I would use dd to create images of the entire system to a tape drive. You can deal with a system on a RAID 5 array from a logical perspective. Once the dd images are created, extract them to a forensic workstation, mount them with the loopback, nosuid, noexec, ro, etc. options and perform forensics in the same manner that you would on a single drive system.

-Dan

-----Original Message-----
From: Hunter Ely
To: forensicsat_private
Sent: 5/6/2002 8:24 AM
Subject: Server with RAID-5

I have a server that was compromised. I've been doing lower level forensics on machines with single drives, but I don't know what I need to do to image a RAID array. I haven't seen the machine yet, so I can't give you any specifics about it. Can any of you guys give me an idea of what I need to do?

Thanks.

------------------------------------------------------
Hunter Ely
Network Security Analyst, Office of Computing Services
Louisiana State University
http://hunter.lsu.edu

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
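The procedure described in the reply above (dd image, then a restricted loopback mount on the forensic workstation), sketched as an added example that is not part of the original thread. The function names and paths are hypothetical, the image is written to a file rather than tape, and the SHA-256 check and the `nodev` option are additions not mentioned in the post.

```shell
#!/bin/sh
# Added example: image a logical volume with dd, record its hash,
# and mount the copy read-only. All names and paths are hypothetical.

# Print the SHA-256 of a file or block device.
hash_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# acquire_image SRC DEST
# Copy SRC to DEST with dd, confirm the copy matches the source, and
# write the hash to DEST.sha256 so later tampering can be detected.
acquire_image() {
    src=$1
    dest=$2
    dd if="$src" of="$dest" bs=64k 2>/dev/null || return 1
    src_hash=$(hash_of "$src") || return 1
    img_hash=$(hash_of "$dest") || return 1
    [ "$src_hash" = "$img_hash" ] || return 1
    printf '%s\n' "$img_hash" > "$dest.sha256"
}

# verify_image DEST
# Re-hash the image and compare with the hash recorded at acquisition.
verify_image() {
    [ -f "$1.sha256" ] || return 1
    [ "$(hash_of "$1")" = "$(cat "$1.sha256")" ]
}

# mount_evidence IMAGE MOUNTPOINT   (needs root)
# Loopback mount with the options named in the reply: read-only,
# no setuid, no execution. nodev is an addition, not from the post.
mount_evidence() {
    verify_image "$1" || { echo "hash mismatch: $1" >&2; return 1; }
    mount -o loop,ro,nosuid,noexec,nodev "$1" "$2"
}

# Typical use on the forensic workstation (constructed paths):
#   acquire_image /dev/sda1 /evidence/sda1.dd
#   mount_evidence /evidence/sda1.dd /mnt/evidence
```

The source hash only matches the image when the source is not being written to during the copy, so acquire from a quiesced or offline volume.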
This archive was generated by hypermail 2b30 : Fri May 10 2002 - 10:20:34 PDT