STORAGE FORENSICS
1. Introduction: SAN vs NAS.
2. SAN.
3. NAS.
Storage area network.
A storage area network (SAN) is a dedicated network that provides access to consolidated, block level data storage. SANs are primarily used to make storage devices, such as disk arrays, tape libraries, and optical jukeboxes, accessible to servers so that the devices appear like locally attached devices to the operating system. A SAN typically has
its own network of storage devices that are generally not accessible through the local area
network by other devices.
http://en.wikipedia.org/wiki/Storage_area_network
Network attached storage.
Network-attached storage (NAS) is file-level computer data storage connected to a computer network providing data access to a heterogeneous group of clients. NAS not only operates as a file server, but is specialized for this task either by its hardware, software, or configuration of those elements. NAS is often manufactured as a computer appliance – a specialized computer built from the ground up for storing and serving files – rather than simply a general purpose computer being used for the role.
http://en.wikipedia.org/wiki/Network-attached_storage
https://communities.netapp.com/servlet/JiveServlet/previewBody/2999-102-1-3620/NetApp-Basic-Concepts-Quickstart-Guide.pdf
STORAGE: SAN vs NAS
SAN:
• High performance in a separate network.
• Scalability.
• Reliability: additional fabrics can guarantee the backup/mirror of the network.
• Safety: SWITCH/STORAGE ZONING eliminates the possibility of unapproved access.
NAS:
• Low cost and ease of maintenance.
• Easy multiplatform access.
• With 10GE connectivity, NAS devices can offer performance on par with many SANs.
Recently many customers are expanding the use of NAS to include storage for relational databases such as Oracle and MySQL, server virtualization environments such as VMware vSphere, and virtual desktop solutions.
SCSI
Small Computer System Interface (SCSI) is a set of standards for physically connecting and transferring data between
computers and peripheral devices. The SCSI standards define commands, protocols and electrical and optical interfaces.
SCSI is most commonly used for hard disks and tape drives, but it can connect a wide range of other devices, including scanners and CD drives, although not all controllers can handle all devices.
http://en.wikipedia.org/wiki/SCSI
LUN
In computer storage, a logical unit number, or LUN, is a number used to identify a logical unit, which is a device addressed by the SCSI protocol or
protocols which encapsulate SCSI, such as Fibre Channel or iSCSI. A LUN may be used with any device which supports read/write operations, such as a tape drive, but is most often used to refer to a logical disk as created on a SAN. Though not technically correct, the term "LUN" is often also used
to refer to the logical disk itself.
http://en.wikipedia.org/wiki/Logical_Unit_Number
FC
Fibre Channel, or FC, is a high-speed network technology (commonly running at 2-, 4-, 8- and 16-gigabit speeds) primarily used for storage networking. Fibre Channel is standardized in the T11 Technical Committee of the International Committee for Information Technology Standards (INCITS), an American National Standards Institute (ANSI)-accredited standards committee. Fibre Channel was primarily used in the supercomputer field, but has now become the standard connection type for storage area networks (SAN) in enterprise storage. Despite its name, Fibre Channel signaling can run on twisted pair copper wire in addition to fiber-optic cables.
http://en.wikipedia.org/wiki/Fibre_Channel
iSCSI
In computing, iSCSI is an abbreviation of Internet Small Computer System Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval. The protocol allows clients (called initiators) to send SCSI commands (CDBs) to SCSI storage devices (called targets) on remote servers.
http://en.wikipedia.org/wiki/ISCSI
FC SWITCH
In the computer storage field, a Fibre Channel switch is a network switch compatible with the Fibre Channel (FC) protocol. It allows the creation of a Fibre Channel fabric, which is currently the core component of most storage area networks (SAN). The fabric is a network of Fibre Channel devices which allows many-to-many communication, device name lookup, security, and redundancy. FC switches implement zoning, a mechanism that disables unwanted traffic between certain fabric nodes.
http://en.wikipedia.org/wiki/Fibre_Channel_switch
NFS
Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over
a network in a manner similar to how local storage is accessed. NFS, like many other
protocols, builds on the Open Network Computing Remote Procedure Call (ONC RPC) system.
http://en.wikipedia.org/wiki/Network_File_System
CIFS
In computer networking, Server Message Block (SMB), also known as Common Internet File System (CIFS), operates as an application-layer network protocol mainly used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism.
http://en.wikipedia.org/wiki/CIFS
SNAPSHOT
What is a snapshot?
In general terms, a snapshot is a locally retained, read-only, point-in-time virtual copy of a file system or volume. Most snapshots are time- and space-efficient. When properly implemented, they’ll enable faster operational recovery (OR) and help meet tighter recovery point objectives (RPOs), recovery time objectives (RTOs) and service level agreements (SLAs). Snapshots are not a replacement for backups but can be foundational to implementing a solid backup strategy. Research conducted by International Data Corporation (IDC) shows that enterprises are increasingly relying on disk-based backup/restore software to meet their shrinking backup windows and meet application availability requirements. Interestingly, 46% of backup and restore implementations are disk based, followed by tape at 38% (according to IDC), which is a dramatic change from the past. This change indicates the necessity of understanding the options – the capabilities and limitations of the different snapshot implementations.
SNAPSHOT
Two types of snapshot:
• Copy on write (COW): the allocation blocks are copied before being overwritten.
• Redirect on write (RoW): the write request is redirected to a new allocation block (NETAPP).
COW: low performance
RoW: more fragmentation
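The trade-off between the two types, as an added example that is not part of the original slides: a toy block-level model in which every class, method and field name is hypothetical and no vendor implementation is reproduced. It counts physical I/O per write (the COW cost) and breaks in physical contiguity of the live volume (the RoW cost), while both snapshots keep returning the original blocks.

```python
# Toy block-level model of the two snapshot types (hypothetical names, no vendor code).
class CowVolume:
    """Copy on write: the old block is copied aside before it is overwritten."""
    def __init__(self, blocks):
        self.blocks = list(blocks)   # live data, always updated in place
        self.snap_area = None        # preserved originals, keyed by block number
        self.io = 0                  # physical block reads + writes

    def snapshot(self):
        self.snap_area = {}          # instantaneous: nothing is copied yet
    def write(self, n, data):
        if self.snap_area is not None and n not in self.snap_area:
            self.snap_area[n] = self.blocks[n]   # read old block, write it aside
            self.io += 2
        self.blocks[n] = data
        self.io += 1

    def read_snapshot(self):
        return [self.snap_area.get(n, b) for n, b in enumerate(self.blocks)]

class RowVolume:
    """Redirect on write: new data goes to a new block, the old block is untouched."""
    def __init__(self, blocks):
        self.store = list(blocks)              # physical blocks (append-only here)
        self.live = list(range(len(blocks)))   # logical -> physical block map
        self.snap = None
        self.io = 0

    def snapshot(self):
        self.snap = list(self.live)  # instantaneous: only the block map is frozen
    def write(self, n, data):
        self.store.append(data)      # one write, to a new location
        self.live[n] = len(self.store) - 1
        self.io += 1

    def read_snapshot(self):
        return [self.store[p] for p in self.snap]

    def fragments(self):
        # breaks in physical contiguity when the live volume is read in order
        return sum(1 for a, b in zip(self.live, self.live[1:]) if b != a + 1)

def compare(original, writes):
    cow, row = CowVolume(original), RowVolume(original)
    for vol in (cow, row):
        vol.snapshot()
        for n, data in writes:
            vol.write(n, data)
    return cow, row
```

Calling `compare(["A", "B", "C", "D"], [(1, "b1"), (2, "c1"), (1, "b2")])` leaves both snapshots readable as the original four blocks; the COW volume has spent more I/O and the RoW volume's live blocks are no longer contiguous.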
SNAPSHOT: COW
DATA ACQUISITION
The process of data acquisition must preserve:
• INTEGRITY
• DISCRETION
• AVAILABILITY
1) Freeze the evidence: SNAPSHOT
2) Copy the evidence to another STORAGE
OR
Clone the evidence.
FREEZE THE EVIDENCE: SNAPSHOT
The SNAPSHOT process is instantaneous and does not require any modification of the VOLUME.
COPY THE EVIDENCE
MIRROR is a process that requires TCP/IP connectivity. All commands are executed on the DESTINATION STORAGE (except when the destination is on the same STORAGE).
The MIRROR process copies all source blocks to a destination volume, which must be the same size as the source or larger. The time required depends on the size of the source and on the TCP/IP connection.
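One way to check the integrity requirement after such a copy, as an added example that is not part of the original slides. It assumes the source and the copy are readable as image files or block devices and uses SHA-256, neither of which the slides specify; function names and the sample data are constructed here. Because the destination may be larger than the source, only its first source-sized bytes are compared, since the hash of the whole destination legitimately differs.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read size in bytes (assumed value)

def size_of(path):
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)   # works for image files and block devices

def sha256_prefix(path, length):
    """SHA-256 of the first `length` bytes of a file or device."""
    h, remaining = hashlib.sha256(), length
    with open(path, "rb") as f:
        while remaining > 0:
            buf = f.read(min(CHUNK, remaining))
            if not buf:
                raise IOError(f"{path}: short read, {remaining} bytes missing")
            h.update(buf)
            remaining -= len(buf)
    return h.hexdigest()

def verify_mirror(src, dst):
    """Compare a source image with a destination of the same or larger size."""
    n, m = size_of(src), size_of(dst)
    if m < n:
        raise ValueError("destination is smaller than source: copy is truncated")
    src_hash, dst_hash = sha256_prefix(src, n), sha256_prefix(dst, n)
    return {"source_bytes": n, "dest_bytes": m,
            "source_sha256": src_hash, "dest_prefix_sha256": dst_hash,
            "dest_full_sha256": sha256_prefix(dst, m),
            "match": src_hash == dst_hash}

def demo():
    """Constructed sample: a 3 MiB + 17 byte 'source' and a zero-padded 4 MiB 'mirror'."""
    data = hashlib.sha256(b"constructed sample").digest() * (3 * 32768) + b"x" * 17
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "source.img"), os.path.join(d, "mirror.img")
    with open(src, "wb") as f:
        f.write(data)
    with open(dst, "wb") as f:
        f.write(data + b"\0" * ((4 << 20) - len(data)))
    return verify_mirror(src, dst)

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```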
Commercial Solutions:
CLONE THE EVIDENCE
With CLONE technology you can create a clone of different objects: LUN, FILE or VOLUME. The best practice for preserving the integrity of the evidence is the VOLUME CLONE.
ACQUIRE THE EVIDENCE: LUN
In a VOLUME CLONE process all data is replicated in read/write mode. Every CLONED LUN has a different SIGNATURE from the SOURCE LUN for access protection purposes. After the process all LUNs are ONLINE but have no INITIATOR configured.
ACQUIRE THE EVIDENCE: CIFS SHARE
CIFS SHARE SECURITY
When you define a share you can assign the CIFS SHARE SECURITY. This attribute does not change the METADATA of the FILES in the VOLUME.