
SAN units

Beetle
(@beetle)
Posts: 318
Reputable Member
Topic starter
 

Anyone have any tips or can point me at previewing a SAN in the field?

 
Posted : 09/06/2009 1:24 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Preview, how? What are you looking for in a preview?

 
Posted : 09/06/2009 1:30 am
jhup
(@jhup)
Posts: 1442
Noble Member
 

Most SAN managers allow viewing of the connection to physical and logical drives. Is that what you mean preview?

 
Posted : 09/06/2009 2:08 am
(@gkelley)
Posts: 128
Estimable Member
 

Anyone have any tips or can point me at previewing a SAN in the field?

If you are looking to get a directory listing of data on a SAN including some of the metadata, I would look at using LogParser. If run correctly, it will not change the last accessed date/time of the files it is scanning (even if it is asked to create an MD5 hash of each file).

 
Posted : 09/06/2009 6:53 pm
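As an added illustration of the metadata listing gkelley describes (this is not LogParser and not any poster's code): a Python inventory that captures each file's stat() metadata before it is opened for hashing and then flags any file whose access time the read disturbed. It assumes the SAN volume is already mounted on the examiner's host, and uses the Linux-only O_NOATIME open flag where available.

```python
import hashlib
import os
import stat
import tempfile

# Hypothetical helper (not LogParser): inventory a mounted volume, recording
# stat() metadata BEFORE each read and flagging reads that altered atime/mtime.

def _open_read_only(path):
    # O_NOATIME (Linux only) asks the kernel not to update atime; it needs file
    # ownership or CAP_FOWNER, so fall back to a plain read-only open otherwise.
    noatime = getattr(os, "O_NOATIME", 0)
    try:
        return os.open(path, os.O_RDONLY | noatime)
    except PermissionError:
        return os.open(path, os.O_RDONLY)

def md5_file(path, chunk=1 << 20):
    h = hashlib.md5()
    with os.fdopen(_open_read_only(path), "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(root):
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            before = os.lstat(path)            # metadata captured before any read
            if not stat.S_ISREG(before.st_mode):
                continue                       # skip symlinks, devices, sockets
            digest = md5_file(path)
            after = os.lstat(path)             # re-stat to detect timestamp churn
            records.append({
                "path": os.path.relpath(path, root),
                "size": before.st_size,
                "mtime_ns": before.st_mtime_ns,
                "atime_ns": before.st_atime_ns,
                "md5": digest,
                "atime_changed": after.st_atime_ns != before.st_atime_ns,
                "mtime_changed": after.st_mtime_ns != before.st_mtime_ns,
            })
    return sorted(records, key=lambda r: r["path"])

def demo():
    # Constructed sample tree standing in for a SAN volume mounted on the host.
    root = tempfile.mkdtemp(prefix="san_preview_")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"hello")
    return inventory(root)
```

A record with `atime_changed` set to True tells you the mount (or the open flags) did not prevent access-time updates, which is the condition the post's LogParser remark is about.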
Beetle
(@beetle)
Posts: 318
Reputable Member
Topic starter
 

We 'preview' systems in the field to see if the data is covered during the execution of a warrant. Usually for standalone systems we use EnCase and the Helix boot disk to run LinEn and attach to the drive so we can examine and search the data before we seize the machine. We are looking for a similar/simple way to look at a SAN forensically before seizure.

 
Posted : 09/06/2009 11:16 pm
(@gkelley)
Posts: 128
Estimable Member
 

Tools such as Paraben's P2 Commander, Technology Pathways ProDiscover IR, GSI's EnCase FIM and F-Response's Field Kit Edition allow one to connect over a network to another computer and preview the files and folders contained on the computer. A computer that is part of a SAN will see the remote storage devices as local drive letters, so you should be able to preview them using one or all of these tools. But I would recommend trying before buying.

 
Posted : 09/06/2009 11:52 pm
Beetle
(@beetle)
Posts: 318
Reputable Member
Topic starter
 

Tools such as Paraben's P2 Commander, Technology Pathways ProDiscover IR, GSI's EnCase FIM and F-Response's Field Kit Edition allow one to connect over a network to another computer and preview the files and folders contained on the computer. A computer that is part of a SAN will see the remote storage devices as local drive letters, so you should be able to preview them using one or all of these tools. But I would recommend trying before buying.

We are _very_ averse to attaching in any type of writeable mode, so I don't think these types of solutions would be received favourably by my superiors. Any other ideas?

 
Posted : 10/06/2009 2:41 am
(@gkelley)
Posts: 128
Estimable Member
 

Tools such as Paraben's P2 Commander, Technology Pathways ProDiscover IR, GSI's EnCase FIM and F-Response's Field Kit Edition allow one to connect over a network to another computer and preview the files and folders contained on the computer. A computer that is part of a SAN will see the remote storage devices as local drive letters, so you should be able to preview them using one or all of these tools. But I would recommend trying before buying.

We are _very_ averse to attaching in any type of writeable mode, so I don't think these types of solutions would be received favourably by my superiors. Any other ideas?

All the tools I mentioned tout that they do not have the ability to write to the source drive. That being said, the source computer does need to be running and therefore the source computer (not your examination machine) could be writing to those drives.

If you are looking for a scenario where neither your computer nor the source computer can write to the drives, your choices are

1. A *Nix box that can mount the remote attached storage device in a read-only manner. But that requires you to disconnect the remote attached storage device from the owner's computer and attach it to your *Nix box.

2. Pull each drive out of the remote attached storage device and hook each of them up with write blockers to a computer. Use EnCase to rebuild the RAID and then preview it that way. Again, this requires taking the remote attached storage device off-line.

There may be other solutions, but those are the only two I can think of right now.

 
Posted : 10/06/2009 2:52 am
(@nathan-vorhees)
Posts: 3
New Member
 

Depending on the SAN, you are going to have a nightmare of a time rebuilding the RAID from individual drives. Most RAID implementations on SANs have a lot of proprietary metadata to hold things like snapshots, block-level de-duping, etc. You will have even more problems trying to find a FC connector for a write blocker. In the end, a logical capture of the drive from a host connected to the SAN is the best way. You might also want to look into the SAN software and see if you can dump out or mount snapshots and image those.

 
Posted : 16/12/2009 12:42 am
(@seanmcl)
Posts: 700
Honorable Member
 

I second the recommendation of F-Response. It has a small footprint, and attaches to remote systems in read-only mode.

And you can use it with any other forensic tool to do the preview.

 
Posted : 17/12/2009 9:10 pm