Friday, August 15, 2008

F-Response: Imaging RAIDs

Matt Shannon posted an excellent article to his blog this morning called Singing in the RAID...it's a must read, folks. Take a look.

One thing that Matt quite correctly points out is that sometimes live acquisition (acquiring an image of system while the system is running) is your only option. There are times when a customer will tell you that the system you need to image can't be taken down, so removing the drives, imaging each, and rebuilding the array is not an option. Of course, there are other issues, such as SAS drives, boot-from-SAN systems, etc., that can all put a responder in the position to have to acquire the system in a live condition. This can be done by running acquisition tools such as FTK Imager from a CD or USB removable device, or the circumstances may permit or require you to use F-Response with its built-in write-blocking capability to access the system and perform the live acquisition (imaging done with the acquisition tool of your choice).

Another advantage of using F-Response is that it obviates the need for expensive enterprise licenses.

2 comments:

Troy said...

OK, I know I am becoming a broken record, but Windows FE also a good solution for RAIDs, SAS drives, and, even, VIOs. Windows FE is now are tool of choice for imaging SAS and RAID. If the system you want to image runs Windows, then Windows FE should give you a reliable platform to use for imaging.

By the way, the same techniques that work to make Windows FE forensically sound can be used with Vista and Windows 2008 to make a live Windows system that treats all added hard drives as read only.

Keydet89 said...

Troy,

My major concern with this is, showing up on-site as a consultant, convincing the customer that the system has to be taken down, and then not having the correct drivers.

However, I am downloading the ISO described in the instructions (version 1.1) that you provided.