Non Intel-based (x86) hardware platforms


CSC 486/586
*nix and Non-Intel
Platform issues
1
Objectives
• Non-Intel hardware (RISC platform) issues
• Other *nix issues (any platform)
– Network scanning
– Backup Tapes
2
Non Intel-based (x86) hardware platforms - RISC
SUN, HP-UX, IBM, Apple, etc.
3
How do I boot it?
– Your Intel boot disks (CD/floppy) won’t boot it
– Usually no floppy drive, and there may be no CD drive either
– If you don’t have a boot CD for the proprietary platform, you may need to boot to the native UNIX OS and perform any data acquisition from within the native OS using built-in UNIX commands
– May need to use the native system to access NAS or other storage media… better practice ahead of time!!!
4
Can I attach my drive to it?
– Proprietary drive controllers
– Usually no PCI slot for your own controller
– Usually SCSI…
• Is it High Voltage Differential (HVD) or Low Voltage Differential (LVD) SCSI?
• Don’t fry your drive!!!
– Their high voltage drive + your low voltage system = nothing
– Your low voltage drive + their high voltage system = smoke
• Adaptec 2944 controller card
• Look for a standard SCSI controller in the system. Usually a standard SCSI tape backup drive is attached to the standard SCSI controller.
5
You’ve attached your drive, now what?
– Better get online or start reading the sysadmin’s manuals…
– Identify your drive from among the subject hard drives within the OS
– You need to partition and format your drive with a UFS file system… using Unix commands
If you are not sure what to do… call someone!!!
6
Data Acquisition???
– Image with “dd”
– Capture files and folders with “tar” onto your UFS formatted drive
– cp or cpio (but the first two options are better)
– FTP data across the network to another machine
• You should always have an FTP client on your laptop (e.g. SmartFTP).
• A command line FTP client is built into all OSs.
• Use WinRAR or tar (in the native Unix OS) to put a “wrapper” around files pulled off by FTP
• This is usually the best way to deal with machines like an IBM AS/400
If you are not sure what to do… call someone!!!
7
How will you analyze the data?
• Do you need the RISC system to “analyze” the data you are seizing?
• Do you need to “run” the Unix software or just look at files?
• FTP’d database files may not do much good without the front-end database app.
• Linux can be used to view, search, and extract files you seize onto your UFS formatted drive.
8
Other Linux/Unix Issues
• Network Scanning
– Nmap
• Backup Tapes
– How to read tapes, pull data off and uncompress it with Linux/Unix
9
Windows scanning tools vs. Nmap
• Scanned 10.10.10.1 through 10.10.10.103
10
Windows scanning tools vs. Nmap
• Same IP address range scanned… this time in Linux with Nmap 4.23RC1
• Detected ALL machines, even those running firewalls!
11
Backup Tapes
• Tape data is linear… just a stream of data in whatever form the backup utility writes.
– No partition, no file system
– Normally cannot “map out” files and directories without the backup utility that created the data stream.
• Tapes come in many sizes and capacities, and use a variety of different tape drives.
• Many commonly used backup programs/utilities.
12
Backup Tapes
• Unless you have a tape drive of the same type used, also seize the tape drive so you have a device that reads the tapes.
• If seizing backup tapes, also seize the backup software used by the subject.
• …but what do you do if someone just gives you tapes and you don’t know what program created the backup data?
13
Working with Tapes in Linux
• mt – SCSI tape control
• dd – device copy
• file – File signature identification
• Proper SCSI tape device driver
– /dev/st0 – rewinding tape device
– /dev/nst0 – non-rewinding tape device
• First set the block size of your tape drive to 0 so that you can read variable block sizes.
– mt -f /dev/st0 setblk 0
14
Determining allocation (how much data is on the tape)
• Run to end of data (EOD) on tape
mt -f /dev/nst0 eod
• Determine position on tape
mt -f /dev/nst0 tell
• Response is total blocks allocated on the tape
Tape is at block 24088
• Rewind tape
mt -f /dev/st0 rewind
15
Finding block size
• Grab an arbitrarily large block of data to force dd to report what it actually read
dd if=/dev/nst0 of=test ibs=128k obs=1 count=1
• The record report gives the correct block size: one partial input record came back (shorter than 128k), and with obs=1 the output record count is its length in bytes
0+1 records in
5120+0 records out
16
Identifying the data
• Use the file command to identify
file test
test: gzip compressed data, deflated, last modified: Wed Jan 26 16:43:42 2005, os: Unix
• Uses the /usr/share/magic file, which identifies file signatures
• Gzipped or otherwise compressed data must be decompressed to identify what is inside
• Typically such data is a compressed archive (tar, cpio, or dump)
17
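As an added example (not from the slides), here is a small POSIX shell script that does in miniature what the slide describes file(1) doing with /usr/share/magic: it reads the leading bytes of a session file pulled off tape with od and matches them against a handful of archive signatures (gzip, bzip2, ASCII and old binary cpio, ustar tar), and it shows why a gzip session has to be inflated before the inner archive can be named. File names are assumptions; the sample inputs are constructed in the test, so it runs without a tape drive.

```shell
#!/bin/sh
# Added example: a minimal stand-in for file(1)'s magic matching, applied to a
# session file read from tape. Only od, tr, dd, mktemp and gzip are used; the
# session file name is whatever the caller passes in (an assumption).

# hex_at FILE OFFSET LENGTH -> those bytes as lowercase hex with no separators
hex_at() {
    od -An -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# identify_session FILE -> gzip | bzip2 | cpio | tar | unknown (exit 1 for unknown)
identify_session() {
    case $(hex_at "$1" 0 6) in
        1f8b*)                                  echo gzip;  return 0 ;;  # \x1f\x8b
        425a68*)                                echo bzip2; return 0 ;;  # "BZh"
        303730373031|303730373032|303730373037) echo cpio;  return 0 ;;  # "070701"/"070702"/"070707"
        c771*|71c7*)                            echo cpio;  return 0 ;;  # old binary cpio, 070707 octal
    esac
    # A POSIX/GNU tar header carries "ustar" at offset 257; its first bytes are only a file name.
    if [ "$(hex_at "$1" 257 5)" = 7573746172 ]; then
        echo tar; return 0
    fi
    echo unknown
    return 1
}

# identify_gzip_payload FILE -> type of the archive inside a gzip session.
# Compressed data must be inflated before the inner signature is visible; only the
# first 1024 bytes are kept, which is enough for a tar or cpio header.
identify_gzip_payload() {
    tmp=$(mktemp) || return 1
    gzip -dc "$1" 2>/dev/null | dd bs=1 count=1024 of="$tmp" 2>/dev/null
    identify_session "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Usage on a real session would be `identify_session /mnt/session1.txt` and, if that prints gzip, `identify_gzip_payload /mnt/session1.txt` to learn whether a tar, cpio or something else is inside; "unknown" is the signal to go back to the backup software the subject used.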
Pulling data off the tape
• Start at beginning of session
mt -f /dev/nst0 bsfm 1
• Read entire session to a file
dd if=/dev/nst0 of=/mnt/session1.txt bs=5120
• The dd command reports blocks copied
15198+0 records in
15198+0 records out
• May need to set the block size of the tape drive to the block size determined on the tape.
– mt -f /dev/st0 setblk 5120
18
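Added example (not the slide author's): shell functions that turn the tool output quoted on slides 15, 16 and 18 into numbers, i.e. the `mt tell` line into a block count, the dd record summary into either the tape block size (the 128k/obs=1 probe) or a session length (the bs=5120 copy), plus a driver that runs the real mt/dd sequence against a drive. The summaries in the test are the ones on the slides; the device path given to the driver and the probe file name are assumptions, and the driver itself needs root and a tape, so the test does not call it.

```shell
#!/bin/sh
# Added example: parse the mt/dd output shown on the slides and turn it into
# byte counts. The driver at the end assumes a SCSI tape at the device path
# passed in (for example /dev/nst0) and root privileges.

# "Tape is at block 24088" / "At block 24088." -> 24088
blocks_from_tell() {
    printf '%s\n' "$1" | sed -n 's/.*[Bb]lock \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# dd_records SUMMARY in|out -> "FULL PARTIAL" taken from the "FULL+PARTIAL records in/out" line
dd_records() {
    printf '%s\n' "$1" | sed -n "s/^ *\([0-9][0-9]*\)+\([0-9][0-9]*\) records $2.*/\1 \2/p" | head -n 1
}

# probe_block_size SUMMARY IBS_BYTES -> tape block size in bytes (slide 16 probe:
# dd if=/dev/nst0 of=test ibs=128k obs=1 count=1). One partial input record (0+1)
# means the block was shorter than ibs, and with obs=1 the full output record
# count is exactly its length. A full record (1+0) means the block is at least
# ibs long and the probe has to be repeated with a larger ibs.
probe_block_size() {
    set -- "$(dd_records "$1" in)" "$(dd_records "$1" out)" "$2"
    in_full=${1%% *}; in_part=${1##* }; out_full=${2%% *}
    if [ "$in_full" = 0 ] && [ "$in_part" = 1 ]; then
        echo "$out_full"
    elif [ "$in_full" = 1 ]; then
        echo "block size is at least $3 bytes: repeat the probe with a larger ibs" >&2
        return 1
    else
        echo "nothing read: the tape is at a filemark or end of data" >&2
        return 1
    fi
}

# session_bytes SUMMARY BS -> bytes in a session copied with dd bs=BS (slide 18).
# A partial record ("15198+1") means the tape block size is not BS; re-probe.
session_bytes() {
    set -- "$(dd_records "$1" in)" "$2"
    if [ "${1##* }" != 0 ]; then
        echo "partial record read: tape block size is not $2 bytes" >&2
        return 1
    fi
    echo $(( ${1%% *} * $2 ))
}

# tape_bytes TELL_OUTPUT BS -> upper bound on the data on the tape (slide 15).
# The block count from 'mt tell' also counts filemarks, and this assumes every
# session was written with the same block size, so treat it as "at most".
tape_bytes() {
    n=$(blocks_from_tell "$1")
    [ -n "$n" ] || { echo "could not parse mt tell output" >&2; return 1; }
    echo $(( n * $2 ))
}

# Driver for a real drive, not exercised by the test: tape_survey /dev/nst0 [probe-file]
tape_survey() {
    dev=$1; probe=${2:-probe.bin}
    mt -f "$dev" setblk 0 && mt -f "$dev" rewind && mt -f "$dev" eod || return 1
    total=$(blocks_from_tell "$(mt -f "$dev" tell)")
    mt -f "$dev" rewind || return 1
    summary=$(dd if="$dev" of="$probe" ibs=131072 obs=1 count=1 2>&1)
    bs=$(probe_block_size "$summary" 131072) || return 1
    mt -f "$dev" rewind
    echo "blocks=$total block_size=$bs bytes_at_most=$(tape_bytes "At block $total." "$bs")"
}
```

The two checks that the slides' bare numbers do not make explicit are in `probe_block_size` and `session_bytes`: a `1+0` probe result means 128k was not large enough, and any `+1` partial record on the session copy means the block size you set with `setblk` is wrong for that session, so the copy should be redone rather than trusted.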
Uncompressing the data
• You may need a third-party tool to interpret the data file you pulled off the tape.
• If it is a *nix archive such as tar or gz, use the standard tar and gunzip commands to uncompress into logical files and folders.
tar -zxf /mnt/session1.txt
19
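Added example (not from the slides): before running the slide's `tar -zxf` on a session that came off an unknown tape, list the members and refuse to extract any that would land outside the target directory (absolute paths or `..` components), then extract into a fresh directory with `-C`. The archive and destination paths are assumptions; the member list in the test is constructed.

```shell
#!/bin/sh
# Added example: screen a tape session's archive listing before extracting it.
# Paths are placeholders chosen for the example; tar and awk are the only tools used.

# unsafe_members: reads member names on stdin (as printed by tar -t) and prints
# the ones that are absolute or contain a ".." path component.
unsafe_members() {
    awk '
        /^\// { print; next }
        {
            n = split($0, part, "/")
            for (i = 1; i <= n; i++) if (part[i] == "..") { print; break }
        }'
}

# extract_session ARCHIVE DEST: list, screen, then extract into a fresh directory.
# GNU tar strips a leading "/" on extraction, but not every tar does, and ".."
# entries can escape DEST on any of them, so the listing is checked first.
extract_session() {
    list=$(tar -tzf "$1") || { echo "cannot read $1 as a gzipped tar" >&2; return 1; }
    bad=$(printf '%s\n' "$list" | unsafe_members)
    if [ -n "$bad" ]; then
        printf 'refusing to extract %s, suspicious members:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    mkdir -p "$2" && tar -zxf "$1" -C "$2"
}
```

Call it as `extract_session /mnt/session1.txt /mnt/case/session1`; the listing it produces on refusal is itself worth keeping with the case notes, since member names that try to escape the extraction directory say something about how the archive was made.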
Questions???
Use the discussion board, as usual…
20