Hello All,
I need some input/help imaging a NetApp FAS3140 NAS.
* This is an incident response / intrusion matter
* This NAS is attached via NFS
* I need to collect specifically unallocated space / files
Questions are
* can I image / collect unallocated from this device?
* how would one do this?
* what tools / utils / etc are required?
What other info can I provide to help anyone answer this for me?
Thanks so much for any input …
-Mark
Mark,
You won't image unallocated space using NFS. You need to be able to see the whole device as a physical disk. You have a few options I think
1) Pull any physical drives from the NAS and image them. Pros - Most forensic methodology. Cons - difficult (if not sometimes impossible) to reconstruct any RAID configurations.
2) Access the operating system on the device and employ a servlet to access the disks and pass the data across the network. Pros - you don't need to worry about RAID configuration, Cons - Not very forensic as you are leaving a footprint. Also, you may not be able to access the underlying system.
3) Access the device via its iSCSI interface to see the whole disk across the network. Pros - again, no worries about the RAID configuration. Cons - Can be a pain to set up and you'll have to tinker with the device to do so and therefore it still is not the most forensically sound method.
I don't know much about this particular device but my preferred method for such devices is to image the physical hard drives first and have a go at reconstructing any RAIDs later. If this fails then try having a go at a different method of attack.
Regards,
Paul
Paul,
…Pros - Most forensic methodology. Cons - difficult (if not sometimes impossible) to reconstruct any RAID configurations.
If you don't mind, what exactly does "most forensic methodology" mean?
Given the cons, whatever it is, is it really much of a solution at all?
I don't know much about this particular device but my preferred method for such devices is to image the physical hard drives first and have a go at reconstructing any RAIDs later. If this fails then try having a go at a different method of attack.
F-Response, perhaps?
Paul,
Thanks so much for the response and the ideas.
Harlan,
How would one implement f-response in this configuration?
-Thanks to you both.
-Mark
How would one implement f-response in this configuration?
Using f-response directly on the appliance would depend on what the NetApp Data ONTAP OS is. If it is some kind of Linux (seems likely) variant you might be able to use the Linux agent. That would certainly take some testing.
Paul,
If you don't mind, what exactly does "most forensic methodology" mean?
Given the cons, whatever it is, is it really much of a solution at all?
I think what Paul means is the most forensically sound method, because of the footprint you are leaving with the other methods, as opposed to just taking the disks out to take an image.
Greetings,
The NetApp runs a proprietary OS and you'll not be able to connect to it directly with F-Response. Some of the commands look like *nix commands, but that is just on the surface.
I've not looked at the NetApp file system spec in a long time, but I suspect you'll have a hard time finding anything in unallocated space on it, particularly if the system is still running.
I don't think any of your tools will recognize a NetApp disk image, or to reconstruct the array. (And do you have enough disk space to store a 5TB image?)
I'd call NetApp and pose these questions to them directly. They have some superb engineers that you can usually get to with a bit of patience.
-David
Looks like I'm a bit late to the show on this one.
Yes, the NetApp runs a proprietary OS, one we don't yet have a version of F-Response for :)
I agree with David, contact the manufacturer, they should be able to get you what you need.
Thanks!
Paul,
If you don't mind, what exactly does "most forensic methodology" mean?
Given the cons, whatever it is, is it really much of a solution at all?
I think what Paul means is the most forensically sound method, because of the footprint you are leaving with the other methods, as opposed to just taking the disks out to take an image.
Yes, just that.
Thank you Ben :o)
In this case 'forensic' is a euphemism for 'scientific', I'm sorry this wasn't clear.
Harlan, I'd like to know what you thought it could mean…
Paul
Even if it was as simple as acquiring physical drives or grabbing an image remotely, I think we are missing the bigger point here - having an image won't do us much good if nothing we have will interpret the filesystem. WAFL is an entirely different animal, especially when you throw deduplication into the mix. If you have disk images, you'll have to tackle sewing the RAID-6 back together first.
I don't have the info you'll need to get the job done, but I didn't want you to get the idea that you'd be able to grab some disk images and all would be good.
Good luck and be sure to share what you find out!