids
From: Dragos Ruiu <dr () kyx ! net>
Date: 2005-03-09 15:42:58
Message-ID: 200503090742.58819.dr () kyx ! net
On March 8, 2005 06:59 am, Davidoff, Arieh (x1145) wrote:
> -----Original Message-----
> From: Gosalia, Veeral [mailto:veeral.gosalia@fticonsulting.com]
> Subject: Acquiring Large Raids
> What are everyone's thoughts/approaches on acquiring large raid arrays?
> For example how do folks approach imaging a 1 Terabyte raid array
> consisting of SCSI drives.
>
> We often use Encase in Windows for analysis but Encase DOS has
> proved too slow for most acquisitions. The faster solution for server
> RAID acquisition is the combination of Linux, dd, netcat, and a
> crossover cable. We recently performed a few tests on some older server
> equipment (PIII-500 with 6x 18.2GB SCSI in a RAID 5 configuration)
> booting the mock suspect server and acquisition system using Linux boot
> disks. We recorded 600MB/min imaging the array over 100base-T Ethernet.
Buffalo Terastation. 4 drive raid5, 1 Terabyte, GigE - USD$1K
(EMC and the other "enterprise" storage vendors have a lot to
worry about from these new commodity raid boxes. I can buy
10-15 terastations for the price they charge for equivalent,
mirror them all or use them as historical snapshots and throw
away any boxes that break for the same price. :-)
There are other solutions too... I have a non raid four drive USB/1394
terabyte enclosure here about the size of an American football,
but the Terastation is nice because it includes the server/GigE.
cheers,
--dr
P.S. prolly worth carrying a gigE nic with you for forensics like
that. 100baseT is quite a bottleneck, at 42Mbps real node-to-node.
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada May 4-6 2005 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
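
The dd-and-netcat acquisition mentioned in the quoted message, as an added example that is not part of the original thread: both ends hash the stream so the received image can be verified against what was sent. A local pipe stands in for the crossover link; the function names, address, port and device path are assumptions.

```shell
#!/bin/sh
# Added illustration. A local pipe stands in for the crossover-cable link so
# the script runs offline. On real hardware the halves run on two machines,
# e.g. (hypothetical address/port, traditional netcat syntax):
#   acquisition box:  nc -l -p 9000 | receive_image evidence.dd recv.sha256
#   suspect server:   send_image /dev/sda sent.sha256 | nc 192.168.0.2 9000

# Stream $1 to stdout and record the SHA-256 of the bytes sent in $2.
send_image() {
    fifo=$(mktemp -u) && mkfifo "$fifo" || return 1
    # Hash in the background through a FIFO so the source is read only once.
    sha256sum < "$fifo" | cut -d' ' -f1 > "$2" &
    dd if="$1" bs=64k 2>/dev/null | tee "$fifo"
    wait
    rm -f "$fifo"
}

# Write stdin to image file $1, then hash what actually landed on disk into $2.
receive_image() {
    dd of="$1" bs=64k 2>/dev/null || return 1
    sha256sum < "$1" | cut -d' ' -f1 > "$2"
}

# Image $1 into $2 and succeed only if both ends computed the same digest.
acquire_and_verify() {
    [ -r "$1" ] || return 1          # refuse to "verify" an empty transfer
    work=$(mktemp -d) || return 1
    send_image "$1" "$work/sent" | receive_image "$2" "$work/recv"
    sent=$(cat "$work/sent"); recv=$(cat "$work/recv")
    rm -rf "$work"
    echo "sent=$sent recv=$recv"
    [ -n "$sent" ] && [ "$sent" = "$recv" ]
}
```
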