Just a thought about imaging a "live" system:

Take the following scenario - the system that you're talking about imaging has a number of active users on it at any given time, those users are reading from, and writing to, the drive in that machine, and the drive in the machine is anything over a couple of gig, let's say 5Gb. Even with really high data transfer rates it's going to take a good 20 mins to take the image of that system. In that time the active users on the system will have written data to the drive, and the OS will also have written data to the drive (logs etc).

The image of the system that you end up with probably isn't going to be worth much, as I would suspect that large amounts of the data will be corrupt: by the time that the data in the last third of the drive is imaged, its content, and layout, will have changed to the point whereby it no longer matches up with its layout when the image was started (i.e. at the start of the image process a file resides in sectors 1, 23, 457, 1127, 28847, 28848, and 28856; by the time that the image is completed the file may have changed and may now reside in 2, 87, 332, 1127, 1128, 1129, and 1130 - none of your data pointers would be pointing to the correct place for the OS to find any part of the file).

Not quite sure if I'm explaining myself very well, but I think it illustrates the concept.

Any thoughts.....?

Craig

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
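Added example, not part of the original post: a toy Python model of the scenario described in the message, in which a sequential copy of a disk is taken while a file is rewritten into different blocks. The 64-block disk, the layout with the file's block list in block 0, and all function names are assumptions made for illustration.

```python
"""Toy model: sequential imaging of a disk that is written to mid-copy."""
import hashlib

BLOCKS = 64  # constructed toy disk; block 0 holds the file's block list


def make_disk():
    disk = [b"free"] * BLOCKS
    extents = [40, 41, 50]                  # file sits late on the disk
    for i, blk in enumerate(extents):
        disk[blk] = b"part%d-v1" % i
    disk[0] = ",".join(map(str, extents)).encode()  # the "data pointers"
    return disk


def rewrite_file(disk):
    """A user saves the file: new data goes to new blocks, old ones are freed."""
    old = [int(x) for x in disk[0].decode().split(",")]
    new = [10, 11, 12]
    for i, blk in enumerate(new):
        disk[blk] = b"part%d-v2" % i
    for blk in old:
        disk[blk] = b"free"
    disk[0] = ",".join(map(str, new)).encode()


def image(disk, write_at=None):
    """Copy blocks in order; optionally let the rewrite happen mid-copy."""
    out = []
    for n in range(BLOCKS):
        if n == write_at:
            rewrite_file(disk)
        out.append(disk[n])
    return out


def read_file(img):
    """Follow the pointers stored in block 0 of an image."""
    return [img[int(x)] for x in img[0].decode().split(",")]


def digest(blocks):
    return hashlib.sha256(b"|".join(blocks)).hexdigest()


def acquire(write_at=None):
    """Return (source hash before, image hash, source hash after, file as read from image)."""
    disk = make_disk()
    before = digest(disk)
    img = image(disk, write_at)
    return before, digest(img), digest(disk), read_file(img)
```

With no write during the copy, the three hashes agree and the file reads back intact. With the rewrite at block 20, the image holds the old pointers but neither the old nor the new file content, and its hash matches neither state of the source.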
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 09:46:01 PDT