Hello colleagues,
I have tried to find a solution by myself, but I'm not 100% sure that acquisition using a Live CD will work properly. There is no way to try it now.
Can you please give me your recommendations on how to acquire a forensic image from a Linux box with RAID 1+0? Live acquisition is preferred but not mandatory.
The RAID consists of 4 hard drives.
What is the best way to get an image for analysis without the additional task of rebuilding the RAID disks into one image?
Thank you very much.
You may want to check here. It's already been discussed.
Cheers
Nicci
Thanks a lot for the link. It was helpful.
Are there any means to make proper image from the live system?
Well, you can image with dd at the command line, but if you're doing this using the host Linux system, you'll likely never get your hashes to match. Conversely, the good thing about imaging a live Linux host is the ease of capturing the memory, since the tools are built in.
If it is live, use dd as suggested previously. If it is suspected that the machine is compromised, run dd from any external write-protected media (USB or CD) that contains tools you can trust.
I haven't heard of matching MD5 or SHA1 hashes on live machines, so I would not worry about it too much (as long as you understand and can explain the reason for that).
Capturing memory may not be possible on modern Linux systems (Ubuntu 9.04 and later, Fedora 11, etc.) due to the new memory protection mechanism.
A Live CD may not work with the RAID controller (driver issues, etc.). Could this be software RAID? You may want to run the fdisk -l command as root and check for /dev/md0 or similar.
It is important to check the BIOS for the configured stripe size in case you end up imaging the HDDs separately and rebuilding the array (which I believe you'd like to avoid).
As for tools, the default dd or my favourite dcfldd should work just fine.
Good luck!
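As an added example (not code posted by anyone in this thread): a POSIX shell script that does the checks described above on a live box with software RAID. It assumes a Linux host with md RAID, dd or dcfldd, and sha256sum; the /proc/mdstat sample, the array name md0 and the device names are constructed for illustration. It lists the md members and the chunk (stripe unit) size you would need for a later rebuild, and images each member separately, recording a SHA-256 of each resulting image, which is the hash you can verify later (the live source disk itself will not re-hash to the same value). Run the imaging functions as root from your trusted external media.

```shell
#!/bin/sh
# Added example, not posted by anyone in the thread. Assumes a Linux host with
# md software RAID, dd (or dcfldd) and sha256sum; device names are illustrative.

# Constructed sample of /proc/mdstat for a 4-disk RAID 1+0 (not a real capture).
SAMPLE_MDSTAT='Personalities : [raid10]
md0 : active raid10 sda1[0] sdb1[1] sdc1[2] sdd1[3]
      1953260544 blocks super 1.2 512K chunks 2 near-copies [4/4] [UUUU]

unused devices: <none>'

# md_members ARRAY: print the member devices of ARRAY from mdstat text on stdin.
# The array line looks like "md0 : active raid10 sda1[0] sdb1[1] ...";
# member tokens carry a role suffix "[n]" and possibly "(F)"/"(S)" flags.
md_members() {
    awk -v a="$1" '$1 == a && $2 == ":" {
        for (i = 5; i <= NF; i++) { sub(/\[.*$/, "", $i); print "/dev/" $i }
    }'
}

# md_chunk ARRAY: print the chunk (stripe unit) size recorded for ARRAY, e.g. "512K".
# This is the value you need if the members are imaged separately and the
# array has to be reassembled later; it is on the line after the array line.
md_chunk() {
    awk -v a="$1" '
        $1 == a && $2 == ":" { want = 1; next }
        want && /chunks/ { for (i = 2; i <= NF; i++) if ($i == "chunks") print $(i - 1); want = 0 }
    '
}

# acquire_image SRC OUT [BS]: raw-copy SRC to OUT and record a SHA-256 of the image.
# conv=noerror,sync keeps going past unreadable blocks and pads them with zeros,
# so the image length is rounded up to a multiple of BS (default 4096 bytes).
acquire_image() {
    src="$1"; out="$2"; bs="${3:-4096}"
    if command -v dcfldd >/dev/null 2>&1; then
        # dcfldd hashes the input stream as it copies; keep that log as well
        dcfldd if="$src" of="$out" bs="$bs" conv=noerror,sync \
               hash=sha256 hashlog="$out.inputhash" status=off
    else
        # dd statistics and any read-error messages go to a log next to the image
        dd if="$src" of="$out" bs="$bs" conv=noerror,sync 2>"$out.ddlog"
    fi
    # Hash of the image file itself; this is what you verify against later,
    # since a live source disk keeps changing and will not match.
    sha256sum "$out" > "$out.sha256"
}

# acquire_members ARRAY OUTDIR: image every member of ARRAY separately.
# Run as root with mdstat on stdin:  acquire_members md0 /mnt/evidence < /proc/mdstat
acquire_members() {
    md_members "$1" | while read -r dev; do
        acquire_image "$dev" "$2/$(basename "$dev").dd" 65536
    done
}

# Stand-alone demo on the constructed sample: list members and chunk size.
printf '%s\n' "$SAMPLE_MDSTAT" | md_members md0
printf '%s\n' "$SAMPLE_MDSTAT" | md_chunk md0
```

On the real box, replace the sample with `cat /proc/mdstat` (or `mdadm --detail /dev/md0` for the same information) and point OUTDIR at your external evidence drive, never at the array itself.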
Of course, hash matching on a live machine is not considered.
Thanks a lot for your posts. I very much appreciate your help.
I hope everything will work properly.
Good Luck!
Regards,
Alex
True, however, I will do a file hash set of the machine from a write-blocked system beforehand and then compare it afterwards to the collection. The live files will not match, but any static files will, and they can be used as a reference in many ways in your investigation.
As always, acquiring the logical RAID array _may_ leave (critical) data behind. I strongly recommend acquiring each hard drive independently.
Cheers!
farmerdude