CSC492 Advanced (Network) Forensics


CSC 486/586
Network Storage
1
Objectives
• Familiarization with network data storage technologies
• Understanding of RAID concepts and RAID levels
• Discuss capture/acquisition of network data storage media
• Create hardware and software RAIDs
2
Network Storage - The Basics
• Direct Attached Storage (DAS)
– Storage device that is directly attached to a host system
– Most common (at present)
• Network Attached Storage (NAS)
– Data storage mechanism that uses special devices connected directly to the network media
– Assigned an IP address and can then be accessed by clients
3
Network Storage - The Basics
• Storage Area Network (SAN)
– A network of storage devices that are connected to each other and to a server, or cluster of servers, which acts as an access point to the SAN
– Fibre Channel
– iSCSI
4
Network Storage Devices
5
Servers & Hard Drive Arrays
6
RAID Controller (Dell PERC)
• Most server RAID controllers are SCSI, but some are IDE or SATA.
• Connects hard drives to the motherboard.
• Has both internal and external SCSI connectors, but usually can’t use both at the same time.
• Has a built-in BIOS configuration utility for configuring RAID arrays.
• The keystroke to enter the BIOS configuration utility is usually displayed during POST.
7
RAID Arrays
• Redundant Array of Independent Disks (aka Redundant Array of Inexpensive Disks)
• Fault tolerance
– Mirroring
– Parity
RAID Levels
• JBOD - Just a Bunch Of Disks
• RAID 0 - block-level striping without parity
• RAID 1 - mirroring (duplexing)
• RAID 3 & 7 - byte-level striping with parity
• RAID 4, 5 & 6 - block-level striping with parity
• RAID 5 - stripes both data and parity information across three or more drives
8
Multiple RAID Levels
• Can combine two RAID types to create a more robust and fault-tolerant setup (e.g. RAID 10)
• RAID 0, then RAID 1 (RAID 0+1): Divide the ten disks into two sets of five. Turn each set into a RAID 0 array containing five disks, then mirror the two arrays. (Sometimes called a "mirror of stripes".)
• RAID 1, then RAID 0 (RAID 1+0, i.e. RAID 10): Divide the ten disks into five sets of two. Turn each set into a RAID 1 array, then stripe across the five mirrored sets. (A "stripe of mirrors".)
9
Imaging Mirror (RAID 1) Arrays
• If “mirrored” only, not mirroring and striping combined, the complete file system sits on each hard drive, assuming the two disks are synchronized.
• Can be “handled” in the same manner a single-drive desktop computer would be imaged.
• Use a normal imaging tool to take an image of each of the two physical hard drives.
• Can be a software or hardware mirror.
• If it is a hardware mirror and the imaging tool has a controller driver for the RAID controller, you may image the single “logical” RAID array volume instead.
10
Imaging Striped Arrays
• Data is striped evenly across multiple hard drives. No complete file system sits on any single hard drive.
• Can NOT be “handled” in the same manner a single-drive desktop computer would be imaged.
• If you use your imaging tool to image each physical drive, you will have data, but it must be “rebuilt” before it is meaningful to you.
• The preferred method is to image the “logical” RAID volume(s) instead of the physical hard drives.
11
Imaging Striped Arrays
• The imaging tool needs to be able to “see” the logical RAID array volume.
• May need a specific driver for the RAID controller on your controlled boot disk or CD.
• If you can “see” the logical volume with your imaging tool, you will make an image of it as if it were a single hard drive.
• Not all new controller drivers are available for Linux boot CDs.
• Must have a “target” drive large enough to hold all the data from imaging the RAID, which may be large depending on the number and size of the disks making up the RAID array.
12
Imaging Striped Arrays
• If you must image the individual physical disks, you must “rebuild” the data.
• Sometimes this can be done by duplicating the hardware in the original server, specifically the same RAID controller (and firmware version).
• If not, there are tools and manual processes to read in the data from the multiple disk images and write it out to another target disk after putting the striped blocks back together.
• You must know the original order of the disks, the block size of the stripes and the parity rotation. This can be very complicated.
13
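Putting the striped blocks back together, as an added example that is not part of the course slides: a small Python script that reassembles RAID 0 and RAID 5 member images given the three things the slide lists (disk order, stripe size, parity rotation) and checks that the member set is parity-consistent. The member images and the 48-byte "volume" are constructed sample data; the two parity layouts use the Linux md names (left-symmetric, left-asymmetric), and other controllers may rotate parity differently.

```python
"""Reassemble a striped volume from per-disk images; sample data below is constructed."""
from functools import reduce

def xor_bytes(blocks):
    """Byte-wise XOR of equal-length byte strings (RAID 5 parity is plain XOR)."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def parity_consistent(images):
    """True when every offset XORs to zero across all members (a synchronized set).
    XOR is commutative, so this proves neither the disk order nor the stripe size."""
    return not any(xor_bytes(images))

def data_disks(n, row, layout):
    """Parity disk and data disks (logical order) for one row. Parity starts on the last
    disk and moves left each row; left-symmetric continues data after it, left-asymmetric skips it."""
    pdisk = (n - 1 - row) % n
    if layout == "left-symmetric":
        return pdisk, [(pdisk + 1 + i) % n for i in range(n - 1)]
    if layout == "left-asymmetric":
        return pdisk, [d for d in range(n) if d != pdisk]
    raise ValueError(f"unknown layout {layout!r}")

def raid0_reassemble(images, stripe_size):
    """RAID 0: one chunk from each disk per row, in disk order."""
    rows = min(len(i) for i in images) // stripe_size
    return b"".join(img[r * stripe_size:(r + 1) * stripe_size]
                    for r in range(rows) for img in images)

def raid5_reassemble(images, stripe_size, layout="left-symmetric"):
    """RAID 5: like RAID 0, but skip the rotating parity chunk in each row."""
    n, out = len(images), bytearray()
    for r in range(min(len(i) for i in images) // stripe_size):
        _, order = data_disks(n, r, layout)
        for d in order:
            out += images[d][r * stripe_size:(r + 1) * stripe_size]
    return bytes(out)

def raid5_split(data, n, stripe_size, layout="left-symmetric"):
    """Inverse of raid5_reassemble; used here only to construct sample member images."""
    chunks = [data[i:i + stripe_size] for i in range(0, len(data), stripe_size)]
    images = [bytearray() for _ in range(n)]
    for r, start in enumerate(range(0, len(chunks), n - 1)):
        row = chunks[start:start + n - 1]
        pdisk, order = data_disks(n, r, layout)
        for d, chunk in zip(order, row):
            images[d] += chunk
        images[pdisk] += xor_bytes(row)
    return [bytes(i) for i in images]

if __name__ == "__main__":
    members = raid5_split(bytes(range(48)), 3, 4)  # constructed: 48-byte volume, 3 disks, 4-byte stripes
    print(parity_consistent(members), raid5_reassemble(members, 4) == bytes(range(48)))  # True True
```

Reversing the member order or choosing the wrong parity layout still yields output of the right size, just not the original volume, which is why the slide stresses knowing all three parameters; the parity check only tells you whether the images form one synchronized set.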
Imaging Considerations
• There may be a lot of data on the array or NAS. Do you really need it all? TRIAGE!!!
• You may not image the whole thing, just capture a specific directory or file(s).
• Can’t shut it down??? You may have to pull it across the network using a client machine.
• How do I connect to this thing?
14
Questions
Use the discussion board, as usual…
15