NT Disk Mirroring info
This is my first post, and I'm not a specialist as many here in the forum appear to be, so bear with me.
I'm working on a web server that was compromised about a week ago, and ran into a small stumbling block. The box is running Windows NT 4, and the C drive is mirrored on two 9 GB SCSI drives through NT. Even though I know this incident will never go to court, I wanted to make a forensically sound backup of the drive. Since there was no one who knew the Admin password for the box, I stopped the box (not a shutdown) and booted to a Bart-PE CD with Winhex Forensics on it. I got access to the physical drives of the mirrored set with Winhex, but noticed when I opened the partition that certain files I knew should be there weren't. I eventually rebooted the server, and the files I knew were there were exactly where they should be.
My questions are:
1) Why couldn't I see the files on the physical device, and how is it they showed when the set?
2) Is there a better way to get a forensically sound backup of a mirrored set, as in my scenario?
Thanks for any help/links.
Where are you located in NoVA?
I'm in Fairfax. I actually have your book sitting right behind me.
You could be rebuilding the wrong partitions. I have seen more than a couple deleted partitions on a drive. Try some of the other NTFS partitions.
Oh yes, second question. I had the exact same issue with SCSI drives just a couple of weeks ago. We did it exactly the way you are doing it (except we used Encase), but looking back we should have just done a live acq. We use Encase Enterprise for our Corp, which allows you to do Acquisition over the wire without shutting down the machine; this allows both Logical and Physical acquisitions and you don't have to rebuild the partition from a RAID or SCSI mirrored config. If you don't have that, which most don't understandably, get a CD with the needed tools for NT such as DD.EXE, map a Network share, and pipe the logical and physical image to a network share.
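The "dd the physical disk to an image" step described in the post above, written out as an added example (it is not any poster's script and not part of this thread). It assumes a POSIX sh on the acquisition system with dd and sha256sum available, as on a Linux live CD, rather than the DD.EXE-on-NT setup the post mentions; the "device" it images is a constructed file standing in for one member of the mirrored set, so it can be run offline. The script hashes the source and the image and records both in a log, which is the check a practitioner wants before calling an image forensically sound.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: POSIX sh, dd and
# sha256sum exist; the source device is not mounted read-write while imaging.
set -u

# Print only the hex SHA-256 digest of a file or device.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_disk SOURCE DEST LOG
# Copy SOURCE to DEST sector by sector. bs=512 matches the sector size so
# conv=sync never pads the last block (a larger bs would alter the hash of
# a disk whose size is not a multiple of it); conv=noerror keeps reading
# past bad sectors, which sync fills with zeros so offsets stay aligned.
# Hashes of source and image are appended to LOG. Returns 0 only if they
# match, so a failed copy is visible to the caller.
image_disk() {
    src=$1; dst=$2; log=$3
    echo "imaging $src -> $dst" >>"$log"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    {
        echo "source=$src sha256=$src_hash"
        echo "image=$dst  sha256=$dst_hash"
    } >>"$log"
    [ "$src_hash" = "$dst_hash" ]
}

# demo: build a constructed 32 KiB "disk" (64 sectors of repeated text),
# image it into a temp directory, and report whether the hashes matched.
# Returns the status of image_disk so a caller can test it.
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/imgdemo.XXXXXX") || return 1
    yes 'constructed sector data, not a real disk' | head -c 32768 >"$work/member0.dev"
    if image_disk "$work/member0.dev" "$work/member0.dd" "$work/acq.log"; then
        echo "image verified:"; cat "$work/acq.log"; rc=0
    else
        echo "HASH MISMATCH - do not trust this image"; cat "$work/acq.log"; rc=1
    fi
    rm -rf "$work"
    return $rc
}

demo
```

For a mirrored set, run image_disk once per physical member (each gets its own image file and its own pair of hashes in the log); the members are expected to hash differently from each other, since only the contents of the partition, not the whole disk, are kept identical by the mirror.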
Thanks for the tips m7esec, but I'll have to admit a little confusion, as I'm not rebuilding any partitions. The C drive on this server consists of two physical drives doing mirroring through NT. My Bart-PE disk uses XP, and I'm just accessing one of the physical drives via Winhex, as neither the physical drives nor the mirrored set is mounted by XP. The drives only have a single partition, so I can't be working with the wrong one. Can you clarify the whole idea of rebuilding the partition some?
Also, your idea of performing the backup to a network share, while interesting, isn't really applicable in this scenario. I had no login capability to the machine, so I had to turn it off to reboot to my Bart CD. I will look into the DD for Windows tool though.
It still doesn't make sense (to me anyway) that those files don't exist on either one of the physical drives from the mirrored set, unless you boot normally and have the mirrored set mounted.
If the system is using a mirrored disk configuration, you need to break the mirror before imaging one of the disks unless you do a live acquisition.
Can I recommend that in these types of cases you use the freeware Helix CD. Whilst the server is running, pop in the Helix CDROM & allow it to autorun. You will see a splash screen with various options - one being the ability to image the full drives either via the network to your acquisition machine, or you can simply attach an external hard drive via a USB to IDE adapter and do a local copy.