Hi, first post, go easy.
I have a SAN - specifically NetApp kit. More specifically, 13TB of SCSI disk arrays, controlled by 3 FAS3020 (more
On the SAN are volumes. They hold LUNs. LUNs can be mounted on servers as drives via iSCSI, Fibre Channel, etc. Alternatively, I can create a CIFS volume on the SAN directly and mount it as a network share.
The most useful function of these devices is their ability to create an instantaneous snapshot of the volumes and luns at any point in time.
The snapshots are 'virtual'; however, they can be mounted on a server as a duplicate, read-only drive, for example. The snapshot process seems to have many parallels to the standard method of acquiring a hard drive, except of course that the process by which the snapshot is created is proprietary and closed to the end user.
Has anyone had any experience in forensic analysis of SAN snapshots? I haven't found any cases (or indeed anything) so far on any forum. I may have to get involved with a case where data was changed. We have snapshots from before and after, but I don't know if the analysis will stand up under scrutiny. I'm getting more familiar with the disk structures and how data is stored on SANs, but there are several layers of virtualisation between the logical data (presented as NTFS partitions) and the physical disks - in this case there are 42 of them.
I'm not in full-time forensics; I'm a first responder with some basic forensic acquisition skills and knowledge. I'm advising in the first instance to my senior management, before we outsource to the pros. I'd be a primary contact and I'd like to be able to discuss this with the expert.
Dave,
As it applies to NetApp specifically, you'll want to focus your study on the WAFL file system and how it does block pointer mapping, so that you can describe the snapshots. The snapshot in a NetApp centres largely around block pointers, if I'm not mistaken. I really recommend contacting NetApp for detailed specifics of their file system, since snapshots are a function of WAFL and NetApp does snapshots differently than other SAN vendors.
Analysis of a SAN snapshot can be paralleled to something such as Volume Shadow Copy on a windows server. If you have snapshots before and after, you should have all the "proof" you need. Scrutiny comes with the territory and the difficulty will be in explaining how it all works to a lay person.
A few years ago I installed a number of NetApp filers, etc., in a corporate environment. I have a load of docs that may be of use. I don't think any go down to actual byte level, and they are old (880 hardware), but they may help - PM me if you are interested.
James
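The two points above (Dave's before/after snapshots of a volume where data was changed, and James's note that a NetApp snapshot is essentially a frozen set of block pointers) can be illustrated with a small copy-on-write model. This is an added example written for this thread, not NetApp code and not WAFL's real on-disk format; it assumes only the behaviour James describes: a write never overwrites a block in place, and a snapshot is a copy of the pointer map rather than of the data. The block size, the `Volume`/`BlockStore` names and the sample block contents are all constructed for the illustration.

```python
"""Toy copy-on-write block-pointer snapshot model (illustration only, not WAFL).

Shows why a pointer-based snapshot is instantaneous, why it stays read-only
while the live volume keeps changing, and how two snapshots can be diffed
block by block with a hash of each side for the evidence record.
"""
import hashlib
from typing import Optional

BLOCK_SIZE = 4096   # assumed block size for the model


class BlockStore:
    """Physical block pool. Blocks are never overwritten in place; every
    write allocates a fresh block, so older pointer maps remain valid."""

    def __init__(self) -> None:
        self.blocks = []                      # physical block number -> bytes

    def alloc(self, data: bytes) -> int:
        if len(data) != BLOCK_SIZE:
            raise ValueError("block must be exactly BLOCK_SIZE bytes")
        self.blocks.append(data)
        return len(self.blocks) - 1

    def read(self, pbn: int) -> bytes:
        return self.blocks[pbn]


class Volume:
    """Map from logical block numbers (what the LUN / NTFS sees) to physical
    block numbers. A snapshot is a frozen copy of that map."""

    def __init__(self, store: BlockStore, nblocks: int) -> None:
        self.store = store
        zero = store.alloc(b"\x00" * BLOCK_SIZE)
        self.active = [zero] * nblocks        # live block map
        self.snapshots = {}                   # snapshot name -> frozen block map

    def write(self, lbn: int, data: bytes) -> None:
        # Copy-on-write: the old physical block is left untouched, so every
        # snapshot that still points at it keeps reading the old content.
        self.active[lbn] = self.store.alloc(data)

    def snapshot(self, name: str) -> None:
        # Only pointers are copied, never data: cost is independent of volume size.
        self.snapshots[name] = tuple(self.active)

    def read(self, lbn: int, snap: Optional[str] = None) -> bytes:
        bmap = self.snapshots[snap] if snap is not None else self.active
        return self.store.read(bmap[lbn])

    def image_hash(self, snap: str) -> str:
        """SHA-256 of the whole logical image as seen through a snapshot."""
        h = hashlib.sha256()
        for pbn in self.snapshots[snap]:
            h.update(self.store.read(pbn))
        return h.hexdigest()


def diff_snapshots(vol: Volume, before: str, after: str):
    """Logical blocks whose pointer differs between two snapshots, with the
    hash of each side's content. Blocks that still share a physical pointer
    were not rewritten between the two points in time."""
    changed = []
    for lbn, (pa, pb) in enumerate(zip(vol.snapshots[before], vol.snapshots[after])):
        if pa != pb:
            changed.append({
                "lbn": lbn,
                "before_sha256": hashlib.sha256(vol.store.read(pa)).hexdigest(),
                "after_sha256": hashlib.sha256(vol.store.read(pb)).hexdigest(),
            })
    return changed


def block(marker: bytes) -> bytes:
    """Constructed sample block: a short marker repeated up to BLOCK_SIZE."""
    return (marker * BLOCK_SIZE)[:BLOCK_SIZE]


def demo() -> dict:
    """Constructed scenario: change happens between 'before' and 'after',
    and the live volume keeps changing after the 'after' snapshot."""
    store = BlockStore()
    vol = Volume(store, nblocks=8)
    vol.write(1, block(b"A1"))
    vol.write(3, block(b"OLD3"))
    vol.snapshot("before")
    before_hash = vol.image_hash("before")

    vol.write(3, block(b"NEW3"))          # the "data was changed" event
    vol.write(5, block(b"E5"))
    vol.snapshot("after")

    vol.write(1, block(b"LATER"))         # activity after the 'after' snapshot
    changed = diff_snapshots(vol, "before", "after")
    return {
        "changed_lbns": [c["lbn"] for c in changed],
        "before_hash_stable": vol.image_hash("before") == before_hash,
        "lbn3_before": vol.read(3, "before")[:4],
        "lbn3_after": vol.read(3, "after")[:4],
        "physical_blocks_used": len(store.blocks),   # 6 blocks back three 8-block images
    }


if __name__ == "__main__":
    print(demo())
```

The part worth explaining to a lay audience is in `demo()`: the later write to block 1 changes the live volume but not the hash of the "before" image, which is the read-only property Dave describes, and the diff between "before" and "after" reports exactly the logical blocks whose pointers moved (3 and 5), with a hash of both versions. A real filer adds many layers (aggregates, RAID groups, the 42 physical disks), which is why the thread's advice to get the vendor's own description of WAFL still stands.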