[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bare Metal Backups & Restorations
On Sat, 2009-01-10 at 22:29 -0600, Gary Smithe wrote:
>
>
> On Sat, Jan 10, 2009 at 7:20 AM, Robert G. (Doc) Savage
> <dsavage@peaknet.net> wrote:
> Matt Wehland's mention of his Gateway laptop without install
> disks
> prompts me to release to this group the attached draft of a
> document
> I've been working on. It's still in the "polishing" and "what
> about
> such-and-such" stage, so comments & questions are welcome.
> (It's in
> OpenOffice.org Writer v2.3 format.)
>
> In this document I've borrowed many of the techniques I
> learned in a
> SANS Security 508 course, "Computer Forensics, Investigation,
> and
> Response" that I took about three years ago. For those of you
> who can
> finagle your employer to send you to such a course at an
> upcomig event
> like SANS 2009 at Orlando, I highly recommend it. You'll learn
> how to
> employ GNU/Linux tools to do some amazing things.
>
> --Doc
>
>
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
>
>
> Doc,
>
>
> I'm not privy to what the "gateway laptop" is that prompted you to
> send this email, but I'd like to offer an option to the group. The
> clonezilla project, http://clonezilla.org/ is a very nice, very active
> project that makes backing up any system fairly painless.
>
>
> It uses either ntfsclone, partclone, or dd (if it really doesn't know
> the fstype) to make a fast image copying only the data needed, unlike
> dd. It gets the mbr and partition table as well. It can save
> everything to an image file or copy it to another disk.
>
>
> It saves locally or over a network.
>
>
> It's probably not forensically sound, but for making backups for the
> purpose of bare metal restore, I've not found a free/libre tool that's
> any better.
>
>
> Even if the name is kinda dumb.
Clonezilla sounds like a reasonable alternative to my local-only
solution. As a specialized package it would be more familiar to Windows
users than my generic utilities-based approach. For the same reason it
might not be as easy to adapt to other uses. The forensic basics of my
approach will preserve the most subtle of things in places you might
overlook.
I recently used it to replace a root filesystem hard drive on an RHEL
server. By doing a bare metal restoration of the MBR, I didn't lose
GRUB's first phase code that was recorded in bytes 1-440 of that first
sector.
The partition table entries that were written to the 64 bytes between
446-509 were wrong for the new disk, but fdisk made them right. The root
filesystem image that was written back to the much larger /dev/sda2 on
the new disk was identical in size to the one recorded from the old
disk. After rebooting I used the 'resize2fs' utility to grow it to fill
the new partition.
Overall this process took a lot less time and effort than a scratch
installation.
--Doc
-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.