This makes me think of LiveVault. It is backup software that uses an agent to send byte (or bit) level changes to a remote backup of a system. It is not an image, since unallocated areas are not "backed up", but a history is kept and a machine can be restored to a point in time. If it could be altered for forensic instead of admin use, it gets fairly close to what you are thinking of. I don't know which OSes it works on; I haven't looked at it in a while.

Michael Burnette
Rogers & Hardin LLP
Atlanta, GA

-----Original Message-----
From: Jason Robertson [mailto:jasonat_private]
Sent: Wednesday June 19, 2002 8:37 PM
To: forensicsat_private
Subject: Re: Imaging a "live" system

Would this not be a possible way to maintain a live image of a system, through something like a journalled file system? Though again, this could be better if you could design a file system with a few things.

First, an Overlay Filesystem (there are 2 OFSes that do exist; both are still lacking, due to implementation problems, which could be solved by making a virtual file system, like a RAID 5 system). In the most basic sense, you would have the primary medium be a read-only system, e.g. some of the old Seagate HDs had a read-only pin, or CD-R. Then you would overlay that file system with a RW file system, so that you could update and change files, and this would not cause problems with the base system, and if it is done right you could in theory rebuild the RO version on a regular basis.

Now the next thing to add to this is a transaction log, as found in an SQL database. Transactions could therefore be rolled back, but this could be done on a WORM style of medium, so all changes are one way, keeping a record of actions.

If anyone steals my idea, at least give me credit for it, such as "Thanks for nothing, Jason" j/k

jason

--
Jason Robertson
Now at the National Research Council.
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This message and any attachments are intended for the use of the addressee(s) only and may be confidential and covered by the attorney/client and other privileges. If the reader is not the intended recipient, DO NOT READ, notify sender and delete this message. In addition, be aware that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited.
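The read-only base, write overlay and one-way transaction log described in the quoted message above, as an added example that is not part of either message. The class name, the 16-byte block size and the SHA-256 hash chain (a software stand-in for WORM media that makes edits to the log detectable) are assumptions of this sketch.

```python
import hashlib

BLOCK = 16  # assumed block size, kept tiny so the constructed sample is readable

def _link(prev: str, seq: int, block_no: int, data: bytes) -> str:
    # Each journal record commits to the previous one, so edits or deletions show up.
    return hashlib.sha256(f"{prev}:{seq}:{block_no}:".encode() + data).hexdigest()

class OverlayVolume:
    """Read-only base image plus an append-only journal of block writes."""

    def __init__(self, base: bytes):
        if not base or len(base) % BLOCK:
            raise ValueError("base must be a non-empty whole number of blocks")
        self._base = bytes(base)   # stands in for the RO medium; never rewritten
        self._root = hashlib.sha256(self._base).hexdigest()
        self.journal = []          # stands in for the WORM log: (seq, block_no, data, link)

    def write(self, block_no: int, data: bytes) -> int:
        if len(data) != BLOCK or not 0 <= block_no < len(self._base) // BLOCK:
            raise ValueError("write must be one full block inside the volume")
        prev = self.journal[-1][3] if self.journal else self._root
        seq = len(self.journal) + 1
        self.journal.append((seq, block_no, bytes(data), _link(prev, seq, block_no, data)))
        return seq

    def image_at(self, seq=None) -> bytes:
        """Volume contents after the first `seq` writes (None = current state)."""
        blocks = [self._base[i:i + BLOCK] for i in range(0, len(self._base), BLOCK)]
        for s, block_no, data, _ in self.journal:
            if seq is not None and s > seq:
                break
            blocks[block_no] = data
        return b"".join(blocks)

    def verify(self) -> bool:
        """Recompute the hash chain from the base image through every record."""
        prev = self._root
        for i, (seq, block_no, data, link) in enumerate(self.journal, start=1):
            if seq != i or link != _link(prev, seq, block_no, data):
                return False
            prev = link
        return True

if __name__ == "__main__":
    vol = OverlayVolume(b"A" * 16 + b"B" * 16 + b"C" * 16)   # constructed sample
    vol.write(1, b"x" * 16); vol.write(2, b"y" * 16); vol.write(1, b"z" * 16)
    print(vol.image_at(1), vol.image_at(), vol.verify())
```

Rolling back here means replaying fewer journal records over the untouched base; nothing is ever removed from the log, so the full history of writes stays available for examination.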
This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 06:51:33 PDT