Re: [linux_forensics] dd - backup

  • Dietmar Mauersberger
    Message 1 of 23, Aug 1, 2004
      Hi Andy,

      my comment had no value. What I meant was that SMART is a great solution
      for the problem I have, but I want to do it everywhere and at anytime
      without being dependent on 3rd-party commercial solutions. I want it
      open, free and done with max. 10 lines or some small tool I'll find on
      most every distribution.

      Dietmar




      Andrew Rosen wrote:
      > Hi Dietmar -
      >
      > My name is Andrew Rosen. I'd like to ask if you'd
      > mind elaborating on the comment :
      >
      >
      >>I know "SMART" can do it but that's no solution ;-)
      >
      >
      > You are correct in that SMART is able to provide the
      > functionality you are seeking, but I'm wondering why
      > you don't see SMART as a viable option.
      >
      > Regards -
      >
      > Andrew Rosen
      > ASR Data
      >
    • Randall Shane
      Message 2 of 23, Aug 2, 2004
        Dietmar,

        You can tee your output from dd quite easily. The command line looks like this:

        dd if=/dev/hdX | tee /mnt/location1 | dd of=/dev/tapedevice

        A second option if you prefer the GUI is to use AIR (Automated Image and
        Restore) written by Steve Gibson. It's out on sourceforge. It's a free GUI dd
        front end that incorporates either dd or dcfldd with the hashwindow. Quite a
        nifty little program.


        Happy Hunting,

        Randall Shane





        ________________________________________________
        Get your own "800" number
        Voicemail, fax, email, and a lot more
        http://www.ureach.com/reg/tag


        ---- On Fri, 30 Jul 2004, Dietmar Mauersberger (news@...) wrote:

        > Hi *,
        >
        > I like Linux as a "forensic tool" but have an unsolved problem with my
        > backups:
        >
        > How do I create a backup on tape & hd simultaneously? Ok, I've heard of
        > the "tee" command and it works pretty well but what if the evidence
        > drive has more capacity than the tape device? Any ideas? I know "SMART"
        > can do it but that's no solution ;-)
        >
        > Thanks!
        > Dietmar
      • Dietmar Mauersberger
        Message 3 of 23, Aug 2, 2004
          Hi Randall,

          I know. That's not the problem. What if the capacity of the tape device
          is lower than the drive to be imaged? That's the problem I have.

          The dd to the tape device cannot handle that!

          I'll have a look at AIR, but I assume it does not provide that feature.

          Dietmar

          Randall Shane wrote:
          > Dietmar,
          >
          > You can tee your output from dd quite easily. The command line looks like this:
          >
          > dd if=/dev/hdX | tee /mnt/location1 | dd of=/dev/tapedevice
          >
          > A second option if you prefer the GUI is to use AIR (Automated Image and
          > Restore) written by Steve Gibson. It's out on sourceforge. It's a free GUI dd
          > front end that incorporates either dd or dcfldd with the hashwindow. Quite a
          > nifty little program.
          >
          >
          > Happy Hunting,
          >
          > Randall Shane
          >
          >
        • Randall Shane
          Message 4 of 23, Aug 2, 2004
            Dietmar,

            Let me see if I have this correct, you want to image from a single drive to
            another drive and also to a tape with less capacity than the drive (?). The
            obvious solution here is to buy a larger tape drive, VXA is nice. Aside from
            that, you could pipe the output from the second portion of the command through
            gzip or bzip2 and then direct the output to the tape drive. Or split the image
            first, but you won't be able to do that simultaneously.

            In order to perform both operations simultaneously, you need some code as
            opposed to scripting or a command line because you'll need to either cache the
            data before a split can be performed or you'll have to pause/stop the dd
            retaining the ending block number until you change the tape. Then, restart dd
            with the block subsequent to the one you ended on in the last tape and move on.
            Use the output from dd to feed your variables that keep track of the block
            number. Then you'll need to mimic the process with md5 to get a valid hash.
            That could be a fun project in C if you care to play around with it.

            If you're looking for a command line solution, compression may be the better
            route. And I wouldn't just assume AIR doesn't do it - Check it out.

            RS






            ---- On Mon, 02 Aug 2004, Dietmar Mauersberger (news@...) wrote:

            > Hi Randall,
            >
            > I know. That's not the problem. What if the capacity of the tape device
            > is lower than the drive to be imaged? That's the problem I have.
            >
            > The dd to the tape device cannot handle that!
            >
            > I'll have a look at AIR, but I assume it does not provide that feature.
            >
            > Dietmar
            >
            > Randall Shane wrote:
            > > Dietmar,
            > >
            > > You can tee your output from dd quite easily. The command line looks like this:
            > >
            > > dd if=/dev/hdX | tee /mnt/location1 | dd of=/dev/tapedevice
            > >
            > > A second option if you prefer the GUI is to use AIR (Automated Image and
            > > Restore) written by Steve Gibson. It's out on sourceforge. It's a free GUI dd
            > > front end that incorporates either dd or dcfldd with the hashwindow. Quite a
            > > nifty little program.
            > >
            > >
            > > Happy Hunting,
            > >
            > > Randall Shane
            > >
            > >
          • metax@gmx.net
            Message 5 of 23, Aug 2, 2004
              hello dietmar,
              have you tried to pipe the output of dd into gzip?
              for example:
              # dd if=/dev/hda1 bs=512 | gzip -9 > /safe/place/hda1.dd.gz

              that results in a smaller image than the original device was.
              perhaps if the compression was strong enough it could fit on your tape
              device.
              for more information see
              http://sentinelsecurity.net/whitepapers/diskcloning.pdf
              hope it helps.

              kind regards to Munich,
              klemens


              > I know. That's not the problem. What if the capacity of the tape device
              > is lower than the drive to be imaged? That's the problem I have.
              >
              > The dd to the tape device cannot handle that!
              >
              > I'll have a look at AIR, but I assume it does not provide that feature.
            • Dietmar Mauersberger
              Message 6 of 23, Aug 2, 2004
                Hi Klemens, hi Randall!

                Compression is unfortunately not enough and to buy a larger tape is not
                the most desirable solution. The costs for tapes with 400 GB or more
                capacity exceed our budget (and I assume not only ours) by far. I'm
                searching for the easiest solution with simple command line tools. If
                there is none, we'll do it in C or Perl. Just wanted to check if I
                missed something.

                Thanks!

                Dietmar


                metax@... wrote:
                > hello dietmar,
                > have you tried to pipe the output of dd into gzip?
                > for example:
                > # dd if=/dev/hda1 bs=512 | gzip -9 > /safe/place/hda1.dd.gz
                >
                > that results in a smaller image than the original device was.
                > perhaps if the compression was strong enough it could fit on your tape
                > device.
                > for more information see
                > http://sentinelsecurity.net/whitepapers/diskcloning.pdf
                > hope it helps.
                >
                > kind regards to Munich,
                > klemens
              • Enda Cronnolly
                Message 7 of 23, Aug 2, 2004
                  Is your tape drive a plain old single tape drive or an autochanger?

                  ----- Original Message -----
                  From: "Dietmar Mauersberger" <news@...>
                  To: <linux_forensics@yahoogroups.com>
                  Sent: Monday, August 02, 2004 2:24 PM
                  Subject: Re: [linux_forensics] dd - backup


                  > Hi Klemens, hi Randall!
                  >
                  > Compression is unfortunately not enough and to buy a larger tape is not
                  > the most desirable solution. The costs for tapes with 400 GB or more
                  > capacity exceed our budget (and I assume not only ours) by far. I'm
                  > searching for the easiest solution with simple command line tools. If
                  > there is none, we'll do it in C or Perl. Just wanted to check if I
                  > missed something.
                  >
                  > Thanks!
                  >
                  > Dietmar
                  >
                  >
                  > metax@... wrote:
                  > > hello dietmar,
                  > > have you tried to pipe the output of dd into gzip?
                  > > for example:
                  > > # dd if=/dev/hda1 bs=512 | gzip -9 > /safe/place/hda1.dd.gz
                  > >
                  > > that results in a smaller image than the original device was.
                  > > perhaps if the compression was strong enough it could fit on your tape
                  > > device.
                  > > for more information see
                  > > http://sentinelsecurity.net/whitepapers/diskcloning.pdf
                  > > hope it helps.
                  > >
                  > > kind regards to Munich,
                  > > klemens
                • Dietmar Mauersberger
                  Message 8 of 23, Aug 2, 2004
                    they are all old single tapes. DDS-4, DLT, SLR.

                    Enda Cronnolly wrote:
                    > Is your tape drive a plain old single tape drive or an autochanger?
                    >
                  • Joe Corrigan
                    Message 9 of 23, Aug 2, 2004
                      Dietmar,

                      do you need the entire drive (i.e. unallocated space) to be backed up? if
                      not you can save some space by only backing up the files you want by using
                      tar and creating a bz2 compressed tar archive. if that is still too large
                      use the split command and span the archive over multiple tapes.

                      HTH

                      -------------------------------------------------------
                      Joe Corrigan
                      Ohio BCI

                      Victorious warriors win first; Then go to war.
                      Defeated warriors go to war first; Then seek to win.
                      --- Sun Tzu


                      -----Original Message-----
                      From: Dietmar Mauersberger [mailto:news@...]
                      Sent: Monday, August 02, 2004 9:24 AM
                      To: linux_forensics@yahoogroups.com
                      Subject: Re: [linux_forensics] dd - backup


                      Hi Klemens, hi Randall!

                      Compression is unfortunately not enough and to buy a larger tape is not
                      the most desirable solution. The costs for tapes with 400 GB or more
                      capacity exceed our budget (and I assume not only ours) by far. I'm
                      searching for the easiest solution with simple command line tools. If
                      there is none, we'll do it in C or Perl. Just wanted to check if I
                      missed something.

                      Thanks!

                      Dietmar


                      metax@... wrote:
                      > hello dietmar,
                      > have you tried to pipe the output of dd into gzip?
                      > for example:
                      > # dd if=/dev/hda1 bs=512 | gzip -9 > /safe/place/hda1.dd.gz
                      >
                      > that results in a smaller image than the original device was.
                      > perhaps if the compression was strong enough it could fit on your tape
                      > device.
                      > for more information see
                      > http://sentinelsecurity.net/whitepapers/diskcloning.pdf
                      > hope it helps.
                      >
                      > kind regards to Munich,
                      > klemens
                    • Rodrigo Barbosa
                      Message 10 of 23, Aug 2, 2004
                        -----BEGIN PGP SIGNED MESSAGE-----
                        Hash: SHA1

                        Why not try DUMP ? With the correct parameters, it can automatically split
                        the data between several tapes.

                        []s

                        On Mon, Aug 02, 2004 at 03:24:20PM +0200, Dietmar Mauersberger wrote:
                        > Hi Klemens, hi Randall!
                        >
                        > Compression is unfortunately not enough and to buy a larger tape is not
                        > the most desirable solution. The costs for tapes with 400 GB or more
                        > capacity exceed our budget (and I assume not only ours) by far. I'm
                        > searching for the easiest solution with simple command line tools. If
                        > there is none, we'll do it in C or Perl. Just wanted to check if I
                        > missed something.
                        >
                        > Thanks!
                        >
                        > Dietmar
                        >
                        >
                        > metax@... wrote:
                        > > hello dietmar,
                        > > have you tried to pipe the output of dd into gzip?
                        > > for example:
                        > > # dd if=/dev/hda1 bs=512 | gzip -9 > /safe/place/hda1.dd.gz
                        > >
                        > > that results in a smaller image than the original device was.
                        > > perhaps if the compression was strong enough it could fit on your tape
                        > > device.
                        > > for more information see
                        > > http://sentinelsecurity.net/whitepapers/diskcloning.pdf
                        > > hope it helps.
                        > >
                        > > kind regards to Munich,
                        > > klemens

                        - --
                        Rodrigo Barbosa <rodrigob@...>
                        "Quid quid Latine dictum sit, altum viditur"
                        "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

                        -----BEGIN PGP SIGNATURE-----
                        Version: GnuPG v1.2.3 (GNU/Linux)

                        iD8DBQFBDl5ypdyWzQ5b5ckRAu/0AJ99r9ovJy0o6N5cF7HBooyfDl9wbQCfalWA
                        2JhNaPcf92pyb9akOtOj1O0=
                        =pC4a
                        -----END PGP SIGNATURE-----
                      • Enda Cronnolly
                        Message 11 of 23, Aug 2, 2004
                          > -----BEGIN PGP SIGNED MESSAGE-----
                          > Hash: SHA1
                          >
                          > Why not try DUMP ? With the correct parameters, it can automatically split
                          > the data between several tapes.

                          Yeah, but without an autochanger he's going to have difficulties achieving
                          his goal of doing it simultaneously to disk and tape.

                          -Enda.

                          > []s
                          >
                          > On Mon, Aug 02, 2004 at 03:24:20PM +0200, Dietmar Mauersberger wrote:
                          > > Hi Klemens, hi Randall!
                          > >
                          > > Compression is unfortunately not enough and to buy a larger tape is not
                          > > the most desirable solution. The costs for tapes with 400 GB or more
                          > > capacity exceed our budget (and I assume not only ours) by far. I'm
                          > > searching for the easiest solution with simple command line tools. If
                          > > there is none, we'll do it in C or Perl. Just wanted to check if I
                          > > missed something.
                          > >
                          > > Thanks!
                          > >
                          > > Dietmar
                          > >
                          > >
                          > > metax@... wrote:
                          > > > hello dietmar,
                          > > > have you tried to pipe the output of dd into gzip?
                          > > > for example:
                          > > > # dd if=/dev/hda1 bs=512 | gzip -9 > /safe/place/hda1.dd.gz
                          > > >
                          > > > that results in a smaller image than the original device was.
                          > > > perhaps if the compression was strong enough it could fit on your tape
                          > > > device.
                          > > > for more information see
                          > > > http://sentinelsecurity.net/whitepapers/diskcloning.pdf
                          > > > hope it helps.
                          > > >
                          > > > kind regards to Munich,
                          > > > klemens
                          >
                          > - --
                          > Rodrigo Barbosa <rodrigob@...>
                          > "Quid quid Latine dictum sit, altum viditur"
                          > "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
                          >
                          > -----BEGIN PGP SIGNATURE-----
                          > Version: GnuPG v1.2.3 (GNU/Linux)
                          >
                          > iD8DBQFBDl5ypdyWzQ5b5ckRAu/0AJ99r9ovJy0o6N5cF7HBooyfDl9wbQCfalWA
                          > 2JhNaPcf92pyb9akOtOj1O0=
                          > =pC4a
                          > -----END PGP SIGNATURE-----
                        • Gary Funck
                          Message 12 of 23, Aug 2, 2004
                            > -----Original Message-----
                            > From: Dietmar Mauersberger [mailto:news@...]
                            > Sent: Friday, July 30, 2004 5:47 AM
                            >
                            > I like Linux as a "forensic tool" but have an unsolved problem with my
                            > backups:
                            >
                            > How do I create a backup on tape & hd simultaneously? Ok, I've heard of
                            > the "tee" command and it works pretty well but what if the evidence
                            > drive has more capacity than the tape device? Any ideas? I know "SMART"
                            > can do it but that's no solution ;-)


                            Perhaps cpio can be used here to handle the archiving. It accepts a
                            list of files on standard input and archives the files to the output medium.
                            Cpio will prompt the user for media changes. Schematically, the process
                            might look like this:

                            backup_via_dd_in_chunks <disk_drive_device> | cpio <tape_device>

                            where 'backup_via_dd_in_chunks' is a script which copies
                            data from the drive in convenient sized chunks, copying the
                            chunks into unique files and then writes the filename of the
                            chunk to standard out. Cpio in turn reads standard input
                            for the list of files to be backed up. Cpio has a few choices
                            for the output archive format.
                          • Dietmar Mauersberger
                            Message 13 of 23, Aug 3, 2004
                              Hi *,

                              thank you for all your suggestions. A colleague worked on something like
                              the following script. Thanks to Thomas!!!


                              #!/usr/bin/perl -w
                              use strict;

                              my $tape_length  = 4 * 1024**3;   # for 4 GByte tape
                              my $tape_written = 0;             # bytes written to the current tape
                              my $data;

                              open IN,   "</dev/hda"  or die $!;
                              open FILE, ">file.dd"   or die $!;
                              open TAPE, ">/dev/tape" or die $!;

                              # sysread returns the byte count, 0 at the end of the device, undef on error
                              my $n;
                              while ($n = sysread(IN, $data, 1024)) {
                                  print FILE $data;             # the buffer is $data, not $_
                                  if ($tape_written + length($data) >= $tape_length) {
                                      # tape is full: close it and wait for the next one
                                      close TAPE;
                                      print "\n\nTape full - insert the next tape and press Enter\n";
                                      <STDIN>;
                                      open TAPE, ">/dev/tape" or die $!;
                                      $tape_written = 0;
                                  }
                                  print TAPE $data;
                                  $tape_written += length($data);
                              }
                              unless (defined $n) {
                                  print "\n\nWARNING: read error: $!\n\n";
                                  exit 1;
                              }

                              close IN;
                              close FILE;
                              close TAPE;
                            • Gary Funck
                              Message 14 of 23, Aug 3, 2004
                                > -----Original Message-----
                                > From: Dietmar Mauersberger [mailto:news@...]
                                > Sent: Tuesday, August 03, 2004 3:04 AM
                                > To: linux_forensics@yahoogroups.com
                                > Subject: Re: [linux_forensics] dd - backup
                                >
                                >
                                > Hi *,
                                >
                                > thank you for all your sugestions. A colleague worked on something like
                                > the following script. Thanks to Thomas!!!
                                >
                                >
                                > #!/usr/bin/perl -w
                                > use strict;
                                > my $tape_length = 4 * 1024**3; # for 4 GByte Tape
                                > my $tape_written = 0;
                                > my $data;
                                > open IN, "</dev/hda" or die $!;
                                > open FILE, ">file.dd" or die $!;
                                > open TAPE, ">/dev/tape" or die $!;
                                >
                                > while (sysread(IN, $data, 1024)) {
                                > if (defined $data) {
                                > print FILE $_;
                                > if ($tape_written + length($data) >= $tape_length) {
                                > print TAPE $_;
                                > } else {
                                > print TAPE $_;
                                > }
                                > } else {
                                > print "\n\nWARNING\n\n";
                                > exit 1;
                                > }
                                > }
                                >
                                > close IN;
                                > close FILE;
                                > close TAPE;

                                Not bad. However, it looks more like a "program" than a "script" to me. <g>
                                Also, I doubt that a Perl script banging out blocks to the tape and (large
                                single) disk file is going to be nearly as fast as the system utilities like 'dd'
                                and 'cpio'.

                                A few technical issues:

                                1) There is no tape volume switching here:

                                > if ($tape_written + length($data) >= $tape_length) {
                                > print TAPE $_;
                                [...]


                                2) Unless your kernel supports it, and you make the correct I/O calls
                                then you may hit the 2 (or 4) gigabyte file size limit on this write:

                                > print FILE $_;

                                3) There is no checksumming that will provide an audit trail.

                                4) The resulting big file (file.dd) may be difficult to work with.
                                Conventionally, you'd break the 'dd' file into chunks that are
                                small enough to not exceed the OS file size limit, and (possibly)
                                that fit onto CD's or DVD's for later archiving.

                                5) There is no error handling above. Unfortunately, older disks often
                                develop errors, and likewise tape drives can act up as well. There
                                is also no checking that the tape volume is (a) writeable, (b) empty.
                                It can be difficult to write a robust tape handling program that helps
                                the user avoid errors.
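The block-number approach Randall describes in message 4 (retain the block where the last tape ended, restart dd at the next one), Gary's `backup_via_dd_in_chunks | cpio` sketch in message 12, and the per-chunk checksums point 3 asks for, worked through as one added example. This is not code from the thread or from any of its posters; it assumes POSIX sh with GNU coreutils dd and md5sum, and the function names, the MANIFEST.md5 file, the chunk.NNNN naming and the /dev/hda, /mnt/image and /dev/st0 paths in the closing comment are this example's own choices and placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Images a source in fixed-size
# chunks with dd (resumable by chunk number, as Randall describes), records
# an md5 per chunk as an audit trail, and prints each chunk path on stdout so
# that "cpio -o" can archive the chunks to tape and prompt for the next
# volume when one fills (Gary's backup_via_dd_in_chunks | cpio sketch).
# Assumes POSIX sh with GNU coreutils dd and md5sum. Function names, the
# MANIFEST.md5 file and the chunk.NNNN naming are this example's own choices.

# backup_via_dd_in_chunks SRC OUTDIR BS COUNT [START]
#   Copies SRC into OUTDIR/chunk.NNNN, each BS*COUNT bytes (the last may be
#   shorter), starting at chunk number START (default 0) so that a run can
#   be resumed after a tape change. Appends "md5  chunk.NNNN" to
#   OUTDIR/MANIFEST.md5 and prints every chunk path. Returns 1 on a read or
#   hash failure instead of silently producing a short image.
backup_via_dd_in_chunks() {
    src=$1; outdir=$2; bs=$3; count=$4; n=${5:-0}
    chunk=$((bs * count))
    mkdir -p "$outdir" || return 1
    # a fresh run starts a new manifest; a resumed run appends to the old one
    if [ "$n" -eq 0 ]; then : > "$outdir/MANIFEST.md5"; fi
    while :; do
        name=$(printf 'chunk.%04d' "$n")
        # skip=n*COUNT jumps past the blocks already imaged (the block number
        # Randall says to retain); count=COUNT bounds this chunk
        dd if="$src" of="$outdir/$name" bs="$bs" skip=$((n * count)) count="$count" \
            2>/dev/null || return 1
        size=$(( $(wc -c < "$outdir/$name") ))
        if [ "$size" -eq 0 ]; then
            rm -f "$outdir/$name"       # source ended exactly on a chunk boundary
            break
        fi
        (cd "$outdir" && md5sum "$name") >> "$outdir/MANIFEST.md5" || return 1
        printf '%s\n' "$outdir/$name"
        n=$((n + 1))
        if [ "$size" -lt "$chunk" ]; then break; fi   # short chunk: end of source
    done
    return 0
}

# verify_chunks OUTDIR: re-hash every chunk against the manifest (exit 0 = all match)
verify_chunks() {
    (cd "$1" && md5sum -c --quiet MANIFEST.md5) >/dev/null
}

# image_hash OUTDIR: md5 of the chunks concatenated in order, for comparison
# with the hash of the original device (chunk.0000, chunk.0001, ... sort correctly)
image_hash() {
    cat "$1"/chunk.* | md5sum | cut -d' ' -f1
}

# Tape run (not executed here; /dev/hda, /mnt/image and /dev/st0 are placeholders):
#   backup_via_dd_in_chunks /dev/hda /mnt/image 1048576 1024 | cpio -o -H newc -O /dev/st0
# 1 GiB chunks stay well under the 2 GiB file limit Gary mentions; cpio reads the
# chunk list on stdin and asks for the next volume when the tape is full.
```

The chunk number doubles as the resume point: after a tape change, rerunning with START set to the first chunk that did not make it onto the previous volume continues from exactly that block, and `verify_chunks` plus `image_hash` give the audit trail the Perl script lacks (each chunk is checkable on its own, and the concatenation can be compared with a hash taken of the whole device).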
                              • Dietmar Mauersberger
                                Message 15 of 23, Aug 4, 2004
                                  Hi Gary,

                                  > A few technical issues:
                                  >
                                  > 1) There is no tape volume switching here:
                                  >
                                  >
                                  >> if ($tape_written + length($data) >= $tape_length) {
                                  >> print TAPE $_;

                                  There is a message to ask for the tape change and to press a key if
                                  done. It was in German, so I deleted it and it looks incomplete now.

                                  > 3) There is no checksumming that will provide an audit trail.

                                  Checksumming is not so high in demand... but that's another story.

                                  > 4) The resulting big file (file.dd) may be difficult to work with.
                                  > Conventionally, you'd break the 'dd' file into chunks that are
                                  > small enough to not exceed the OS file size limit, and (possibly)
                                  > that fit onto CD's or DVD's for later archiving.

                                  Did you find a way to use chunks with the loopback device? I don't know
                                  of any and so I prefer one large file (or at least one file for each
                                  partition). I do not use EnCase or any other commercial tool for my
                                  investigations.

                                  > 5) There is no error handling above. Unfortunately, older disks often
                                  > develop errors, and likewise tape drives can act up as well. There
                                  > is also no checking that the tape volume is (a) writeable, (b) empty.
                                  > It can be difficult to write a robust tape handling program that helps
                                  > the user avoid errors.

                                  That's why I was searching for a solution with common command line
                                  tools... but there is none :-(

                                  Dietmar
                                • Altheide, Cory B. (IARC)
                                  Message 16 of 23 , Aug 4, 2004
                                    > -----Original Message-----
                                    > From: Dietmar Mauersberger [mailto:news@...]
                                    > Sent: Wednesday, August 04, 2004 1:44 AM
                                    > To: linux_forensics@yahoogroups.com
                                    > Subject: Re: [linux_forensics] dd - backup
                                    >
                                    > > 4) The resulting big file (file.dd) may be difficult to work with.
                                    > > Conventionally, you'd break the 'dd' file into chunks that are
                                    > > small enough to not exceed the OS file size limit, and (possibly)
                                    > > that fit onto CD's or DVD's for later archiving.
                                    >
                                    > Did you find a way to use chunks with the loopback device? I
                                    > don't know
                                    > of any and so I prefer one large file (or at least one file for each
                                    > partition). I do not use EnCase or any other commercial tool for my
                                    > investigations.

                                    I haven't had to do this for a while, but the procedure is something like
                                    so:

                                    1) Create loop devices associated with your raw *volume* (not disk) chunks.

                                    2) Create an /etc/raidtab file with something along the lines of the
                                    following ($x indicates a variable you must supply):

                                    raiddev /dev/md0
                                    raid-level linear
                                    nr-raid-disks $N #N being the number of chunks you've got.
                                    persistent-superblock 0
                                    chunk-size X # Not used for this level of RAID, so any value is fine.

                                    device /dev/loop0
                                    raid-disk 0
                                    device /dev/loop1
                                    raid-disk 1
                                    ...(snip)...
                                    device /dev/loopN-1
                                    raid-disk N-1

                                    3) Initialize the raid device

                                    root@yourbox # mkraid /dev/md0

                                    4) If you cat /proc/mdstat you should see stats on your new raid.

                                    5) Mount /dev/md0 @ /FORENSICS/MOUNTPOINT - read-only, of course! ;)

                                    Again, this is pretty hazy, but I can verify and do a more complete HOWTO if
                                    there's interest. Disk image chunks won't work unless there is only one
                                    volume of interest and you apply an offset when creating your loop devices
                                    to point to the beginning of that volume. If there are other volumes on
                                    partitions after that one, "physical" searches of the /dev/md0 will return
                                    data from these spaces as well. I haven't tested against different sized
                                    chunks and don't know enough about the innards of software raid to determine
                                    whether it'll cause problems or not, but I'll test that as part of the
                                    HOWTO, again, if there's interest.

                                    Or someone who knows the answers already can pipe up. :p

                                    Cory Altheide
                                    Senior Network Forensics Specialist
                                    NNSA Information Assurance Response Center (IARC)
                                    altheidec@...
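Cory's five-step procedure, as an added example that is neither Cory's code nor the raidtools project's: gen_raidtab writes the /etc/raidtab he describes for N chunks, part_offset parses the MBR of a whole-disk image to compute the byte offset Cory says the first loop device needs when the chunks come from a disk image rather than a volume image, and attach_chunks holds the privileged losetup calls. The helper names, /dev/md0 and the constructed 512-byte disk.dd are assumptions. attach_chunks and mkraid need root and a kernel with the loop and md drivers, so they are defined but not run here.

```shell
#!/bin/sh
# Added example (not from the list thread): build the raidtab Cory
# describes for N image chunks and compute the loop offset of a volume
# inside a whole-disk image. Names below (disk.dd, /dev/md0, the
# function names) are assumptions, not part of the original messages.
set -eu

# gen_raidtab MD_DEVICE CHUNK... -> print a raidtools /etc/raidtab that
# concatenates /dev/loop0 .. /dev/loopN-1 as a linear (append) array
gen_raidtab() {
    md=$1; shift
    printf 'raiddev %s\n' "$md"
    printf 'raid-level linear\n'
    printf 'nr-raid-disks %d\n' "$#"
    printf 'persistent-superblock 0\n'
    printf 'chunk-size 32\n\n'      # ignored for linear, any value works
    n=0
    for chunk in "$@"; do           # one loop device per chunk, in order
        printf 'device /dev/loop%d\n' "$n"
        printf 'raid-disk %d\n' "$n"
        n=$((n + 1))
    done
}

# le32 IMAGE BYTE_OFFSET -> unsigned little-endian 32-bit value at that offset
le32() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# part_offset IMAGE N -> byte offset of MBR primary partition N (1..4),
# i.e. the -o value for the first loop device; fails on a bad MBR or index
part_offset() {
    img=$1; n=$2
    [ "$n" -ge 1 ] && [ "$n" -le 4 ] || { echo "partition index must be 1..4" >&2; return 1; }
    sig=$(od -An -tx1 -j 510 -N 2 "$img" | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "no MBR signature in $img" >&2; return 1; }
    entry=$((446 + (n - 1) * 16))         # each partition entry is 16 bytes
    lba=$(le32 "$img" $((entry + 8)))     # LBA of first sector, bytes 8..11
    [ "$lba" -gt 0 ] || { echo "partition $n is empty" >&2; return 1; }
    echo $((lba * 512))
}

# attach_chunks OFFSET CHUNK... -> read-only loop devices /dev/loop0.., the
# first one starting OFFSET bytes in. Needs root; not run in this script.
attach_chunks() {
    off=$1; shift; n=0
    first=$(wc -c < "$1" | tr -d ' ')
    [ "$off" -lt "$first" ] || { echo "offset exceeds first chunk" >&2; return 1; }
    for chunk in "$@"; do
        losetup -r -o "$off" "/dev/loop$n" "$chunk"
        off=0; n=$((n + 1))
    done
}

# --- constructed input: a 512-byte "disk image" holding only an MBR with
# one bootable Linux (0x83) partition starting at LBA 2048, 20480 sectors
work=$(mktemp -d); cd "$work"
dd if=/dev/zero of=disk.dd bs=512 count=1 2>/dev/null
printf '\200\000\000\000\203\000\000\000\000\010\000\000\000\120\000\000' |
    dd of=disk.dd bs=1 seek=446 conv=notrunc 2>/dev/null
printf '\125\252' | dd of=disk.dd bs=1 seek=510 conv=notrunc 2>/dev/null

gen_raidtab /dev/md0 disk.dd.aaa disk.dd.aab disk.dd.aac
echo "first loop device offset: $(part_offset disk.dd 1)"   # 1048576
```

After attach_chunks and `mkraid /dev/md0`, steps 4 and 5 are unchanged: `cat /proc/mdstat` and `mount -o ro /dev/md0 /FORENSICS/MOUNTPOINT`. On kernels where raidtools and mkraid are no longer available, `mdadm --build /dev/md0 --level=linear --raid-devices=N /dev/loop0 ... /dev/loopN-1` builds the same linear array without a persistent superblock, so no raidtab is needed. The caveat Cory gives about physical searches returning data from later partitions still applies: with only a start offset, the array ends at the end of the last chunk, not at the end of the volume, unless the last loop device is also bounded (util-linux losetup has --sizelimit for that).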
                                  • Andrew Rosen
                                    Message 17 of 23 , Aug 4, 2004
                                      You are correct and that is (as usual) a great answer.
                                      I have found that the chunks must be integral
                                      exponents of 1024 byte blocks AND that it helps if
                                      loop.o is a module (as opposed to in kernel). I use

                                      rmmod loop
                                      insmod loop max_loop=255

                                      in my init script (rc.local) to ensure that I have
                                      plenty of available loopback devices.

                                      Also, loop is 32 bit clean, but beyond that, the
                                      offset to loop appears to be 31 bits.

                                      Regards -

                                      Andy

                                      --- "Altheide, Cory B. (IARC)" <AltheideC@...>
                                      wrote:
                                      [snip]
                                      > I haven't tested
                                      > against different sized
                                      > chunks and don't know enough about the innards of
                                      > software raid to determine
                                      > whether it'll cause problems or not, but I'll test
                                      > that as part of the
                                      > HOWTO, again, if there's interest.
                                      >
                                      > Or someone who knows the answers already can pipe
                                      > up. :p
                                      >
                                      > Cory Altheide




                                    • Dietmar Mauersberger
                                      Message 18 of 23 , Aug 4, 2004
                                        Hi Cory,

                                        thank you very much for that great piece of help!!! Of course I would be
                                        more than interested in your HOWTO :-)) It would solve the fat32
                                        problems we have on some search warrants if there are no other file
                                        systems available to create an image.

                                        Thank you!
                                        Dietmar

                                        p.s. hey, I could offer you a "mass beer" at the Oktoberfest in Munich
                                        for that ;-)


                                        > I haven't had to do this for a while, but the procedure is something like
                                        > so:
                                        >
                                        > 1) Create loop devices associated with your raw *volume* (not disk) chunks.
                                        >
                                        > 2) Create an /etc/raidtab file with something along the lines of the
                                        > following ($x indicates a variable you must supply):
                                        >
                                        > raiddev /dev/md0
                                        > raid-level linear
                                        > nr-raid-disks $N #N being the number of chunks you've got.
                                        > persistent-superblock 0
                                        > chunk-size X # Not used for this level of RAID, so any value is fine.
                                        >
                                        > device /dev/loop0
                                        > raid-disk 0
                                        > device /dev/loop1
                                        > raid-disk 1
                                        > ...(snip)...
                                        > device /dev/loopN-1
                                        > raid-disk N-1
                                        >
                                        > 3) Initialize the raid device
                                        >
                                        > root@yourbox # mkraid /dev/md0
                                        >
                                        > 4) If you cat /proc/mdstat you should see stats on your new raid.
                                        >
                                        > 5) Mount /dev/md0 @ /FORENSICS/MOUNTPOINT - read-only, of course! ;)
                                        >
                                        > Again, this is pretty hazy, but I can verify and do a more complete HOWTO if
                                        > there's interest. Disk image chunks won't work unless there is only one
                                        > volume of interest and you apply an offset when creating your loop devices
                                        > to point to the beginning of that volume. If there are other volumes on
                                        > partitions after that one, "physical" searches of the /dev/md0 will return
                                        > data from these spaces as well. I haven't tested against different sized
                                        > chunks and don't know enough about the innards of software raid to determine
                                        > whether it'll cause problems or not, but I'll test that as part of the
                                        > HOWTO, again, if there's interest.
                                        >
                                        > Or someone who knows the answers already can pipe up. :p
                                        >
                                        > Cory Altheide
                                        > Senior Network Forensics Specialist
                                        > NNSA Information Assurance Response Center (IARC)
                                        > altheidec@...
                                      • Luis Gómez Miralles
                                        Message 19 of 23 , Aug 6, 2004
                                          Andrew Rosen wrote:

                                          >You are correct and that is (as usual) a great answer.
                                          >I have found that the chunks must be integral
                                          >exponents of 1024 byte blocks AND that it helps if
                                          >loop.o is a module (as opposed to in kernel). I sue
                                          >
                                          >rmmod loop
                                          >insmod loop max_loop=255
                                          >
                                          >in my init script (rc.local) to insure that I have
                                          >plenty of available loopback devices.
                                          >
                                          >
                                          You can also add a line:
                                          append="max_loop=255"
                                          to your images in lilo.conf , and you'll have all those loop devices as
                                          soon as you boot.

                                          Regards,

                                          Luis

                                          --
                                          Luis Gómez Miralles // lgomez@...
                                          esCERT-UPC Incident Response Team
                                          Universitat Politecnica de Catalunya
                                          c/ Jordi Girona, 29 - Edificio Nexus II planta 1 zona B
                                          08034 Barcelona (SPAIN)
                                          Phone (+34) 93.413.79.47 / (+34) 93.413.79.48
                                          Fax (+34) 93.413.79.46
                                          http://escert.upc.es

