Business as normal. Just image every single drive, make note of what drive went where in the RAID... etc. Set all the SCSI IDs on the duplicate drives to match the original drives after you image them. Make sure you put every duplicate drive into the RAID enclosure in the correct locations. (Remember there may be more than just one RAID-5 stripe set on those drives, there may be some mirrors of partitions making other virtual drives, etc.)

The RAID may be SCA. (So no SCSI ID setting, except on the adapter you will use while duplicating.) If this is the case your best bet is to get SCA to standard SCSI-II adapters, about $30 each at Fry's. Then pop the drives into a Linux box and DD one original to one duplicate.

I did the same thing for a case and it worked like a charm. I bought two such adapters and just duplicated one drive at a time. It may have been slower, but it limits the risk of making a mistake.. and is cheaper. ;)

-F

-----Original Message-----
From: Hunter Ely [mailto:hely1at_private]
Sent: Monday, May 06, 2002 6:24 AM
To: forensicsat_private
Subject: Server with RAID-5

I have a server that was compromised. I've been doing lower level forensics on machines with single drives, but I don't know what I need to do to image a RAID array. I haven't seen the machine yet, so I can't give you any specifics about it. Can any of you guys give me an idea of what I need to do?

Thanks.

------------------------------------------------------
Hunter Ely
Network Security Analyst, Office of Computing Services
Louisiana State University
http://hunter.lsu.edu

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
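
The drive-by-drive duplication described in the reply above, as an added example that is not part of the original thread: each member is copied with dd, verified by hash, and recorded with its enclosure slot and SCSI ID so the duplicate can be checked before it is seated. The manifest path, its column layout and the function names are assumptions made for this example, and the duplicate is assumed to be the same size as the original.

```bash
#!/usr/bin/env bash
# Added example: image one RAID member at a time and keep a slot manifest.
# MANIFEST, its columns and both function names are assumptions for this sketch.
set -u

MANIFEST="${MANIFEST:-raid_manifest.tsv}"   # slot, scsi_id, source, duplicate, sha256

# image_member SLOT SCSI_ID SOURCE DEST
# Copies SOURCE to DEST, re-reads both, and records the member only if they match.
image_member() {
    local slot="$1" scsi_id="$2" src="$3" dst="$4" src_hash dst_hash

    # One enclosure position maps to exactly one drive; refuse a repeated slot.
    if [ -f "$MANIFEST" ] && cut -f1 "$MANIFEST" | grep -qxF -- "$slot"; then
        echo "slot $slot already recorded in $MANIFEST" >&2
        return 2
    fi

    # dd writes its transfer statistics to stderr; keep them as part of the record.
    dd if="$src" of="$dst" bs=1048576 2>>"$MANIFEST.log" || return 1

    # Assumes DEST is the same size as SOURCE (identical duplicate drives).
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum < "$dst" | cut -d' ' -f1)
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "hash mismatch for slot $slot: $src vs $dst" >&2
        return 3
    fi

    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$slot" "$scsi_id" "$src" "$dst" "$src_hash" >> "$MANIFEST"
}

# check_member SLOT DEVICE
# Before seating a duplicate, confirm it is the image recorded for SLOT.
check_member() {
    local slot="$1" dev="$2" want have
    want=$(awk -F'\t' -v s="$slot" '$1 == s { print $5 }' "$MANIFEST")
    if [ -z "$want" ]; then
        echo "no manifest entry for slot $slot" >&2
        return 2
    fi
    have=$(sha256sum < "$dev" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}
```

Run `image_member` once per original with the source attached read-only where possible, then `check_member` on each duplicate as it goes into its slot.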
This archive was generated by hypermail 2b30 : Fri May 10 2002 - 10:07:36 PDT