[ale] Need a big external drive quick. Suggestions?
Greg Freemyer
greg.freemyer at gmail.com
Mon Jun 26 13:43:40 EDT 2006
On 6/2/06, Bob Toxen <transam at verysecurelinux.com> wrote:
thx! Do post us on your experience with the drive and this project.
You may want to make some measurements in advance of transfer speed.
Bob
===
All,
The project did not end up going the way I expected, but it is done and my
"image" is on tape.
I bought a 1TB Maxtor external drive. (Not sure how many spindles/drives
are inside the case.)
I ended up doing what we call a "live acquire". The server in question was
running Win2003 with a SCSI based 5-disk raid5.
I used ntimage (from Maresware) from Win2003 to effectively make a dd image
of the 700GB drive to the 1TB usb external drive I bought from Fry's ($699
IIRC). ntimage creates a series of 2GB segments as standard files. Most
forensic software can work with segmented images, so that is not a problem.
I got about 1 GB/min sustained throughput. I don't think the external USB
drive was the issue; instead, ntimage under Win2003 maxes out at 1GB/min per
our previous tests, so the best I can say is that the external drive
introduced no additional slow-downs.
I also made a tar backup of the image. That also took about 1GB/min. That
happens to be the speed of our LTO drive under linux, so once again the
external drive was not the bottleneck.
I may try running md5 against the 2GB image segments just to see how fast
the drive can run.
Greg
--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
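
The segment hashing mentioned at the end of the message, as an added example that is not part of the original post or of ntimage itself: it hashes each segment and the reassembled image in a single pass and reports throughput in GB/min. The `prefix.NNN` segment naming, the function names and the sample data are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
import time

CHUNK = 1024 * 1024  # read 1 MiB at a time; a 2GB segment never sits in memory


def ordered_segments(directory, prefix):
    """Segment paths sorted by numeric suffix (assumed names: prefix.001, ...)."""
    found = []
    for name in os.listdir(directory):
        stem, _, suffix = name.rpartition(".")
        if stem == prefix and suffix.isdigit():
            found.append((int(suffix), os.path.join(directory, name)))
    found.sort()
    # A missing segment silently changes the whole-image hash, so fail loudly.
    if [n for n, _ in found] != list(range(1, len(found) + 1)):
        raise ValueError("segment numbering has a gap or does not start at 1")
    return [path for _, path in found]


def hash_segmented_image(directory, prefix):
    """One pass over the data: per-segment MD5, whole-image MD5, GB/min."""
    whole, per_segment, total = hashlib.md5(), {}, 0
    start = time.perf_counter()
    for path in ordered_segments(directory, prefix):
        seg = hashlib.md5()
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                seg.update(block)
                whole.update(block)
                total += len(block)
        per_segment[os.path.basename(path)] = seg.hexdigest()
    minutes = (time.perf_counter() - start) / 60
    gb_per_min = (total / 1e9) / minutes if minutes > 0 else float("inf")
    return per_segment, whole.hexdigest(), total, gb_per_min


if __name__ == "__main__":
    # Constructed sample: 3000 bytes split into three 1000-byte "segments".
    data = (bytes(range(256)) * 12)[:3000]
    with tempfile.TemporaryDirectory() as tmp:
        for i in range(3):
            with open(os.path.join(tmp, f"image.{i + 1:03d}"), "wb") as fh:
                fh.write(data[i * 1000:(i + 1) * 1000])
        segs, whole, total, rate = hash_segmented_image(tmp, "image")
        for name, digest in segs.items():
            print(name, digest)
        print("whole image", whole, total, "bytes", f"{rate:.2f} GB/min")
```

The whole-image digest is the value to compare against a hash of the original volume; the per-segment digests localize a bad segment after a copy or a restore from tape.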