Re: Imaging a "live" system

From: Benjamin Krueger (benjaminat_private)
Date: Fri Jun 21 2002 - 07:17:47 PDT


    >> -----Original Message-----
    >> From: Craig Earnshaw [mailto:Craig.Earnshawat_private]
    >> Sent: Wed June 19 2002 11:33
    >> To: H C
    >> Cc: Estes, Matt PEO EIS CPR / FCBS; 'Mark Menz';
    >> forensicsat_private
    >> Subject: Re: Imaging a "live" system
    >>
    >>
    >> Just a thought about imaging a "live" system:
    >>
    >> Take the following scenario - the system that you're talking about
    >> imaging has a number of active users on it at any given time, those
    >> users are reading from, and writing to, the drive in that machine, and
    >> that the drive in the machine is anything over a couple of gig, let's say
    >> 5Gb.
    >>
    [ ... ]
    >>
    >> Any thoughts.....?
    >>
    >> Craig
    
    * Bill Royds (sf-listsat_private) [020619 17:47]:
    > Interestingly, the latest versions of Sun's Solaris OS(Solaris 8 Feb02 
    > and Solaris 9) have OS capabilities to truly make a snapshot on a running 
    > system. When a command for a snapshot is given, the OS creates a separate 
    > file image for all new transactions of given files. When the "freeze" is 
    > lifted, the OS merges data from the two images together. It was devised 
    > to allow online backup but it certainly would help forensic analysis of 
    > "live" systems.
    > 
    > From Solaris 9 What's new:
    > 
    > UFS Snapshots (fssnap)
    > 
    > You can use the fssnap command to create a snapshot of a file system. A 
    > snapshot is a file system's temporary image that is intended for backup 
    > operations.
    > 
    > When the fssnap command is run, it creates a virtual device and a 
    > backing-store file. You can back up the virtual device, which looks and 
    > acts like a real device, with any of the existing Solaris backup commands. 
    > The backing-store file is a bitmapped file that contains copies of 
    > pre-snapshot data that has been modified since the snapshot was taken.
    > 
    > See the System Administration Guide: Basic Administration and the man page, 
    > fssnap(1M), for more information.
    > 
    > 
    > It would be nice if other OSes had similar facilities.
    
      A number of operating systems are currently developing, or already
    include, snapshot capabilities for their filesystems.
    
      The FreeBSD development team is currently working on UFS snapshot 
    capabilities for FreeBSD 5.0, slated to release in November of this 
    year. Linux systems running kernel 2.4 and LVM filesystems offer
    snapshot capabilities. I also believe Veritas' vxfs offers snapshot 
    capabilities, which would include Solaris and HP-UX. 
    
    -- 
    Benjamin Krueger
    
    "Life is far too important a thing ever to talk seriously about."
    - Oscar Wilde (1854 - 1900)
    ----------------------------------------------------------------
    Send mail w/ subject 'send public key' or query for (0x251A4B18)
    Fingerprint = A642 F299 C1C1 C828 F186  A851 CFF0 7711 251A 4B18
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
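
The copy-on-write mechanism the quoted Solaris "What's New" text describes (a virtual snapshot device backed by a bitmapped backing-store file holding pre-snapshot copies of modified blocks) is what lets an examiner image a consistent view of a busy filesystem. The following is an added toy model written for this archive page, not Solaris, FreeBSD or LVM code; the class name, block layout and sample data are constructed. It shows why the snapshot image hashes identically before and after live writes, and why the backing store only grows by the number of distinct blocks changed since the freeze.

```python
import hashlib

# Toy model of an fssnap/LVM-style copy-on-write snapshot (constructed example,
# not real kernel code). A "device" is a list of fixed-size blocks.
class CowSnapshotDevice:
    def __init__(self, blocks):
        self.live = [bytes(b) for b in blocks]   # the real, mutable device
        self.backing = {}                          # backing store: index -> pre-snapshot copy
        self.bitmap = [False] * len(blocks)        # which blocks have been copied out
        self.frozen = False

    def snapshot(self):
        """Take the snapshot: an empty backing store and a cleared bitmap."""
        self.backing = {}
        self.bitmap = [False] * len(self.live)
        self.frozen = True

    def write(self, index, data):
        """Live write. The first write to a block after the snapshot copies
        the old contents into the backing store; later writes to the same
        block do not touch the backing store again."""
        if self.frozen and not self.bitmap[index]:
            self.backing[index] = self.live[index]
            self.bitmap[index] = True
        self.live[index] = bytes(data)

    def read_snapshot(self, index):
        """Read through the virtual snapshot device: backing-store copy if the
        block changed, otherwise the unchanged live block."""
        if self.bitmap[index]:
            return self.backing[index]
        return self.live[index]

    def image_snapshot(self):
        """What a backup or imaging tool reads from the virtual device."""
        return b"".join(self.read_snapshot(i) for i in range(len(self.live)))

    def image_live(self):
        """What a naive dd of the live device would read at this instant."""
        return b"".join(self.live)

    def release(self):
        """Lift the freeze: the backing store is discarded; the live device
        already holds the current data (assumption of this toy model)."""
        self.backing = {}
        self.bitmap = [False] * len(self.live)
        self.frozen = False


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def demo():
    """Image a snapshot while users keep writing; return the evidence an
    examiner would record. Sample blocks are constructed."""
    dev = CowSnapshotDevice([b"aaaa", b"bbbb", b"cccc", b"dddd"])
    dev.snapshot()
    hash_at_freeze = sha256_hex(dev.image_snapshot())

    # Concurrent activity after the freeze: two writes to block 1, one to block 3.
    dev.write(1, b"XXXX")
    dev.write(3, b"ZZZZ")
    dev.write(1, b"YYYY")

    hash_after_writes = sha256_hex(dev.image_snapshot())
    return {
        "snapshot_hash_stable": hash_at_freeze == hash_after_writes,
        "snapshot_image": dev.image_snapshot(),
        "live_image": dev.image_live(),
        "backing_store_blocks": sorted(dev.backing),
        "backing_store_bytes": sum(len(b) for b in dev.backing.values()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two properties carry over to real deployments: the snapshot image is immutable for as long as the snapshot exists, so a hash taken at acquisition time can be reverified later, and the backing store (or LVM snapshot volume) must be sized for the volume of writes expected during the imaging window, since running it full invalidates the snapshot.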
    