RE: Imaging a "live" system

From: Bill Royds (sf-listsat_private)
Date: Fri Jun 21 2002 - 16:00:13 PDT


    That is how the Solaris snapshot file system works. Once you "freeze" the system, any further transactions on the set of files in your freeze set are sent to a secondary logical device which caches them and any altered sections of original file until the freeze is lifted, then reconciles the resulting transactions.
    
    It guarantees the integrity of a backup at the expense of more disk space and extra access time.
    
    Any request for a record on the frozen data set causes that record to be copied to the secondary file, acted upon by the transaction, then saved in the secondary. The original record is not changed or moved, but the SNAPFS has to do a lot of work copying, maintaining audit trails, etc. on updated records. It still beats a "smear" shot backup though.
    
    
    -----Original Message-----
    From: ed.crossleyat_private [mailto:ed.crossleyat_private]
    Sent: Thu June 20 2002 11:46
    To: forensicsat_private
    Subject: Re: Imaging a "live" system
    
    
    In-Reply-To: <3D10A42A.9070006at_private>
    
    Please forgive me with this, I'm not an expert like the rest of you ;)
    
    Could a read-only quarantine be put up around the drive to image? If read 
    requests are required by the system these are allowed. If the system needs 
    to write to the disk, could it be diverted to a secondary drive, with the 
    system assuming it has gone to the original? Then any request for data 
    written would come from the secondary device. In the meantime, the original 
    disk is imaged. Just a thought. Forgive me if it's a stupid one!!
    
    ----------        ---------------        -------------
    | system |<-------|             |<-------| hard disk |
    |        |------->|             |        |           |
    ----------        |             |        -------------
                      |   l i v e   |              ||
                      |             |              \/
                      | i m a g e r |        -------------
                      |             |        | i m a g e |
                      |             |        -------------
                      |             |
                      |             |------>|-------------|
                      |             |       |  secondary  |
                      |             |<------|   storage   |
                      |             |       |-------------|
                      ---------------
    
    Regards
    
    Ed
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Sat Jun 22 2002 - 16:03:06 PDT
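
Added example, not part of the original thread and not Solaris code: a small Python simulation of the write-diversion scheme discussed above, compared with a block-by-block "smear" copy taken while writes land in place. The class, function and constant names are hypothetical, and the four-block disk and its writes are constructed sample data.

```python
import hashlib

# Constructed sample: a four-block "disk" and two writes that land mid-copy.
SAMPLE = [b"AAAA", b"BBBB", b"CCCC", b"DDDD"]
WRITES = {1: (0, b"xxxx"), 2: (3, b"yyyy")}  # copy step -> (block index, data)

class FrozenVolume:
    """Redirect-on-write overlay; names are hypothetical, not Solaris APIs."""
    def __init__(self, blocks):
        self.original = list(blocks)  # the disk being imaged
        self.secondary = {}           # block index -> data written after freeze
        self.frozen = False

    def freeze(self):
        self.frozen = True

    def write(self, idx, data):
        if self.frozen:
            self.secondary[idx] = data  # diverted; original block untouched
        else:
            self.original[idx] = data

    def read(self, idx):
        # The live system sees its own post-freeze writes first.
        return self.secondary.get(idx, self.original[idx])

    def image_block(self, idx):
        # The imager bypasses the overlay and reads point-in-time data.
        return self.original[idx]

    def thaw(self):
        # Reconcile: replay diverted writes onto the original, drop the cache.
        for idx, data in sorted(self.secondary.items()):
            self.original[idx] = data
        self.secondary.clear()
        self.frozen = False

def digest(blocks):
    return hashlib.sha256(b"".join(blocks)).hexdigest()

def image_during_writes(vol, writes, use_freeze):
    """Copy block by block while `writes` land between block reads."""
    if use_freeze:
        vol.freeze()
    image = []
    for step in range(len(vol.original)):
        if step in writes:
            vol.write(*writes[step])
        image.append(vol.image_block(step) if use_freeze else vol.read(step))
    return image
```

With the freeze, the image hashes to the same value as the disk at freeze time while the live system still reads back its own writes; without it, the copy matches neither the before nor the after state of the disk.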