Interestingly, the latest versions of Sun's Solaris OS (Solaris 8 Feb02 and Solaris 9) have OS capabilities to truly make a snapshot on a running system. When a command for a snapshot is given, the OS creates a separate file image for all new transactions of given files. When the "freeze" is lifted, the OS merges data from the two images together. It was devised to allow online backup, but it certainly would help forensic analysis of "live" systems.

From Solaris 9 What's New:

UFS Snapshots (fssnap)

You can use the fssnap command to create a snapshot of a file system. A snapshot is a file system's temporary image that is intended for backup operations. When the fssnap command is run, it creates a virtual device and a backing-store file. You can back up the virtual device, which looks and acts like a real device, with any of the existing Solaris backup commands. The backing-store file is a bitmapped file that contains copies of pre-snapshot data that has been modified since the snapshot was taken. See the System Administration Guide: Basic Administration and the man page, fssnap(1M), for more information.

It would be nice if other OSes had similar facilities.

-----Original Message-----
From: Craig Earnshaw [mailto:Craig.Earnshawat_private]
Sent: Wed June 19 2002 11:33
To: H C
Cc: Estes, Matt PEO EIS CPR / FCBS; 'Mark Menz'; forensicsat_private
Subject: Re: Imaging a "live" system

Just a thought about imaging a "live" system:

Take the following scenario - the system that you're talking about imaging has a number of active users on it at any given time, those users are reading from, and writing to, the drive in that machine, and the drive in the machine is anything over a couple of gig, let's say 5Gb. Even with really high data transfer rates it's going to take a good 20 mins to take the image of that system; in that time the active users on the system will have written data to the drive, and the OS will also have written data to the drive (logs etc).

The image of the system that you end up with probably isn't going to be worth much, as I would suspect that large amounts of the data will be corrupt: by the time that the data in the last third of the drive is imaged, its content, and layout, will have changed to the point whereby it no longer matches up with its layout when the image was started (i.e. at the start of the image process a file resides in sectors 1, 23, 457, 1127, 28847, 28848, and 28856; by the time that the image is completed the file may have changed and may now reside in 2, 87, 332, 1127, 1128, 1129, and 1130 - none of your data pointers would be pointing to the correct place for the OS to find any part of the file).

Not quite sure if I'm explaining myself very well, but I think it illustrates the concept.

Any thoughts.....?

Craig

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
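As an added illustration, not part of the original thread and not Solaris code, the following simulation makes both points above concrete: the mixed-state image Craig describes when blocks are copied from a device that is still being written to, and the copy-on-write backing store (the mechanism fssnap's "backing-store file" is built on) that hands the imager a frozen view. The Disk and CowSnapshot classes, the busy_system workload and the block/size constants are all constructed stand-ins; nothing touches a real device.

```python
"""Simulation of the problem with imaging a mounted, in-use disk, and of
how a copy-on-write snapshot (the idea behind Solaris fssnap) sidesteps it.

Constructed example: a fake disk of fixed-size blocks and a fake workload
that keeps writing while the "imager" copies blocks in order. Nothing here
touches a real device or runs the real fssnap command.
"""
import hashlib

BLOCK_SIZE = 16   # constructed: tiny blocks keep the model readable
NUM_BLOCKS = 64


class Disk:
    """A flat array of blocks standing in for a raw device."""

    def __init__(self, num_blocks=NUM_BLOCKS):
        self.blocks = [bytes([i]) * BLOCK_SIZE for i in range(num_blocks)]

    def read(self, n):
        return self.blocks[n]

    def write(self, n, data):
        self.blocks[n] = data

    def image(self):
        return b"".join(self.blocks)


class CowSnapshot:
    """Copy-on-write view of a disk, frozen at the moment it was created.

    Modelled on fssnap's backing-store file: the first write to a block
    after the snapshot saves the pre-snapshot copy of that block; reads
    through the snapshot prefer the saved copy, so the view stays constant
    while the live disk keeps changing underneath it.
    """

    def __init__(self, disk):
        self.disk = disk
        self.backing_store = {}  # block number -> pre-snapshot contents

    def write(self, n, data):
        if n not in self.backing_store:
            self.backing_store[n] = self.disk.read(n)
        self.disk.write(n, data)

    def read(self, n):
        return self.backing_store.get(n, self.disk.read(n))


def busy_system(write, step):
    """Constructed workload: every third step a user or the OS writes a block."""
    if step % 3 == 0:
        write((7 * step + 3) % NUM_BLOCKS, bytes([0x80 + step]) * BLOCK_SIZE)


def copy_blocks(read, write, num_blocks=NUM_BLOCKS):
    """Image the device block by block while the system keeps running.

    Between copying block n and block n+1 the workload gets to write, which
    is exactly the window Craig's scenario describes.
    """
    copied = []
    for n in range(num_blocks):
        copied.append(read(n))
        busy_system(write, n)
    return b"".join(copied)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_approaches():
    """Run the same workload against a naive live image and a snapshot image."""
    # 1. Naive: read straight from the live device while it is in use.
    live = Disk()
    at_start = live.image()
    naive_image = copy_blocks(live.read, live.write)
    at_end = live.image()

    # 2. Snapshot: freeze first, then read through the snapshot.
    disk = Disk()
    snap = CowSnapshot(disk)
    frozen = disk.image()
    snapshot_image = copy_blocks(snap.read, snap.write)

    return {
        # The naive image matches neither the state when imaging began ...
        "naive_matches_start": sha256(naive_image) == sha256(at_start),
        # ... nor the state when it finished: it is a mixture of both.
        "naive_matches_end": sha256(naive_image) == sha256(at_end),
        # The snapshot image is exactly the state at freeze time ...
        "snapshot_matches_frozen": sha256(snapshot_image) == sha256(frozen),
        # ... even though the underlying disk kept changing meanwhile.
        "disk_changed_under_snapshot": disk.image() != frozen,
        # Only blocks that were actually written occupy the backing store.
        "backing_store_blocks": len(snap.backing_store),
    }


if __name__ == "__main__":
    for key, value in compare_approaches().items():
        print(f"{key}: {value}")
```

The hash comparison mirrors what an examiner would do with a real image: a naive copy of a live device hashes to something that corresponds to no state the disk was ever in, so neither a later re-image nor the live system can confirm it. The snapshot copy hashes to the frozen state, and the backing store stays small because it only ever holds the pre-snapshot copy of blocks that were overwritten after the freeze.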
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 17:45:24 PDT