Hi Guys,
My team has been asked to acquire an image of a sun server that has been taken offline. Will booting the server with a Helix free disk from 2009 work? I am in the process of getting all the details on the server as we speak.
You may be able to boot, but the real question is can you do anything useful with the server once you boot it.
What is the server running? Solaris? ESX? Other? What file system(s) do you expect to encounter? Do you have drivers on the Helix disk for all the hardware in the box especially RAID controllers?
There are a lot of questions to ask yourself.
hey bithead,
yes i am waiting on additional details regarding it. I have been told that the server was taken down, but its not confirmed.
I might have misunderstood something here but if all you want is an image and the server is offline then why bother booting?
Acquire the disks with your favorite tool and job done.
the server is raided i believe, its easier to image a raid in its complete state rather than image each disk individually and reconstruct disk image to complete raid.
Agreed…
A lot of times you get one shot at it and if for no other reason you hate to have to make that call "um can I go image it again because the RAID won't go back together"
Good call.
The RAID controller drivers can be an issue, you could download them ahead of time, or you could have several flavors of boot disks handy and try any of those.
the server is raided i believe, its easier to image a raid in its complete state rather than image each disk individually and reconstruct disk image to complete raid.
I've dealt with raided servers before and have come across some hardware issues particularly when you have servers that have been running for a very long time with no 'down time' older SCSI hard drives particular can seize up once they have been powered down.
Xways forensics is pretty good at rebuilding RAID's if you have the stripe size and configuration data.
Otherwise another option would be to image hard disks, restore to another set of disks which can be attached to the server and then try and reboot and take a whole image that way.
I know it's long winded but that method offers the least interaction with the original hard disks and if you have to start and restart the server several times to try and get the imaging process to work then the risk of hardware failure or damage to the original evidence is negated by using the restored drives.
Might not be an option for you but I offer it up as merely another thing to consider. )
My team has been asked to acquire an image of a sun server that has been taken offline. Will booting the server with a Helix free disk from 2009 work?
You will need to know the hardware architecture for that. Sun have SPARC-based systems – x86 boot CDs won't work for those.
as athulin points out it will depend on the Processor for the box.
If its Sparc you'll need a copy of a Solaris disk to boot from the use dd with netcat to image across the network or dd to an external disk
booting from a Solaris CD will need you to do a Stop-A (break the boot sequence), then boot cd –s to get a single user session from boot cd