±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 33838
New Yesterday: 2 Visitors: 164

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Imaging technique using a NAS

Discussion of forensic workstations, write blockers, bridges, adapters, disk duplicators, storage etc. Strictly no advertising of commercial products, please.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2  Next 
  

Imaging technique using a NAS

Post Posted: Thu Apr 12, 2018 11:38 am

Good day everyone. Just to give a quick prelude to my question. We currently image multiple desktops/laptops on client site using a custom built forensic linux distro that allows us to create EnCase compatible images of the target machine. The way we do it now, is that we attach an external HD to each system and perform the imagining individually.

I would like to know how I can image using a NAS drive. Let's say I would get a NAS of about 10Tb, would I be able to image about 8 individual systems to that same NAS simultaneously and would i still be able to achieve the same performance as when I was using an individual HD for each of those target machines?

Another question is going to be on storage of those image files. After I bring the NAS back to the Lab, would I store copies of the images somewhere on a storage server, and create a working copy for processing? What are the back up options i should be considering?

Thanks.  

sovietpecker
Member
 
 
  

Re: Imaging technique using a NAS

Post Posted: Thu Apr 12, 2018 12:36 pm

Most NAS boxes run a Linux software raid known as LVM.
If you attach the drives to a Linux machine with the MDADM software installed on it, you can rebuild the RAIDs from the attached disks and image the volumes using Guymager or similar tools.
This will change a very small amount of data on the disk, not user data but data nonetheless.
Write access is required to mount the drives, but you could try it with write blockers that 'cache' writes and see if it works.
Alternatively image all the disks and try and rebuild back at your main office.  

minime2k9
Senior Member
 
 
  

Re: Imaging technique using a NAS

Post Posted: Thu Apr 12, 2018 3:56 pm

- minime2k9
Most NAS boxes run a Linux software raid known as LVM.
If you attach the drives to a Linux machine with the MDADM software installed on it, you can rebuild the RAIDs from the attached disks and image the volumes using Guymager or similar tools.
This will change a very small amount of data on the disk, not user data but data nonetheless.
Write access is required to mount the drives, but you could try it with write blockers that 'cache' writes and see if it works.
Alternatively image all the disks and try and rebuild back at your main office.


Thank you for your reply. However, I was actually asking how I can image using the NAS as the destination and not the source.  

sovietpecker
Member
 
 
  

Re: Imaging technique using a NAS

Post Posted: Thu Apr 12, 2018 4:23 pm

I have a Synology DS 1817+ (https://www.synology.com/en-us/products/DS1817+) with eight 1 terabyte SSD drives.

I do not have the DS 1817+ RAIDed so that I have a total of 8TB of storage capacity.

Currently I use the Synology to store forensic databases, which works very well.

Basically I will plug in an external USB drive holding the forensic image file to one of my forensic workstations, and then create the forensic database (Forensic Explorer, OSForensics, Axiom) to the Synology machine. This setup allows my multiple forensic workstations to all connect to Synology and access the forensic databases stored there.

I do not see why you could not write forensic image files to a Synology's internal individual drives at the same time if you wanted to.  

UnallocatedClusters
Senior Member
 
 
  

Re: Imaging technique using a NAS

Post Posted: Thu Apr 12, 2018 4:51 pm

- minime2k9
This will change a very small amount of data on the disk, not user data but data nonetheless.


This is a dangerous assumption. It is possible that the activation of a software RAID volume will change gigabytes of user data.  

thefuf
Senior Member
 
 
  

Re: Imaging technique using a NAS

Post Posted: Thu Apr 12, 2018 7:08 pm

I think you will find writing 8 streams of data to a NAS device will be very slow. Reading is potentially fast but writing will involve a very large amount of head movement on the NAS drives.

One to one is in my experience likely to be the fastest solution.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 

mscotgrove
Senior Member
 
 
  

Re: Imaging technique using a NAS

Post Posted: Fri Apr 13, 2018 5:56 am

- thefuf
- minime2k9
This will change a very small amount of data on the disk, not user data but data nonetheless.


This is a dangerous assumption. It is possible that the activation of a software RAID volume will change gigabytes of user data.


In what scenarios are you talking about?  

minime2k9
Senior Member
 
 

Page 1 of 2
Go to page 1, 2  Next