[ale] Need a big external drive quick. Suggestions?

Greg Freemyer greg.freemyer at gmail.com
Mon Jun 26 13:43:40 EDT 2006


On 6/2/06, Bob Toxen <transam at verysecurelinux.com> wrote:
thx!  Do post us on your experience with the drive and this project.
You may want to make some measurements in advance of transfer speed.

Bob
===
All,

The project did not end up going the way I expected, but it is done and my
"image" is on tape.

I bought a 1TB Maxtor external drive.  (Not sure how many spindles/drives
are inside the case.)

I ended up doing what we call a "live acquire".  The server in question was
running Win2003 with a SCSI-based 5-disk RAID5.

I used ntimage (from Maresware) from Win2003 to effectively make a dd image
of the 700GB drive to the 1TB USB external drive I bought from Fry's ($699
IIRC).  ntimage creates a series of 2GB segments as standard files.  Most
forensic software can work with segmented images, so that is not a problem.

I got about 1 GB/min sustained throughput.  I don't think the external USB
drive was the issue; instead, ntimage under Win2003 maxes out at 1GB/min per
our previous tests, so the best I can say is that the external drive
introduced no additional slow-downs.

I also made a tar backup of the image.  That also took about 1GB/min.  That
happens to be the speed of our LTO drive under Linux, so once again the
external drive was not the bottleneck.

I may try running md5 against the 2GB image segments just to see how fast
the drive can run.


Greg
-- 
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
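
The MD5 pass mentioned at the end of the message, as an added example that is not part of the original post: it hashes each segment and the whole image (segments concatenated in numeric order) and reports the read rate in GB/min. The segment file names and glob pattern are assumptions; the post does not give ntimage's naming scheme.

```python
import hashlib
import re
import sys
import time
from pathlib import Path

CHUNK = 4 * 1024 * 1024  # bytes per read


def natural_key(path):
    """Sort key so that image.2 comes before image.10 (names are hypothetical)."""
    parts = re.split(r"(\d+)", Path(path).name)
    return [int(p) if p.isdigit() else p for p in parts]


def hash_image(directory, pattern):
    """MD5 each segment and the image formed by concatenating them in order."""
    files = (p for p in Path(directory).glob(pattern) if p.is_file())
    whole = hashlib.md5()
    segments = []
    total = 0
    start = time.perf_counter()
    for path in sorted(files, key=natural_key):
        seg = hashlib.md5()
        size = 0
        with open(path, "rb") as fh:
            while chunk := fh.read(CHUNK):
                seg.update(chunk)
                whole.update(chunk)
                size += len(chunk)
        segments.append((path.name, size, seg.hexdigest()))
        total += size
    seconds = time.perf_counter() - start
    # Read rate in the unit used in the post (GB/min). Segments still in the
    # OS page cache will read faster than the drive can actually deliver.
    gb_per_min = (total / 1e9) / (seconds / 60) if seconds > 0 else 0.0
    return {"segments": segments, "image_md5": whole.hexdigest(),
            "bytes": total, "gb_per_min": gb_per_min}


if __name__ == "__main__":
    # Usage: python hash_image.py <directory> <glob>, e.g. /mnt/usb "image.*"
    report = hash_image(sys.argv[1], sys.argv[2])
    for name, size, digest in report["segments"]:
        print(f"{digest}  {name}  ({size} bytes)")
    print(f"{report['image_md5']}  (whole image, {report['bytes']} bytes)")
    print(f"{report['gb_per_min']:.2f} GB/min")
```

The whole-image digest can be compared with a hash taken of the source volume at acquisition time, if one was recorded; the per-segment digests localize any mismatch to a single file.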

