Re: Stand-alone Hard Drive Duplicating Devices

From: Alvin Oga (alvin.secat_private-Consulting.com)
Date: Wed Jun 19 2002 - 01:44:26 PDT

Next message: H C: "RE: Imaging a "live" system"

Previous message: Martin Mačok: "Re: Audit Logs as submissible evidence."
In reply to: J Jewitt: "Stand-alone Hard Drive Duplicating Devices"
Next in thread: Darren Welch: "Re: Stand-alone Hard Drive Duplicating Devices"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

hi ya j

easiest way to clone systems ...

assuming you have a master(original) disk  /dev/hda 
assuming your clone is /dev/hdc

cloning scripts are here...
	http://www.Linux-Consulting.com/Boot/Linux-1U/

	
a.  fdisk  /dev/hdc
	( fdisks.sh )

b.  copy directories to /dev/hdc
	( clone.sh )

	mount /dev/hdc1 /mnt/hdc1
	cd / ; tar cf - boot root bin sbin etc dev lib \
	| ( cd /mnt/hdc1 ; tar xvfp - )

	... repeat for other partitions like
	/usr, /var


	- dont forget to tchange the hostname/domainname/ip#
	on the clone

c.  run lilo to make the clone bootable
	( i just use a boot floppy to boot the clone )

	- or run lilo to dump into /dev/hdc disk
	which will boot as hda when its used

takes about 10-30 minutes to clone ..dpending ony our 
duplicating station cpu/memory speeds

c ya
alvin


On Tue, 18 Jun 2002, J Jewitt wrote:

> 
>    All,
>   A few months ago, a post came through asking about
> forensic duplication devices. I'd like to revisit that
> issue.
>   My organization has a need to be able to quickly
> duplicate hard drives for forensic purposes, and we're
> now exploring these devices as an option.
>   We have a system in our forensics lab which uses
> Trinux (and soon Biatchux) to duplicate as well, so
> those paths have already been explored.
>   Analysis of the image is typically done using
> Encase. Encase can support a raw dd-type image or
> capture from the original hard drive.
> 
>   These are my requirements:
>   1. Support for SCSI and IDE hard drives
>   2. Fairly fast duplication (approx 1 G/min)
>   3. Claim of forensic-quality capabilities
>   4. Methodology does not rely on duplicating to hard
> drive with identical geometry.
>   5. Source drive write blocking by default.
>   6. Nice to have: optional evidence tag printer, hash
> or checksum generator.
>   7. Must be very portable.
> 
> We've looked at the following products, at their web
> site:
> 
> www.ics-iq.com          Solo Product Line
> www.logicube.com        Forensic SF5000
> 
> Does anyone have EXPERIENCE with a device like the
> above, and is willing to recommend it?
> 
>      Thanks in advance,
>        J Jewitt


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: H C: "RE: Imaging a "live" system"
Previous message: Martin Mačok: "Re: Audit Logs as submissible evidence."
In reply to: J Jewitt: "Stand-alone Hard Drive Duplicating Devices"
Next in thread: Darren Welch: "Re: Stand-alone Hard Drive Duplicating Devices"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 08:11:21 PDT