Notifications
Clear all

Lab backup solution  

  RSS
StreetForensics
(@streetforensics)
Member

I currently work in a lab with 6 forensic computers all networked together. I would like to begin backing up each computer since I recently had a raid failure in which I almost lost some case data - and I have previously had a drive fail which we did lose data so its time to get prepared.

I'm currently only backing up the OS drives on each PC to a separate internal drive on each PC, I'm using windows backup to do this. I have no way of backing up the drives containing case data and caches. (I do use EnCase and backup cases to our current NAS - other cases not using EnCase or just other data on those drives aren't protected)

My plan/thought is to purchase a large NAS (40TB) and created a folder on it for each of the forensic machines and backup up all drives to it nightly - current cases on all machines is about 7TB.

I'm currently testing this with our current small 5TB NAS with only 3 of the machines but only backing up the OS drives.

I've set the backups to begin one hour apart to reduce the chance of any issues multiple machines trying to backup at once may cause. This seems to be working ok, but it's only been two days.

My questions are
1. Is this a good simple solution for backing up?
2. If I have a drive/raid failure and need to restore from one of these backups how easy is it (Yes, I will be testing this myself but I'm curious as to your experience/advise)

Thanks for any advise!

Quote
Posted : 18/01/2018 8:52 pm
jaclaz
(@jaclaz)
Community Legend

1. the plan seems a good one, BUT
2. the MS backup is a good thing as it uses the VSS/shadow volume mechanism that is very unlikely to fail (files in use, permissions, etc.) but it is essentially aimed to the contents (and the contents only) of "logical volumes" and does not guarantee a "bare metal" restore.

The issues revolve around the Disk Signature and the partitioning (and drive letter assignment), so you will batter have a backup/image of the MBR, as a matter of fact I would make a copy of all the hidden sector (usually 63 or 2048 including the MBR), that will cover also the protective MBR and GPT partition table in case of UEFI/GPT (usually first 32 sectors of the disk).

There is no need to make a copy of the second copy of the GPT partition table as it can be recreated, still it costs next to nothing to also backup those other 32 sectors (or so) at th eend of the disk.

With modern windows the disk signature issue can be worked around by blanking (while offline) the key HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices (the key will be re-populated at first boot) still it doesn't guarantee the same drive letter assignment as the original, and of course not necessarily a newly made partition scheme will be exactly as the one before.

Further, there is anyway the need to restore (again in the worse case, "bare metal") the backup, so you should have a tested, valid, Live Linux or WinPE capable to boot on all the machines involved and containing the needed tools.

Personally I would use (besides the above mentioned additional steps that need only a simple dd-like tool) the DriveImageXML program
https://www.runtime.org/driveimage-xml.htm
that uses the same VSS approach, but offers a few additional features (it actually backups the volume/partition, not just the files) that may be of use including the compatibility with both Linux and PE (in case of restore)
https://www.runtime.org/data-recovery-live-cd.htm
https://www.runtime.org/peb.htm

jaclaz

ReplyQuote
Posted : 19/01/2018 2:07 pm
StreetForensics
(@streetforensics)
Member

Thanks for the reply. I'll look into those options! In addition to the Windows Back up (and letting it create a 'system' image) I also create E01 images of the entire disk containing the C partition for the 'nuclear' option. I only do this 1-2 times a year so I have to reinstall newer versions of a few programs, but that practice has worked so far.

ReplyQuote
Posted : 19/01/2018 4:14 pm
mscotgrove
(@mscotgrove)
Senior Member

Any good backup should ensure that data is saved in different physical locations.

For some data (subject to rules on security) cloud storage could be considered.

For data such as disk images (100s of GBs), don't rule out tape, LTO-6 or better. Again, subject to security, tapes can be stored offsite.

ReplyQuote
Posted : 19/01/2018 4:50 pm
jaclaz
(@jaclaz)
Community Legend

Thanks for the reply. I'll look into those options! In addition to the Windows Back up (and letting it create a 'system' image) I also create E01 images of the entire disk containing the C partition for the 'nuclear' option. I only do this 1-2 times a year so I have to reinstall newer versions of a few programs, but that practice has worked so far.

Yep ) , the E01 image is of course excellent for the "nuclear" option, but is even "too much" (you don't really-really want to have/need a forensic sound image including slack space, unused sectors, etc.), the alternative proposed would allow for a periodic (let's say once a week or every two weeks) backup of the system and boot partition(s) in a way that is restorable even in the "nuclear" case.

The point is only on the convenience of the one or the other approach.

Restoring an "integral" E01 image may take more time and of course needing to reinstall this or that program reflects on the "overall downtime" of the system/workstation.

Making more often "system" images will need some more space (traditionally a rotating set of three copies was used [1]) and it has to be seen if the overall backup procedure stays "within the night closing hours" or if adding the "system" image to the routine will make it too long, thus making it infeasible in practice, but scheduling the "system" backup weekly on Saturday/Sunday may be enough to take care of the time needed issue while still having a fast handy way to recover in case of disaster).

Having such a "fresh" image will reduce the time needed to reinstall the "new" programs and - I believe with modern Windows and the stupid way MS manages them this is getting increasingly problematic - to have the system in sync with Windows Update.

I have seen quite a few reports lately of - besides actual issues - extremely long times for the connection and download of updates, often needing hours.

As always it is a trade off between complexity of the procedures and convenience in case of a "disaster" happening.

jaclaz

[1] Once upon a time - and this unfortunately shows how old I am - we used to have three floppies, one labeled Monday, one Wednesday and one Friday to which we made backups, overwriting the previous contents, so that at any time, including the case of some malfunctioning we had at most a one day old backup and if it failed a three day old one.
Over the years the three floppy became first Zip disks, then CDRW's, and later DVDRW's until hard disks (and important content in them) became simply too [email protected] large to need NAS's.

ReplyQuote
Posted : 19/01/2018 5:07 pm
Share: