Hello all,
Just wondering how everybody handles the imaging of a live or dead server?
The company I'm currently working for came up with a solution of a $5,100 laptop and a portable RAID enclosure to carry on-site and do all the imaging... After all is said and done it will be about $6,000...
The price seems a bit much, especially since you could pay that same price for F-Response... Is that the favorite solution for imaging servers?
Just trying to get the most out of the budget. All advice is greatly appreciated.
Do you have physical access to the servers? What about admin credentials?
Just wondering how everybody handles the imaging of a live or dead server?
It depends. How much storage does the server have? What is the drive configuration? Can it be down? If so, for how long? What OS and file system?
I haven't found a one size fits all approach, based upon the variations in server configuration.
Imaging of servers can often be done with a simple boot disk and a USB drive. Even live imaging can be done with a disk containing imaging applications (such as FTK Imager) and a USB drive.
Of course, different server configurations, sizes and other requirements may necessitate different boot disks (or at least different drivers) and other solutions may need to be considered.
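The "simple boot disk and a USB drive" approach gkelley describes, as an added example that is not code from this thread or from any of the tools named in it: a POSIX shell function that images a source device with coreutils dd from a boot environment, hashes the source and the image, and writes an acquisition log next to the image. The paths, the log format and the constructed 1 MiB sample source used by the demo are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): dead-box acquisition with dd plus
# hash verification. Paths, log format and the demo source are assumptions.

# hash_file FILE -> prints the SHA-256 of FILE
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_device SOURCE IMAGE
#   Reads SOURCE (normally a block device such as /dev/sdb, seen from a
#   read-only boot disk; any regular file also works) into IMAGE and writes
#   IMAGE.log. conv=noerror,sync keeps going past unreadable sectors and pads
#   each bad 512-byte input block with zeros so later data keeps its offset.
#   Returns 0 when the source and image hashes match, 1 otherwise.
image_device() {
    src="$1"
    img="$2"
    log="$img.log"

    {
        echo "acquisition_start: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src"
        echo "image: $img"
    } > "$log"

    # ibs=512 matches the logical sector size of most disks; obs=1M batches
    # the writes so the destination is not the bottleneck. dd's statistics
    # and any read-error messages go to the log.
    dd if="$src" of="$img" ibs=512 obs=1M conv=noerror,sync 2>> "$log" \
        || echo "dd_exit_status: $?" >> "$log"

    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    echo "source_sha256: $src_hash" >> "$log"
    echo "image_sha256: $img_hash" >> "$log"
    echo "acquisition_end: $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"

    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified: OK" >> "$log"
        return 0
    fi
    echo "verified: MISMATCH" >> "$log"
    return 1
}

# verify_image IMAGE -> re-hashes IMAGE and compares it with the hash that
# was recorded in IMAGE.log at acquisition time (the check you repeat in the
# lab before working from the image).
verify_image() {
    img="$1"
    recorded=$(awk '/^image_sha256:/ {print $2}' "$img.log")
    [ -n "$recorded" ] && [ "$(hash_file "$img")" = "$recorded" ]
}

# Stand-alone demo on a constructed 1 MiB file, not a real disk:
#   sh image.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/source.bin" bs=512 count=2048 2>/dev/null
    image_device "$work/source.bin" "$work/source.dd" && cat "$work/source.dd.log"
    rm -rf "$work"
fi
```

On a dead server booted from a forensic boot disk the call is along the lines of `image_device /dev/sdb /mnt/usb/server01.dd` (both paths assumed), with only the destination drive mounted read-write. The matching hashes show the image equals what dd read, which is all a dead-box image can claim; a live server whose disk keeps changing during the read is the situation the live tools discussed in this thread exist for.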
Jonathan - That will vary on a case by case basis I'm sure. I was looking to form a solution for my company in order to image and analyze servers. If we get a case that involves a server, or only a server, we don't want to turn them down and say we can't do it.
seanmcl - No specifics are known, but those are all variables I will take into consideration when forming the solution. I just wanted to know popular solutions for Apache, Exchange, Windows servers, etc. Is Helix Pro, piping it out to a NAS or RAID box, live or dead, popular? F-Response? Others? I've only ever helped image one server, which was down, and we used an EnCase boot disc and piped it over Ethernet to a RAID box, which took forever.
gkelley - Thanks for the info, I figured that was pretty common.
Chanko86
First, why would anyone need a $5,000 laptop for imaging? The resource needs of imaging software are not that great, and you are going to be limited by the speed at which you can read and write from the devices, even if you have Fibre Channel attached storage.
The reason for my questions is that it really does change the solution as well as the cost. What might work in one situation may be totally unworkable in another.
IMHO anyone who says that a single solution will work for all or even most enterprise server classes hasn't done much imaging in the enterprise.
We have a variety of technologies that we use depending upon the configuration of the system to be imaged, the questions to be addressed through the analysis of the image and, most importantly of all, what the Courts will allow us to do based upon the inevitable claim of "hardship" raised by the producing party.
But, at the very least, we have a couple of different forensic acquisition tools, including WinFE with FTK Imager, a portable, hot-swappable storage array (cost < $2,000) and F-Response.
You simply need F-Response, any cheap laptop, and some form of storage, NAS being probably the most flexible in terms of access in the circumstance you describe.
Either way, on a live system you are really restricted by the network, so even if you decided to have direct attached storage on your acquisition machine you are still limited by the network throughput.
F-Response is a must-have tool IMHO as it adds so much flexibility to your capabilities, and for the price it's a no-brainer. Additionally, F-Response also has their own forensic boot CD.
seanmcl,
Thanks for the response. I think the bottleneck of the drive speeds was overlooked originally. I'll be sure to bring that up. They reduced the laptop to about $2,000 or so, but that still seems a bit extra.
Thank you for the WinFE tip. We have Helix, Paladin/Raptor, and I've been pushing for F-Response for a while. Thanks for the information.
Greetings,
In my last company, I travelled with a >$5,000 Dell M6500 laptop. I used it for imaging, forensics, ediscovery, etc. Quad core processors, huge hard drive, 8GB of RAM, eSATA on board, etc. They don't call it a mobile workstation for nothing.
Yes, you can do a lot with a $2,000 laptop. But, if you can afford it, there may be good reason for getting a $5,000 one. I could get a lot of work done in the field with that thing.
-David