
List:       forensics
Subject:    Re: Acquiring Large Raids
From:       Dragos Ruiu <dr () kyx ! net>
Date:       2005-03-09 15:42:58
Message-ID: 200503090742.58819.dr () kyx ! net

On March 8, 2005 06:59 am, Davidoff, Arieh (x1145) wrote:
> -----Original Message-----
> From: Gosalia, Veeral [mailto:veeral.gosalia@fticonsulting.com]
> Subject: Acquiring Large Raids
> What are everyone's thoughts/approaches on acquiring large raid arrays?
> For example how do folks approach imaging a 1 Terabyte raid array
> consisting of SCSI drives.
>
> We often use Encase in Windows for analysis but Encase DOS has
> proved too slow for most acquisitions.  The faster solution for server
> RAID acquisition is the combination of Linux, dd, netcat, and a
> crossover cable.  We recently performed a few tests on some older server
> equipment (PIII-500 with 6x 18.2GB SCSI in a RAID 5 configuration)
> booting the mock suspect server and acquisition system using Linux boot
> disks.  We recorded 600MB/min imaging the array over 100base-T Ethernet.

Buffalo Terastation. 4 drive raid5, 1 Terabyte, GigE - USD$1K

(EMC and the other "enterprise" storage vendors have a lot to
worry about from these new commodity raid boxes. I can buy
10-15 terastations for the price they charge for equivalent, 
mirror them all or use them as historical snapshots and throw 
away any boxes that break for the same price. :-)

There are other solutions too... I have a non raid four drive USB/1394 
terabyte enclosure here about the size of an American football,
but the Terastation is nice because it includes the server/GigE.

cheers,
--dr

P.s. prolly worth carrying a gigE nic with you for forensics like
that. 100baseT is quite a bottleneck, at 42Mbps real node-to-node.

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada	May 4-6 2005  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
