RE: Server with RAID-5

From: Artes, Francisco (franciscoat_private)
Date: Thu May 09 2002 - 08:21:22 PDT

    Business as normal.  Just image every single drive, make note of what drive
    went where in the RAID... etc.  Set all the SCSI IDs on the duplicate
    drives to match the original drives after you image them. Make sure you put
    every duplicate drive into the RAID enclosure in the correct locations.
    (Remember there may be more than just one RAID-5 stripe set on those drives,
    there may be some mirrors of partitions making other virtual drives, etc.)
    
    The RAID may be SCA. (So no SCSI ID setting, except on the adapter you will
    use while duplicating.)  If this is the case your best bet is to get SCA to
    standard SCSI-II adapters, about $30 each at Fry's.  Then pop the drives
    into a Linux box and DD one original to one duplicate.  I did the same thing
    for a case and it worked like a charm.  I bought two such adapters and just
    duplicated one drive at a time.  It may have been slower, but it limits the
    risk of making a mistake.. and is cheaper.  ;)
    
    -F
    
    -----Original Message-----
    From: Hunter Ely [mailto:hely1at_private]
    Sent: Monday, May 06, 2002 6:24 AM
    To: forensicsat_private
    Subject: Server with RAID-5
    
    
    I have a server that was compromised.  I've been doing lower level forensics
    on machines with single drives, but I don't know what I need to do to image
    a RAID array.  I haven't seen the machine yet, so I can't give you any
    specifics about it.  Can any of you guys give me an idea of what I need to
    do?  Thanks.
    ------------------------------------------------------
    Hunter Ely
    Network Security Analyst, Office of Computing Services
    Louisiana State University
    http://hunter.lsu.edu
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Fri May 10 2002 - 10:07:36 PDT
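
The procedure described in the reply above (dd one original to one duplicate at a time, noting which drive went where), as an added example that is not part of the original message. The function name `image_member`, the manifest file and its columns are assumptions, and the SHA-256 check is an addition the post does not mention.

```bash
#!/usr/bin/env bash
# Added example: duplicate RAID members one at a time and log where each came from.
# image_member and the manifest layout are hypothetical, not from the original post.
MANIFEST="${MANIFEST:-raid_manifest.tsv}"   # slot, SCSI ID, source, target, bytes, sha256

# image_member SRC DST SLOT SCSI_ID
image_member() {
    local src="$1" dst="$2" slot="$3" scsi_id="$4" size src_hash dst_hash
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # Catch the two mistakes that ruin a rebuild: copying a drive onto itself
    # and logging two drives against the same enclosure slot.
    if [ "$src" -ef "$dst" ]; then
        echo "source and target are the same device" >&2; return 2
    fi
    if [ -f "$MANIFEST" ] && cut -f1 "$MANIFEST" | grep -qxF -- "$slot"; then
        echo "slot $slot is already in $MANIFEST" >&2; return 2
    fi
    # Size of the original: block device first, plain file as fallback.
    size=$(blockdev --getsize64 "$src" 2>/dev/null || wc -c < "$src")
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    # No conv=noerror: a read error should stop the copy, not be padded over.
    # notrunc is a no-op on a device and leaves a pre-sized image file intact.
    dd if="$src" of="$dst" bs=1M conv=notrunc,fsync status=none || return 1
    # The duplicate may be larger than the original, so hash only the bytes
    # that were copied.
    dst_hash=$(head -c "$size" "$dst" | sha256sum | cut -d' ' -f1)
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "hash mismatch for slot $slot" >&2; return 1
    fi
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$slot" "$scsi_id" "$src" "$dst" "$size" "$src_hash" >> "$MANIFEST"
}
```

Call it once per drive, for example `image_member /dev/sdb /dev/sdc 0 0`, with the device names, slot and SCSI ID read off the enclosure; those values are placeholders.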