NT Disk Mirroring info


Guardian
Newbie
 

NT Disk Mirroring info

Posted: Nov 22, 05 22:25

Hi everyone,
This is my first post, and I'm not a specialist as many here in the forum appear to be, so bear with me.

I'm working on a web server that was compromised about a week ago, and ran into a small stumbling block. The box is running Windows NT 4, and the C: drive is mirrored on two 9 GB SCSI drives through NT. Even though I know this incident will never go to court, I wanted to make a forensically sound backup of the drive. Since there was no one who knew the Admin password for the box, I stopped the box (not a shutdown) and booted to a Bart-PE CD with Winhex Forensics on it. I got access to the physical drives of the mirrored set with Winhex, but noticed when I opened the partition that certain files I knew should be there weren't. I eventually rebooted the server, and the files I knew were there were exactly where they should be.

My questions are:
1) Why couldn't I see the files on the physical device, and how is it they showed when the set.
2) Is there a better way to get a forensically sound backup of a mirrored set, as in my scenario.

Thanks for any help/links.

Guardian  
 
  

keydet89
Senior Member
 

Re: NT Disk Mirroring info

Posted: Nov 23, 05 01:32

Where are you located in NoVA?
 
  

Guardian
Newbie
 

Re: NT Disk Mirroring info

Posted: Nov 23, 05 01:42

I'm in Fairfax. I actually have your book sitting right behind me.  
 
  

m7esec
Senior Member
 

Re: NT Disk Mirroring info

Posted: Nov 23, 05 04:07

You could be rebuilding the wrong partitions. I have seen more than a couple deleted partitions on a drive. Try some of the other NTFS partitions.
_________________
GSEC, GCFA, GCIH, EnCE
Certified Forensic Examiner
St. Louis, MO 
 
  

m7esec
Senior Member
 

Re: NT Disk Mirroring info

Posted: Nov 23, 05 04:18

Oh yes, second question. I had the exact same issue with SCSI drives just a couple of weeks ago. We did it exactly the way you are doing it (except we used Encase), but looking back we should have just done a live acq. We use Encase Enterprise for our Corp, which allows you to do acquisition over the wire without shutting down the machine; this allows both logical and physical acquisitions and you don't have to rebuild the partition from a RAID or SCSI mirrored config. If you don't have that, which most don't, understandably, get a CD with the needed tools for NT such as DD.EXE, map a network share, and pipe the logical and physical image to the network share.
 
  

Guardian
Newbie
 

Re: NT Disk Mirroring info

Posted: Nov 23, 05 18:55

Thanks for the tips m7esec, but I'll have to admit a little confusion, as I'm not rebuilding any partitions. The C: drive on this server consists of two physical drives doing mirroring through NT. My Bart-PE disk uses XP, and I'm just accessing one of the physical drives via Winhex, as neither the physical drives nor the mirrored set is mounted by XP. The drives only have a single partition, so I can't be working with the wrong one. Can you clarify the whole idea of rebuilding the partition some.

Also, your idea of performing the backup to a network share, while interesting, isn't really applicable in this scenario. I had no login capability to the machine, so I had to turn it off to reboot to my Bart CD. I will look into the DD for Windows tool though.

It still doesn't make sense (to me anyway), that those files don't exist on either one of the physical drives from the mirrored set, unless you boot normally and have the mirrored set mounted.  
 
  

hogfly
Senior Member
 

Re: NT Disk Mirroring info

Posted: Nov 23, 05 19:39

If the system is using a mirrored disk configuration, you need to break the mirror before imaging one of the disks unless you do a live acquisition.
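One check a practitioner would run after imaging both members of a software mirror, as an added example that is not code from the thread or from any poster: it compares the two raw member images sector by sector, hashes each image, and reports the sector ranges where the members diverge, which is how you would tell whether the member you imaged was actually in sync before trusting it. The 512-byte sector size and the constructed sample images are assumptions.

```python
import hashlib

SECTOR = 512  # assumed sector size for the raw member images


def image_hash(img: bytes) -> str:
    """SHA-256 of a whole raw image, for the acquisition record."""
    return hashlib.sha256(img).hexdigest()


def divergent_sector_ranges(img_a: bytes, img_b: bytes, sector: int = SECTOR):
    """Compare two raw images sector by sector and return the inclusive
    (first, last) sector ranges where the members do not match.
    A shorter image counts as differing over its missing tail."""
    total = max(len(img_a), len(img_b))
    ranges = []
    for start in range(0, total, sector):
        if img_a[start:start + sector] != img_b[start:start + sector]:
            n = start // sector
            if ranges and ranges[-1][1] == n - 1:
                ranges[-1] = (ranges[-1][0], n)   # extend the current run
            else:
                ranges.append((n, n))              # start a new run
    return ranges


def mirror_report(img_a: bytes, img_b: bytes, sector: int = SECTOR) -> dict:
    """Summarise whether two mirror members agree and where they do not."""
    ranges = divergent_sector_ranges(img_a, img_b, sector)
    return {
        "hash_a": image_hash(img_a),
        "hash_b": image_hash(img_b),
        "in_sync": not ranges,
        "divergent_sectors": sum(last - first + 1 for first, last in ranges),
        "ranges": ranges,
    }


def constructed_members():
    """Constructed 64-sector images: member B has sectors 40-43 zeroed
    (data present on A only) and a single flipped byte in sector 10."""
    base = bytearray(64 * SECTOR)
    for n in range(64):
        base[n * SECTOR:(n + 1) * SECTOR] = bytes([n]) * SECTOR
    member_b = bytearray(base)
    member_b[40 * SECTOR:44 * SECTOR] = b"\x00" * (4 * SECTOR)
    member_b[10 * SECTOR + 7] ^= 0xFF
    return bytes(base), bytes(member_b)


if __name__ == "__main__":
    a, b = constructed_members()
    print(mirror_report(a, b))
```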
 
