Hello All,
I'm looking at imaging a 4TB server that is running a RAID (3+ discs, and not sure what type yet). My plan was to use FTK Imager Lite to get a memory dump, and then take the server offline and image each individual disc. I planned on using RAID Reconstructor and a mounting tool (Mount Image Pro or Captain Nemo) then.
If I went the live acquisition route, is FTK Imager Lite/Helix still preferred?
If I need to capture network info, ports and processes, I was leaning towards AD Triage. Other suggestions?
Any help is much appreciated. I don't have incredibly detailed information yet, just looking for high level tool and process suggestions.
Perhaps after you do your physical images of the drive, do a logical image of the RAID. You SHOULD be able to reconstruct the RAID from the physical images, but this gives you a fallback option.
I agree, if you have time do both physical and logical. There are too many RAID permutations to be 100% sure you can rebuild it later.
If you were short on time or disk space and could only do one option, I would do the logical first.
Also, are you sure they are striped?
Unlikely, but it could be a mirror with a hot spare or something other than what you expect?