Raids 13 Examples on how to Image Them
Overview • Intel Based Hardware Raid • Dead • Live • Software Raid • Unix Based Raid
Warning • Since each RAID is different, these are generic steps. There is no ONE command which will work every time on every system. • You should test and verify these steps BEFORE attempting them “in real life”
Intel Based Hardware Raid • Common Makes • Gateway • Dell • Compaq • The physical RAID card controls the drives, not the OS.
Dead Intel Based Hardware Raid • How to #1 • Insert firewire card • Attach preformatted FAT32 HDD to Firewire • Boot from floppy • Send image to firewire hdd • Recommended not to compress
Dead Intel Based Hardware Raid • How to #2 • Insert promise card • Attach preformatted FAT32 HDD to card • Boot from floppy • Send image to your hdd • Recommended not to compress
Live Intel Based Hardware Raid • How to #3 (Windows) (Live) • Attach external (USB, Firewire) preformatted NTFS drive with Encase program folder on the drive. • On the system you want to image, navigate to your drive. • Launch <your tool here>, get the image and send it to your hdd.
Live Intel Based Hardware Raid • How to #4 (Windows) (Live) • On the same network segment • Open up a share (NTFS) big enough to handle the image with Encase program folder on the drive. • On the system you want to image, map the network drive. • Launch <your tool here>, get the image and send it to your hdd.
Live Intel Based Hardware Raid • How to #5 (Windows) (Live) • Use the Encase Enterprise Edition
Linux Software RAID • How to #6 (Linux) (Live) • On the same network segment • Open up a share (NFS) big enough to handle the image on another Linux Box. • On the system you want to image, mount the network drive. • DD the image to your hdd.
Linux Software RAID • How to #7 (Linux) (Live) • If the server has a tape drive • DD the raid to the tape drive
Linux Software RAID • How to #8 (Linux) (Live) • Use the Encase Enterprise Edition
Linux Software RAID • How to #9 (Linux) (Dead) Option A • Remove the RAID and place them • 1) I created a /etc/raidtab file which contained the following: • raiddev /dev/md0 • raid-level 0 • nr-raid-disks 2 • nr-spare-disks 0 • chunk-size 4 • persistent-superblock 1 • device /dev/sda1 • raid-disk 0 • device /dev/sdb1 • raid-disk 1 • NOTE: I knew the RAID level from the system's owner and • I learned the partitions on the devices from the fdisk -l command
Linux Software RAID • Create the raid with the command • mkraid /dev/md0 • Create a mount point for it • mkdir /mnt/raid • Mount the raid as read-only • mount /dev/md0 /mnt/raid -r • View the contents of the raid • ls -l /mnt/raid • dd the /dev/md0 to tape or flat file • dd if=/dev/md0 of=<your destination> • Finally add the dd to your favorite examination software.
Linux Software RAID • How to #9 (Linux) (Dead) Option B • Place Raid drives and your large dump drive into same box • Boot from Redhat linux install CD, choose recovery • Mount the RAID as Read-only • Format your dump drive and mount it • DD the raid to your drive
Windows Software RAID • How to #10 (Windows) (Live) • On the same network segment • Open up a share (NTFS) big enough to handle the image with Encase program folder on the drive. • On the system you want to image, map the network drive. • Launch <your tool here>, get the image and send it to your hdd.
Windows Software RAID • How to #11 (Windows) (Dead) • Image each of the drives and use your favorite tool to put them back together
Windows Software RAID • How to #12 (Windows) (Live) • Use the Encase Enterprise Edition
Non-Intel Based Hardware Raid • Common Makes • SUN • SGI • HP • Not i386, so no booting from a DOS disk
Unix Raid • How to #13 (Unix) (Live) • On the same network segment • Open up a share (NFS) big enough to handle the image on a linux box. • On the system you want to image, mount the network drive. • DD the image to your hdd.
PART 1: SETTING UP NFS • Change the IP of your RedHat box to be in the same range as the SUN server. For this example, the SUN server was assigned the IP 10.0.0.10 and the RedHat box was assigned the IP 10.0.0.11. • On my computer, the share I wanted to use was /share. • Then I had to modify the permissions on the /share folder • chmod 777 /share
PART 1: SETTING UP NFS • Use the NFS server manager to allow read-write access to the share, the IP of the SUN server and the share path
PART 1: SETTING UP NFS • NOTE: Before booting up a SUN Server, ensure all the network cables are plugged into a hub. Otherwise you will get a cable error message which will fill up your log files. • Now to verify it is working, open up a terminal and type showmount -e and hit enter. This will show the share and the IP which can connect to it.
PART 2: CONNECTING TO YOUR SERVER • Plug your RedHat box into the same hub as the SUN server (or crossover cable) • If not already running, boot up the SUN box and log in as root • On the SUN box, check the /mnt directory to see if anything is mounted there. Generally there will be nothing mounted. If something is mounted, you can unmount it, and use the /mnt as your mount point for this exercise. • Mount the NFS share • mount -F nfs 10.0.0.11:/share /mnt
PART 3: CREATING THE IMAGE • You need to list the drives on the SUN in order to know what device needs to be imaged. • Three different methods, depending on the version of the OS.
PART 3: CREATING THE IMAGE • df -h command • dd if=/dev/vx/dsk/rootvol of=/mnt/<IP address>-root.dd bs=512 &
PART 3: CREATING THE IMAGE • The mount command • dd if=/dev/dsk/c1t0d0s0 of=/mnt/<IP address>-root.dd bs=512 &
PART 3: CREATING THE IMAGE • df -k command • dd if=/dev/dsk/c1t0d0s2 of=/mnt/<IP address>.dd bs=512 &
PART 3: CREATING THE IMAGE • The command line is dd if=/what you want to image of=/where you want the image to be stored bs=512 (bs is block size). • Note: the s2 portion of the above command tells the computer to image the entire physical drive. This is good for single drive systems and it may be good for RAIDs…depending on your case.
PART 3: CREATING THE IMAGE • Each system will be different and each case will be different. • Do you need to image each slice? • Do you only need certain files or folders? This is something that you will need to figure out before you start.
PART 3: CREATING THE IMAGE • The “bs=512” portion of the command specifies the block size in bytes. 512 is a good standard for importing into Encase. • The “&” portion of the command tells the computer to run the process in the background. This is a good idea, because it lets you run several dd’s at the same time (recommend running only two at once). • Recommend you name the output <IP address of the server>_<slice>.dd. So an image of the root slice (partition) of a SUN computer with the IP 10.0.0.10 would be named 10.0.0.10_root.dd
PART 4: HASHING THE IMAGE • On the RedHat computer you can run the command from the directory where the dd images are stored: • md5sum *.dd >> IP.Add.re.ss_md5sum.txt
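Added example (not from the original slides): Parts 3 and 4 as one sketch that hashes the bytes while dd reads them and then re-hashes the stored image, so damage introduced on the NFS share or the dump drive is detectable. The function names and the .md5 sidecar file are made up for illustration, and it assumes tee and md5sum exist on the machine running dd.

```shell
#!/bin/sh
# Added illustration: acquire with dd, hash the stream in flight,
# then re-hash the stored image. Function names are hypothetical.

# acquire_image SRC DEST_DIR IP SLICE
# Writes DEST_DIR/IP_SLICE.dd plus an .md5 sidecar; prints the image path.
acquire_image() {
    src=$1; dest_dir=$2; ip=$3; slice=$4
    img="$dest_dir/${ip}_${slice}.dd"      # naming scheme from the slides
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -e "$img" ] && { echo "refusing to overwrite $img" >&2; return 1; }
    # tee stores the image while md5sum hashes the same bytes dd read,
    # so the recorded hash describes the source as it was acquired.
    sum=$(dd if="$src" bs=512 2>/dev/null | tee "$img" | md5sum | cut -d' ' -f1) || return 1
    # "hash  filename" layout, so md5sum -c also works from DEST_DIR
    printf '%s  %s\n' "$sum" "${ip}_${slice}.dd" > "$img.md5"
    chmod a-w "$img" "$img.md5"            # guard against accidental edits
    printf '%s\n' "$img"
}

# verify_image IMG
# Succeeds only if the stored image still matches the acquisition hash.
verify_image() {
    img=$1
    recorded=$(cut -d' ' -f1 "$img.md5") || return 1
    actual=$(md5sum "$img" | cut -d' ' -f1) || return 1
    [ "$recorded" = "$actual" ]
}
```

Plain sh has no pipefail, so a dd read error inside the pipeline is not reported by the exit status; keep dd's stderr (drop the 2>/dev/null) when running this against real media.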
PART 5: GETTING THE IMAGES OFF THE REDHAT BOX • There are several methods to get the files off. The easiest is to put the RedHat box onto your network and use SSH to connect and copy off the dd files. You can download a copy of SSH from www.ssh.com.
PART 5: GETTING THE IMAGES OFF THE REDHAT BOX • The other methods are: • Use Samba, this works like opening a windows share. • You can copy the files to tape • You can FTP them off. • Etc
PART 6: WARNING • You should practice these commands before doing it “live”. • If you are going to place your RedHat computer on a network, you should know how to secure your computer to prevent it from getting hacked. • This “how-to” was written as a general outline of the necessary steps; you cannot hold me responsible if something doesn’t work.
Unix Raid • How to #13 (Unix) (Live) • If the server has a tape drive • DD the raid to the tape drive
Other Information • It has been noted that some RAIDs do not work with Encase V4 due to a memory issue. Replace the V4 version with V3 and it should work.
Questions? • Got questions? • SA Dave Shaver • shaverd@belvoir.army.mil