Hi all
A coworker has been tasked with getting data from a SAN - probably an entire shared network drive (or two), about 30GB or so each.
The forensic laptop will be connected to the network via gigabit ethernet.
The external HD the data will be copied to is eSATA.
Laptop OS will be Win7 Pro 64-bit.
Which of these options will be the fastest?
1. Use FTK Imager 3.0 to create a logical image of the network share onto the eSata drive
2. Use Richcopy (http//
3. Use SafeCopy to copy the data to the eSATA drive and then logically image that storage folder off-site
4. Any other suggestions?
Further, what is everyone's opinion on having software like SafeCopy hash the files prior to copy and then rehash them after? I say we should, but have been told that the client and attorneys want the team to be in and out. Given that, once the files/folder is logically imaged after copying to the eSATA drive, the copied files would have their hash values calculated. I would like thoughts on this too, please.
Thank you all!
-=Art=-
Do you have direct access to the storage array which is provisioning this shared drive?
Does the SAN have a manufacturer-supplied backup/copy/migration utility? This is likely to be the fastest. I'm pretty sure that EMC has one, for example - worth a look, I'd have thought …
@Mgilespy
We have been told that we would have access to the blade. The only connection out from it is a USB. What were your thoughts?
@Azreal
Haven't asked. I can find out, but will it preserve last-access timestamps?
Thanx folks
A
In testing I noticed that Richcopy, while fast, does not preserve the last accessed times. Neither does Evidence Mover.
I even tried to test Folder2ISO, mount the ISO and logically image it - it seemed like last accessed times changed there too.
Would last accessed times not matter much off a server or SAN because of constant virus scanning and other server maintenance functions that would keep touching those files and changing them?
Thanx again
The last one I saw made an identical copy, but, as they say, your mileage may vary!
A possible solution is to first hit the shares with LogParser to capture the metadata, including the MAC dates and hashes. Then copy the files. Follow it up with a hashing of files on your destination to see that they match the source.
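One way to do what GKelley describes, written here as an added example (not from the thread or from any tool named in it) in Python rather than LogParser: record size, MAC timestamps and a SHA-256 for every file before the copy, then re-hash the destination and compare it against that record. It assumes only the standard library and a directory path to the share; the "changed" field is the creation time on Windows/NTFS but the inode change time on other systems.

```python
import hashlib
import os

def sha256_file(path, chunk=1 << 20):
    """Stream the file so a 30GB share never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Record size, MAC times (epoch nanoseconds) and SHA-256 for every file under
    root, keyed by path relative to root so source and destination line up."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)  # stat before reading, so the recorded atime is the pre-copy one
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = {
                "size": st.st_size,
                "modified": st.st_mtime_ns,
                "accessed": st.st_atime_ns,
                "changed": st.st_ctime_ns,  # creation time on Windows, inode change on Unix
                "sha256": sha256_file(full),
            }
    return manifest

def verify_copy(source_manifest, dst_root):
    """Re-hash the destination and report files that are missing, extra, differ in
    content, or lost their modified time. An empty dict means the copy checks out."""
    dest = build_manifest(dst_root)
    problems = {}
    for rel, entry in source_manifest.items():
        if rel not in dest:
            problems[rel] = "missing on destination"
        elif dest[rel]["sha256"] != entry["sha256"]:
            problems[rel] = "hash mismatch"
        elif dest[rel]["modified"] != entry["modified"]:
            problems[rel] = "modified time not preserved"
    for rel in dest:
        if rel not in source_manifest:
            problems[rel] = "not in source manifest"
    return problems

if __name__ == "__main__":
    # Usage: python manifest.py <share root>  -> JSON manifest on stdout, to keep with the case notes
    import json, sys
    json.dump(build_manifest(sys.argv[1]), sys.stdout, indent=1)
```

Run build_manifest against the share before the copy, keep that JSON with the case notes, and run verify_copy against the eSATA drive afterwards; a copy tool that stomps on modified times shows up as "modified time not preserved" rather than as a hash mismatch.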
I thought that unless you use manufacturer-supplied tools, your best bet, even just to be forensically sound, is to use FTK Imager - such a versatile tool, I can't live without it!
@Azreal Thanx - will check into it
@GKelley - Will look at LogParser too, but that may double the time to get the data.
@MrSteve - That is what I used to use till I started to read about others using Robocopy or Richcopy and the like to copy the files to a drive and then image the logical folder. From what I can tell, most of these programs stomp on the last accessed date. I was shying away from using FTK Imager because it took so long due to all the hashing and processing, but you are right: if I want it to be forensically sound, I will have to use it.
SafeCopy from Pinpoint Labs is supposed to preserve all timestamps - will be testing it tomorrow.
-=Art=-
@Mgilespy
We have been told that we would have access to the blade. The only connection out from it is a USB. What were your thoughts?
Given that you refer to a shared network drive and a blade, I think you are actually looking at a NAS setup here - where the end clients are accessing data on a shared filesystem, probably over either CIFS (SMB) or NFS.
My thoughts were considering whether the storage/server
a) has the capability of taking a snapshot of the share in question, or otherwise preserving a copy of the state of the filesystem at the point where you began investigating.
b) gives you any ability to access deleted items, or items placed outside the normal bounds of the share in question.
c) provides for any mechanism (a snapshot would be one) to guarantee that any copies you take to work with will be consistent - in the event that multiple clients are all accessing the share at the same time.
It's possible these considerations don't apply in your specific circumstances but that's where my thoughts went.