Join Us!

Data Deduplication ...
 
Notifications
Clear all

Data Deduplication on Windows Server 2012  

  RSS
tracedf
(@tracedf)
Active Member

We have data deduplication enabled one of our Windows Server 2012 servers. If I try to view the volume in EnCase, remotely or by opening the .vmdk file, all of the files that are deduplicated appears as zero-filled files. Obviously, this hampers our forensic efforts as we can't view, hash, copy a large number of files. Is anyone else aware of a good way to handle this? The only solution I can think of is to turn off data deduplication but the volumes in question are several terabytes and I don't really want to inflate them. Are there any other forensic tools that can read deduplicated files from these volumes?

Thanks.

Quote
Posted : 15/12/2015 4:38 am
athulin
(@athulin)
Community Legend

If I try to view the volume in EnCase, remotely or by opening the .vmdk file, all of the files that are deduplicated appears as zero-filled files.

I recall them being junction points, but it's some time since I looked at it.

If you want to get access to the data, I'm fairly certain you'll need to use Windows Server 2012 itself.

I'd try to set up disk images as read-only virtual disks, and then use a MSDN installation of WS2012 (unless I had something better) as the forensic platform, with whatever toolkit you need.

It's a bit like extracting data from a RAID when you don't have support for that particular RAID in any of your tools..

ReplyQuote
Posted : 16/12/2015 12:14 am
tracedf
(@tracedf)
Active Member

The server in question is running on VMWare so we copied the VMDK files for the volumes we're interested in. I created a Windows Server 2012 VM on my forensics workstation and mounted the disks. I had to enable data reduplication in order for Windows to recognize the reduplication that has already taken place. At this point, I still couldn't use EnCase because EnCase can't read a de-duped volume, even when I connect to the live machine (it uses its own driver, not the Windows API). So, I needed to un-deduplicate the volume but turning off deduplication does undo what has already been done. So, I'm in the process of running a job to unoptimized the volume. I've had to stop the job twice because I'm running out of space on the volume.

In this particular situation, I'm only concerned with pictures and video so I logged in as an administrator, took ownership of the folders I'm interested in and recursively deleted (del /s) several filetypes (.exe, .mp3, .pdf and .iso) in order to reclaim space. Obviously, this is a working copy of the volume. That seems to have given me enough space to fully re-duplicate the volume but the process is terribly slow; it has run for more than a day and it was at 52% when I left work on Friday.

Thoughts

The process of copying and re-duplicating large volumes is really slow and requires a lot of bench time. I'd really like to see support for deduplicated volumes in EnCase and/or other forensic tools. If I encounter this again in the future, I may try setting up a second volume without deduplication and copying over the things I'm interested in so that I don't have to re-duplicate the entire volume. I may also just mount a working copy and examine it live. The problem is that it limits the tools I can use since EnCase and other tools bypass the Windows API but don't understand deduplication.

ReplyQuote
Posted : 21/12/2015 7:01 am
athulin
(@athulin)
Community Legend

At this point, I still couldn't use EnCase because EnCase can't read a de-duped volume, even when I connect to the live machine (it uses its own driver, not the Windows API).

That's right – you can't access the physical disks unless you have some software layer that performs the de-deduplication. Instead you have to treat it as a logical acquiry, and access the contents through Windows, letting it do the job for you. (Or, at least that's how I would attempt the job.)

I'd really like to see support for deduplicated volumes in EnCase and/or other forensic tools.

Anyone who deals with Windows file servers would agree. Make sure you pass it on to Guidance. Unfortunately, Microsoft has not documented the workings, so it will probably be a lot of research to get all details in place.

ReplyQuote
Posted : 21/12/2015 11:14 am
jaclaz
(@jaclaz)
Community Legend

Maybe useful, maybe not, there is this Powershell applet Expand-DedupFile
https://technet.microsoft.com/en-us/library/dn486808.aspx
though I couldn't find any documentation about it to understand how "granular" it can be. ?

jaclaz

ReplyQuote
Posted : 21/12/2015 7:13 pm
Share: