*nix and Non-Intel Platform issues

CSC 486/586

1

Objectives

• Non-Intel hardware (RISC platform) issues• Other *nix issues (any platform)– Network scanning– Backup Tapes

2

Non Intel-based (x86) hardware platforms - RISC

SUN, HP-UX, IBM, Apple, etc.

3

How do I boot it?– Your Intel boot disks (CD/floppy) won’t boot it– Usually no floppy drive and may be no CD drive

either – If you don’t have a boot CD for the proprietary

platform, you may need to boot to the native UNIX OS and perform any data acquisition from within the native OS using built-in UNIX commands

– May need to use native system to access NAS or other storage medium….better practice ahead of time!!!

4

Can I attach my drive to it?

– Proprietary drive controllers– Usually no PCI slot for your own controller– Usually SCSI…• Is it “High Voltage” SCSI (HVD) or Low Voltage (LVD)?• Don’t fry your drive!!!– Their high voltage drive + your low voltage system =

nothing– Your low voltage drive + their high voltage system =

smoke• Adaptec 2944 controller card• Look for a standard SCSI controller in drive. Usually a

standard SCSI tape backup drive attached to the standard SCSI controller.

5

You’ve attached your drive now what?

– Better get online or start reading the Sys admins manuals…

– Identify your drive from the subject hard drives within the OS

– You need to partition and format your drive with a UFS file system…..using Unix commands

If you are not sure what to do….call someone!!!

6

Data Acquisition???– Image with “dd”– Capture files and folders with “tar” onto your UFS

formatted drive– CP or CPIO (but the first two options are better)– FTP data across the network to another machine

• You should always have an FTP client on your laptop (i.e. SmartFTP).

• FTP command line version is built into all OSs.• Use WinRAR or tar (in the native Unix OS) to put a

“wrapper” around files pulled off by FTP• This is usually the best way to deal with machines like an

IBM AS-400If you are not sure what to do….call someone!!!

7

How will you analyze the data?

• Do you need the RISC system to “analyze” the data you are seizing?

• Do you need to “run” the Unix software or just look at files?

• FTP’d database files may not do much good without the front-end database app.

• Linux can be used to view, search, extract files you seize onto your UFS formatted drive.

8

Other Linux/Unix Issues

• Network Scanning– Nmap

• Backup Tapes– How to read tapes, pull data off and uncompress it

with Linux/Unix

9

Windows scanning tools vs. Nmap

10

• Scanned 10.10.10.1-10.10.10.103

Windows scanning tools vs. Nmap

• Same IP address range scanned….this time in Linux with Nmap 4.23RC1

• Detected ALL machines, even those running firewalls!

11

Backup Tapes

• Tape data is linear…just a stream of data in whatever form the backup utility writes.– No Partition, no file system– Normally can not “map out” files and directories

without the backup utility that created the data stream.

• Tapes come in many sizes, capacities, and use a variety of different tape drives.

• Many commonly used backup programs/utilities.

12

Backup Tapes

• Unless you have a tape drive of the same type used, also seize the tape drive so you have a device that reads the tapes.

• If seizing backup tapes, also seize the backup software used by the subject.

• …but what do you do if someone just gives you tapes and you don’t know what program created the backup data.

13

Working with Tapes in Linux

• mt – SCSI tape control• dd – device copy• file – File signature identification• Proper SCSI tape device driver– /dev/st0 – rewinding tape device– /dev/nst0 – non-rewinding tape device

• First set the block size of your tape drive to 0 so that you can read variable block sizes.– mt -f /dev/st0 setblk 0

14

Determining allocation (how much data is on the tape)

• Run to end of data (EOD) on tapemt -f /dev/nst0 eod

• Determine position on tapemt -f /dev/nst0 tell

• Response is total blocks allocated on the tapeTape is at block 24088

• Rewind tapemt –f /dev/st0 rewind

15

Finding block size

• Grab an arbitrary large block of data to force error reportingdd if=/dev/nst0 of=test ibs=128k obs=1 count=1

• Error report gives correct block size0+1 records in5120+0 records out

16

Identifying the data

• Use file command to identifyfile testTest: gzip compressed data, deflated, last modified:

Wed Jan 26 16:43:42 205, os: Unix

• Uses /usr/share/magic file which identifies file signatures

• Gzipped or otherwise compressed data must be decompressed to identify

• Typically such data is a compressed archive (tar, cpio, or dump)

17

Pulling data off the tape

• Start at beginning of sessionmt –f /dev/nst0 bsfm 1

• Read entire session to a filedd if=/dev/nst0 of=/mnt/session1.txt bs=5120

• The dd command reports blocks copied15198+0 records in15198+0 records out

• May need to set block size of tape drive to block size determined on tape.– mt –f /dev/st0 setblk 5120

18

Uncompressing the data

• You may need a third-party tool to interpret the data file you pulled off the tape.

• If it is a *nix archive such as tar or gz, use standard tar and gunzip commands to uncompress into logical files and folders.

tar –zxf /mnt/session1.txt

19

Questions???

Use the discussion board, as usual…

20

21