Analyze a SAN Storage


Post #1 by obi-wan (New Member, Sep 3, 2006)
Hi there,
I have just got my new 6 TByte SAN box in our company and I am thinking now on how the hell I will do a forensic image of it.

The normal way is to image each disk itself (16 x 500 GB).

But what will happen when there is a case on a, let me say, 20 TByte SAN storage?

How should it be handled?
The other point is, it takes a very huge amount of time to image it, then to copy, verify and analyze the disk.

For my thought it would be, let me say, "impossible".

Or does someone know a better way?


May the force be with u
Obi Wan
 

Post #2 by selil (New Member, Sep 11, 2006)
I'm actually involved in some research on this issue. As the image sizes increase, the storage required for the image increases, and the likelihood is that a simple hash will take longer than the investigator has lifetime.

FoNet is a distributed forensics system that allows you to break up the job and run it in a distributed environment. There are a couple of other solutions but nothing mainstream at this point. What I'm currently working on is a system where you might have a "huge" image or system and you wanted to create a forensic image. The image process is basically a time=N*size problem, where the time to complete is bits per second multiplied by the number of bits. Pretty linear. The analysis phase is another issue. It is a solvable problem, as we've all done it, right? Except when the sizes get really large. Some of the index requests take a minute or more on a 250 GB disk (when carving, looking for text strings, etc.). The distributed systems can take that down to tenths of seconds. What I'm doing is building a distributed environment that you could load an image to from "anywhere", and have it indexed and analyze it where you are. It would also allow for multiple investigators to work on one case "at the same time". The new science within this problem is the distributed collaborative environment to work with enterprise-level systems.


A paper laying out the issues of forensics in large environments:
cit.uws.edu.au/compsci/computerforensics/Technical%2520Reports/Blankenhorn2005.doc

Here's a paper on the performance issues:
dfrws.org/2004/bios/day2/Golden-Perfromance.pdf

Another good paper on performance issues:
utica.edu/academic/institutes/ecii/publications/articles/A0B57A8C-B6FD-092A-4D06F7039867505D.pdf
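As an added illustration of the "break the job up" idea in this post (example code, not from the thread, from FoNet, or from any of the linked papers): instead of one monolithic hash over a multi-terabyte image, hash it in fixed-size pieces in parallel, so verification can be split across workers and a bad piece can be re-read or re-acquired on its own. The image file `san_lun.dd`, its 3.5 MiB size and the corrupted byte are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from concurrent.futures import ThreadPoolExecutor

PIECE = 1 << 20        # 1 MiB pieces for the demo; real cases use far larger pieces
READ_BLOCK = 1 << 16   # read granularity inside one piece


def hash_piece(path, offset, length):
    """SHA-256 of one piece. Each call opens its own handle so pieces can be
    hashed concurrently; hashlib releases the GIL while digesting, so threads
    give real parallelism here."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        f.seek(offset)
        remaining = length
        while remaining > 0:
            buf = f.read(min(READ_BLOCK, remaining))
            if not buf:            # last piece may be short
                break
            h.update(buf)
            remaining -= len(buf)
    return offset, h.hexdigest()


def piecewise_hash(path, piece=PIECE, workers=4):
    """Return a sorted list of (offset, sha256) covering the whole file."""
    offsets = range(0, os.path.getsize(path), piece)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(hash_piece, path, off, piece) for off in offsets]
        return sorted(f.result() for f in futures)


def damaged_pieces(path, expected, piece=PIECE, workers=4):
    """Re-hash and return the offsets whose digest no longer matches."""
    current = dict(piecewise_hash(path, piece, workers))
    return [off for off, digest in expected if current.get(off) != digest]


def demo():
    """Constructed sample: a 3.5 MiB 'image' of deterministic content, then one
    byte flipped inside piece 2. Returns (piece count, offsets that changed)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "san_lun.dd")
        with open(img, "wb") as f:
            f.write(bytes(range(256)) * (3584 * 4))   # exactly 3.5 MiB
        baseline = piecewise_hash(img)
        with open(img, "r+b") as f:
            f.seek(2 * PIECE + 4242)
            f.write(b"\xff")                           # original byte there is 0x92
        return len(baseline), damaged_pieces(img, baseline)
```

Only the piece whose digest changed needs attention; the other pieces stay verified without touching the rest of the image again.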
 

Post #3 by obi-wan (New Member, Sep 3, 2006)
Hello selil
That sounds good. Thanks for the reply.
I will read the papers you attached.


May the force be with you
Obi-Wan
 

Post #4 by az_gcfa (New Member, Nov 30, 2006)
Imaging SAN

First off, you need to do some research. The majority of SANs are not configured as JBOD or one big filesystem. A SAN administrator will more than likely allocate different sections (groups of disks) to particular functions. Plus, the SAN will probably be installed with some type of RAID configuration. Depending upon the disk allocations and RAID configurations you may be imaging only a small section of the RAID.

Next, if you have sufficient disk to image the raw devices, that is the appropriate or fail-safe way. However, you can also image the logical filesystem (allow the RAID hardware to reconstruct the data chunks). You can use dd but supply the logical volume name. You can also image the filesystem, but you will lose the free space. The higher you traverse up the interface tree, the less granularity you get.
 

Post #5 by Rudy (New Member, Feb 1, 2007)
Admittedly a newbie here... but it seems to me that any company with a SAN will (OK, at least they should...) also have a disaster recovery (DR) scheme for that data store. Either using snap-mirror to another section within the array, or typically to another array off-site. Or pick a removable media DR scheme....

The part I'm uncertain of is, for CF purposes, would analysis of the disaster recovery image be sufficient? I know it does not address the scale / time required issue...
 

Post #6 by az_gcfa (New Member, Nov 30, 2006)
CF and SAN

No, with qualifications! Depending upon your DRP it will be a snapshot of a particular point in time. You should use the most current dataset. Now that I've climbed out on the limb, you will probably want to analyze the DR dataset as well. For example: when researching e-mail history, the DR dataset may contain e-mail data, log records, or temporary files not available in the current active dataset. Actually, you may feel compelled to review several cycles of backups.

Depending upon the case, need and availability of data, you may have to review several years of backups or use the current SAN dataset only. Your case parameters and resources will/should drive your investigation.
 
