[ale]  Need a big external drive quick. Suggestions?
    Greg Freemyer 
    greg.freemyer at gmail.com
       
    Mon Jun 26 13:43:40 EDT 2006
    
    
  
On 6/2/06, Bob Toxen <transam at verysecurelinux.com> wrote:
thx!  Do post us on your experience with the drive and this project.
You may want to make some measurements in advance of transfer speed.
Bob
===
All,
The project did not end up going the way I expected, but it is done and my
"image" is on tape.
I  bought a 1TB Maxtor external drive.  (Not sure how many spindles/drives
are inside the case.)
I ended up doing what we call a "live acquire".  The server in question was
running Win2003 with a SCSI based 5-disk raid5.
I used ntimage (from Maresware) from Win2003 to effectively make a dd image
of the 700GB drive to the 1TB usb external drive I bought from Fry's ($699
IIRC).  ntimage creates a series of 2GB segments as standard files.  Most
forensic software can work with segmented images, so that is not a problem
I got about 1 GB/min sustained throughput.  I don't think the external usb
drive was the issue, instead ntimage under Win2003 maxes out at 1GB/min per
our previous tests, so the best I can say is that the external drive
introduced no additional slow-downs.
I also made a tar backup of the image.  That also took about 1GB/min.  That
happens to be the speed of our LTO drive under linux, so once again the
external drive was not the bottleneck.
I may try running md5 against the 2GB image segments just to see how fast
the drive can run.
Greg
-- 
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
-- 
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
-------------- next part --------------
An HTML attachment was scrubbed...
    
    
More information about the Ale
mailing list