That is how the Solaris snapshot file system works. Once you "freeze" the system, any further transactions on the set of files in your freeze set are sent to a secondary logical device which caches them and any altered sections of original file until the freeze is lifted, then reconciles the resulting transactions. It guarantees the integrity of a backup at the expense of more disk space and extra access time. Any request for a record on the frozen data set causes that record to be copied to secondary file, acted up by transaction, then saved in secondary. The original record is not changed or moved, but the SNAPFS has to do a lot of work copying, maintains audit trails etc. on updated records. It still beats a "smear" shot backup though. -----Original Message----- From: ed.crossleyat_private [mailto:ed.crossleyat_private] Sent: Thu June 20 2002 11:46 To: forensicsat_private Subject: Re: Imaging a "live" system In-Reply-To: <3D10A42A.9070006at_private> Plase forgive me with this, im not an expert like the rest of you ;) could a read only quaranitne be put up around the drive to image. if read requests are required by the system these are allowed. If the system needs to write to the disk, could it be diverted to a secondary drive, with the system assuming it has gone to the original? then any request for data wrote would come from the secondary device. in the mean time, the original disk is imaged. Just a thought. Forgive me if its a stupid one!! ---------- --------------- ------------- | system |<-------| |<-------| hard disk | | |------->| | | | ---------- | | ------------- | l i v e | || | | \/ | i m a g e r | ------------- | | | i m a g e | | | ------------- | | | |------>|-------------| | | | secondary | | |<------| storage | | | |-------------| --------------- Regards Ed ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Jun 22 2002 - 16:03:06 PDT