Re: Imaging a "live" system

From: crazytrain.com (subscribeat_private)
Date: Wed Jun 19 2002 - 11:50:45 PDT


    Quick update on my idea of a 'live system':
    
    There's a distinction between two kinds of live system that I should have explained: live with users connected and working as normal, and live as in it was live with users working but is now just up and running in its current state, with users having been told to cease activity that connects to the server, etc.
    
    The first scenario makes no sense to image as it's being changed too often, I agree.
    
    The second scenario is a bit different.  Users have been booted off the system, but it has not been shut down, nor have services been shut down. So it's live in the sense that network connectivity and processes are alive and well, but *hopefully* data movement is minimized as users have been removed from the equation.
    
    Does this help clarify?
    
    farmerdude
    
    
    
    > Craig,
    > 
    > Excellent points, all.
    > 
    > > the system that you're talking about 
    > > imaging has a number of active users 
    > 
    > Good assumption.  Also consider a system with
    > services, such as a web server, ftp server, etc.
    > 
    > > Even with really high data transfer rates it's going
    > > to take a good 20 
    > > mins to take the image of that system,
    > 
    > I've used the term "smear-shot", vice "snapshot", to
    > describe this...for exactly the reasons you pointed
    > out.  As the image is being made of the live system,
    > sectors that have already been copied may be altered. 
    > In such a case, you would end up with an image in
    > which the data isn't simply a snapshot of what was on
    > the drive at the time the system was shut down, but
    > rather "smeared" over the time interval of the imaging
    > process.
    > 
    > A reader of this list sent me email stating that there
    > are legal reasons for imaging a live system, but given
    > what you've specifically pointed out (and without
    > elaboration by that reader), I can't see how there
    > _would_ be any legal reason for doing so.
    > 
    > Carv
    > 
    > 
    > 
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
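The "smear-shot" the quoted reply describes, as an added simulation that is not part of the original thread: a toy block device is imaged sector by sector while writes keep landing, and per-sector hashes (an assumed acquisition practice, not something the thread mentions) show which sectors the image disagrees with against both the pre-imaging and the post-imaging state. All sector sizes, contents and write timings are constructed.

```python
import hashlib

SECTOR_SIZE = 4   # constructed: tiny sectors keep the illustration readable
NSECTORS = 8

def make_device(fill: bytes) -> list:
    """Toy block device: a list of fixed-size sectors (constructed)."""
    return [fill * SECTOR_SIZE for _ in range(NSECTORS)]

def image_live(device: list, writes: list) -> list:
    """Acquire an image sector by sector while writes keep landing.

    `writes` is a list of (after_sector, target_sector, data): once the
    imager has copied `after_sector`, `target_sector` is overwritten with
    `data`.  The device is modified in place, as a live system would be.
    Returns the acquired image.
    """
    image = []
    for i in range(NSECTORS):
        image.append(device[i])            # copy the current sector content
        for after, target, data in writes:
            if after == i:                 # activity interleaved with imaging
                device[target] = data
    return image

def sector_hashes(sectors: list) -> list:
    """Per-sector SHA-256 digests: a later re-read then shows exactly which
    sectors moved, not merely that the whole-disk hash no longer matches."""
    return [hashlib.sha256(s).hexdigest() for s in sectors]

def drifted_sectors(image: list, reread: list) -> list:
    """Indices of sectors whose imaged content differs from a re-read."""
    a, b = sector_hashes(image), sector_hashes(reread)
    return [i for i in range(len(a)) if a[i] != b[i]]

def smear_demo() -> dict:
    """One write hits a sector already copied, one hits a sector not yet
    copied: the image matches neither the before nor the after state."""
    device = make_device(b"A")
    before = list(device)                  # snapshot of the pre-imaging state
    writes = [(2, 1, b"B" * SECTOR_SIZE),  # sector 1 already imaged -> stale in image
              (2, 6, b"C" * SECTOR_SIZE)]  # sector 6 not yet imaged -> new data in image
    image = image_live(device, writes)
    return {"vs_before": drifted_sectors(image, before),
            "vs_after": drifted_sectors(image, device)}

if __name__ == "__main__":
    print(smear_demo())    # {'vs_before': [6], 'vs_after': [1]}
```

The non-empty lists in both directions are the point: no single moment exists at which the acquired image was the disk's actual content.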
    



    This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 14:02:42 PDT