
Re: Acquiring Large Raids

Subject: Re: Acquiring Large Raids
Date: Wed, 9 Mar 2005 07:42:58 -0800
On March 8, 2005 06:59 am, Davidoff, Arieh (x1145) wrote:
> -----Original Message-----
> From: Gosalia, Veeral [mailto:veeral.gosalia@fticonsulting.com]
> Subject: Acquiring Large Raids
> What are everyone's thoughts/approaches on acquiring large raid arrays?
> For example how do folks approach imaging a 1 Terabyte raid array
> consisting of SCSI drives.
>
> We often use Encase in Windows for analysis but Encase DOS has
> proved too slow for most acquisitions.  The faster solution for server
> RAID acquisition is the combination of Linux, dd, netcat, and a
> crossover cable.  We recently performed a few tests on some older server
> equipment (PIII-500 with 6x 18.2GB SCSI in a RAID 5 configuration)
> booting the mock suspect server and acquisition system using Linux boot
> disks.  We recorded 600MB/min imaging the array over 100base-T Ethernet.

Buffalo Terastation. 4 drive raid5, 1 Terabyte, GigE - USD$1K

(EMC and the other "enterprise" storage vendors have a lot to
worry about from these new commodity raid boxes. I can buy
10-15 terastations for the price they charge for equivalent, 
mirror them all or use them as historical snapshots and throw 
away any boxes that break for the same price. :-)

There are other solutions too... I have a non raid four drive USB/1394 
terabyte enclosure here about the size of an American football,
but the Terastation is nice because it includes the server/GigE.

cheers,
--dr

P.s. prolly worth carrying a gigE nic with you for forensics like
that. 100baseT is quite a bottleneck, at 42Mbps real node-to-node.

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada       May 4-6 2005  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
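
Added example, not part of the original messages: one way to run the Linux, dd and netcat acquisition described in the quoted reply so that the stream is hash-verified on both ends. The function names, port 9000, address 10.0.0.1 and /dev/sda are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, port 9000, 10.0.0.1
# and /dev/sda are assumptions; substitute your own.

# Suspect side: stream SRC through dd to stdout and store the SHA-256 of the
# bytes actually sent in HASHFILE. conv=noerror,sync continues past unreadable
# blocks and zero-pads them so later offsets stay aligned with the source.
send_image() {
    src=$1; hashfile=$2
    fifo=$(mktemp -u) && mkfifo "$fifo" || return 1
    sha256sum < "$fifo" | cut -d' ' -f1 > "$hashfile" &
    dd if="$src" bs=64k conv=noerror,sync | tee "$fifo"
    wait
    rm -f "$fifo"
}

# Collector side: write stdin to OUT and store the SHA-256 of what arrived.
receive_image() {
    out=$1; hashfile=$2
    tee "$out" | sha256sum | cut -d' ' -f1 > "$hashfile"
}

# Succeeds only if both hash files are non-empty and identical.
verify_transfer() {
    [ -s "$1" ] && [ -s "$2" ] && [ "$(cat "$1")" = "$(cat "$2")" ]
}

# Over the crossover cable (traditional netcat syntax; OpenBSD nc omits -p):
#   collector:  nc -l -p 9000 | receive_image array.dd recv.sha256
#   suspect:    send_image /dev/sda sent.sha256 | nc 10.0.0.1 9000
# Then carry sent.sha256 over and run: verify_transfer sent.sha256 recv.sha256

# Loopback demo on a constructed 1 MiB sample file; no network needed.
demo_loopback() {
    dir=$(mktemp -d) || return 1
    head -c 1048576 /dev/urandom > "$dir/src.img"
    send_image "$dir/src.img" "$dir/sent.sha256" |
        receive_image "$dir/recv.dd" "$dir/recv.sha256"
    verify_transfer "$dir/sent.sha256" "$dir/recv.sha256" &&
        cmp -s "$dir/src.img" "$dir/recv.dd"
    rc=$?
    rm -rf "$dir"
    return $rc
}

if [ "${1:-}" = demo ]; then demo_loopback && echo "hashes match"; fi
```

The two hashes compare the stream sent with the stream received, not the raw device. Because conv=sync pads a short final block, an image of a source whose size is not a multiple of 64k will be longer than the source.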
